net.inet{,6}.fw.enable in /etc/rc

Hiroki Sato hrs at FreeBSD.org
Sat Oct 11 20:04:13 UTC 2014


Ian Smith <smithi at nimnet.asn.au> wrote
  in <20141003025830.D48482 at sola.nimnet.asn.au>:

sm> which rules will be flushed when /etc/rc.d/ipfw runs, but should enable
sm> DHCP to work?  I'm not sure whether those rules are exactly correct or
sm> sufficient for DHCP, but principle is to anly allow what's necessary in
sm> the circumstances this addresses, vastly reducing vulnerable window.
sm>
sm> Using such a method, there should be no need to modify rc.d/ipfw?

 I created an experimental patch based on the idea of installing a minimal
 ruleset.  Please review the attached patch.  The rc.d/ipfw0 script that
 installs such a ruleset is invoked before rc.d/netif.  The following
 two knobs are added:

 $firewall_minimal_rules_enable
    Enable/disable installing a minimal ruleset.

 $firewall_minimal_ruleset
    Ruleset number to be used for the ruleset.

sm>  >  Does ipfw have rules which depend on interface initialization?  If
sm>  >  not, moving rc.d/ipfw to just before rc.d/netif may be a better idea.
sm>
sm> It can.  If using (say) mpd with dialup or ADSL modems, as I do, the
sm> interface - here ng0 - needs to preexist, needing an IP address too.
sm>
sm> I think that by now, many will likely rely on netif preceding ipfw.

 AFAICC an IPFW rule for ng0 can be installed before the interface is
 created.  Do you have a specific rule which is problematic if IPFW
 rules are loaded before rc.d/netif runs?  I am also using mpd and a
 lot of cloned interfaces on my router box but it worked fine.

-- Hiroki
[Attachment: rc_ipfw0.20141012-1.diff (text/x-patch, 5659 bytes)
 <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20141012/ea02ac1b/attachment.bin>]
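As an added illustration of the minimal-ruleset idea discussed above (this is example code written for this page, not the attached rc_ipfw0 diff, whose contents are not reproduced here): a POSIX sh script that installs a DHCP/DHCPv6-only ruleset into its own ipfw set before rc.d/netif runs, and deletes that set in one step once the full ruleset is in place.  The knob names follow the two proposed in the mail; the rule contents, the choice of set 30, the $IPFW override and the helper names are assumptions made for the example.

```sh
#!/bin/sh
#
# Added example, not the rc_ipfw0 patch attached to the mail: a minimal,
# pre-netif IPFW ruleset that admits only what a DHCP/DHCPv6 client needs,
# installed into its own ipfw set so the full ruleset loaded later by
# rc.d/ipfw can drop it with a single "delete set".  The knob names mirror
# the ones proposed in the mail; the rule contents, the set number and the
# helper names are this example's assumptions.

: "${firewall_minimal_rules_enable:=YES}"
: "${firewall_minimal_ruleset:=30}"   # sets are 0-31; 31 holds the default rule
: "${IPFW:=ipfw -q}"                  # command prefix; replaced in tests/dry runs

# Small stand-in for rc.subr's checkyesno so this runs outside rc.d.
yesno() {
    case $1 in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Emit the rules for set $1, one ipfw argument list per line.
# Low rule numbers so they match before anything rc.d/ipfw adds later;
# the explicit deny at 65000 closes the window even on kernels built with
# IPFW_DEFAULT_TO_ACCEPT, which is why the set must be deleted afterwards.
minimal_ruleset() {
    setno=$1
    cat <<EOF
add 10 set $setno allow ip from any to any via lo0
add 20 set $setno allow udp from any 68 to any 67 out
add 30 set $setno allow udp from any 67 to any 68 in
add 40 set $setno allow udp from any 546 to any 547 out
add 50 set $setno allow udp from any 547 to any 546 in
add 60 set $setno allow ipv6-icmp from any to any icmp6types 133,134,135,136
add 65000 set $setno deny ip from any to any
EOF
}

# Number of rules the minimal set carries (sanity check for the reader).
minimal_ruleset_count() {
    minimal_ruleset "$firewall_minimal_ruleset" | grep -c .
}

# "start": install the set.  This runs before rc.d/netif, so no rule may
# name an interface that does not exist yet (lo0 always does).
install_minimal_ruleset() {
    yesno "$firewall_minimal_rules_enable" || return 0
    while read -r rule; do
        # word-splitting $rule into separate ipfw arguments is intentional
        $IPFW $rule
    done <<EOF
$(minimal_ruleset "$firewall_minimal_ruleset")
EOF
}

# "stop", or called by the full ruleset once it is loaded: remove the
# minimal set in one step, leaving every other set untouched.
flush_minimal_ruleset() {
    $IPFW delete set "$firewall_minimal_ruleset"
}

case "${1-}" in
start) install_minimal_ruleset ;;
stop)  flush_minimal_ruleset ;;
esac
```

Keeping the rules in a dedicated set is what makes the hand-over cheap: whatever rc.d/ipfw loads later, whether /etc/rc.firewall (which flushes everything anyway) or a custom script that does not, a single `ipfw delete set 30` removes the temporary deny at 65000 without touching the real ruleset.  Setting IPFW to a logging shell function lets the script be exercised on a box without ipfw, which is how the checks below are run.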