IPFW custom rules file not loading
Giorgos Keramidas
keramida at ceid.upatras.gr
Tue May 3 14:07:49 PDT 2005
On 2005-05-03 15:18, Nicholas Henry <nicholas.henry at gmail.com> wrote:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
> May 3 14:25:22 babe kernel: Flushed all rules.
> May 3 14:25:22 babe kernel: Line 3:
> May 3 14:25:22 babe kernel: bad command `ipfw'
> May 3 14:25:22 babe kernel:
> May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: .
> May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> May 3 14:25:22 babe kernel: 1
> May 3 14:25:22 babe kernel: ->
> May 3 14:25:22 babe kernel: 1
>
> I'm referring to the "bad command 'ipfw'" line. I'm also concerned
> about the "firewall_enable" not found message.
It's normal. You're using firewall_type and yet you have written a
firewall _script_ in /etc/ipfw.rules.
> ** start rc.conf snippet **
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="NO"
> firewall_flags=""
> ** end rc.conf snippet **
Your firewall_type points to a pathname, so the file should contain
rules in the form:
add check-state
add allow tcp from any to any 80 keep-state
add deny ip from any to any
> ** start ipfw.rules **
>
> #!/bin/sh
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 801"
> pif="fxp0" #found by doing an ifconfig or netstat -nr
> # public interface name of NIC
Your ipfw.rules file is written in the form of a firewall_script.
The difference between the two is small but important.
A firewall_type file contains just a set of rules that ipfw(8) will
parse, without intervention by a shell.
A firewall_script is executed by the /bin/sh shell, as a normal shell
script. One example of what can be used as a firewall_script is
/etc/rc.firewall (in pre-5.X versions) or /etc/rc.d/ipfw (in FreeBSD
5.X or later).
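The distinction above can be checked before pointing firewall_type at a file. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh lint that reads a candidate firewall_type file the way ipfw(8) does (one ipfw command per line, '#' lines and blank lines skipped) and reports the shell-only constructs that make ipfw stop with "bad command". The two input files are constructed here; the firewall_type version omits the flush because the thread's own log shows rc.firewall flushing before the file is read.

```shell
#!/bin/sh
# Added example: lint a firewall_type file. ipfw reads it itself, so an
# "ipfw" prefix, a name=value assignment or a $var is a shell construct
# that ipfw reports as "Line N: bad command ...".
lint_ipfw_type() {
    file=$1 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # split into words, no globbing
        first=${1-}
        case "$first" in
        '#!'*)   echo "$file:$n: shebang: this is a firewall_script, not a firewall_type" ;;
        ''|'#'*) continue ;;                # ipfw skips blank and comment lines
        ipfw)    echo "$file:$n: drop the 'ipfw' prefix, ipfw supplies it" ;;
        *=*)     echo "$file:$n: shell assignment '$first' is not an ipfw command" ;;
        *'$'*)   echo "$file:$n: ipfw does not expand shell variables ('$first')" ;;
        add|delete|flush|list|show|zero|resetlog|enable|disable|set|pipe|queue|table)
                 continue ;;
        *)       echo "$file:$n: bad command \`$first'" ;;
        esac
        bad=$((bad + 1))
    done < "$file"
    [ "$bad" -eq 0 ]                        # status 0 only if the file is clean
}

tmp=$(mktemp -d)
# Constructed input: the shell-script form from the thread (a firewall_script)
cat > "$tmp/ipfw.rules" <<'EOF'
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
cmd="ipfw -q add"
pif="fxp0"
$cmd 100 allow tcp from any to any 80 via $pif keep-state
EOF
# Constructed input: the same policy in firewall_type form
cat > "$tmp/ipfw.type" <<'EOF'
add 100 check-state
add 200 allow tcp from any to any 80 via fxp0 keep-state
add 65000 deny ip from any to any
EOF
for f in "$tmp/ipfw.rules" "$tmp/ipfw.type"; do
    lint_ipfw_type "$f" && echo "$f: ok" || echo "$f: would not load"
done
```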