IPFW custom rules file not loading

Giorgos Keramidas keramida at ceid.upatras.gr
Tue May 3 14:07:49 PDT 2005


On 2005-05-03 15:18, Nicholas Henry <nicholas.henry at gmail.com> wrote:
> May  3 14:25:22 babe kernel: firewall_enable: not found
> May  3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
> May  3 14:25:22 babe kernel: Flushed all rules.
> May  3 14:25:22 babe kernel: Line 3:
> May  3 14:25:22 babe kernel: bad command `ipfw'
> May  3 14:25:22 babe kernel:
> May  3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> May  3 14:25:22 babe kernel: firewall_enable: not found
> May  3 14:25:22 babe kernel: .
> May  3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> May  3 14:25:22 babe kernel: 1
> May  3 14:25:22 babe kernel: ->
> May  3 14:25:22 babe kernel: 1
>
> I'm referring to the "bad command 'ipfw'" line. I'm also concerned
> about the "firewall_enable" not found message.

It's normal.  You're using firewall_type and yet you have written a
firewall _script_ in /etc/ipfw.rules.

> ** start rc.conf snippet **
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="NO"
> firewall_flags=""
> ** end rc.conf snippet **

Your firewall_type points to a pathname, so the file should contain
rules in the form:

	check-state
	add allow tcp from any to any 80 keep-state
	add block ip from any to any

> ** start ipfw.rules **
>
> #!/bin/sh
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 801"
> pif="fxp0"   	#found by doing a ifconfig or netstat -nr
> 		# public interface name of NIC

Your ipfw.rules file is written in the form of a firewall_script.
The difference between the two is small but important.

A firewall_type file contains just a set of rules that ipfw(8) will
parse, without intervention by a shell.

A firewall_script is executed by the /bin/sh shell, as a normal shell
script.  One example of what can be used as a firewall_script is
/etc/rc.firewall (in pre-5.X versions) or /etc/rc.d/ipfw (in FreeBSD
5.X or later).
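As an added example (not part of the original mail, and not FreeBSD's own rc code), here is a small POSIX sh checker that applies the distinction above to a file named by firewall_type: it treats `#` lines as comments, the way ipfw(8) does when it reads a rules file (which is why the kernel log in the thread complains about line 3, the first `ipfw -q -f flush` line, and not about the `#!/bin/sh` on line 1), and flags the first line that only a shell could execute. The heuristics for "looks like a shell script" (a leading `ipfw`, a variable assignment, a `$` expansion) are this example's own assumptions, not ipfw's parser; the sample files it builds are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example; not part of the original mail or of FreeBSD's rc scripts.
# Tells apart the two file kinds described in the reply:
#   firewall_type="/path"   -> plain ipfw(8) rules, read by ipfw itself
#   firewall_script="/path" -> a script run by /bin/sh
#
# classify_fw_file mimics what ipfw does with a rules file: lines starting
# with '#' are comments (a "#!/bin/sh" shebang included), every other line
# must be an ipfw command.  It prints "rules" when nothing looks like shell,
# or "script:<n>" with the first line only a shell could handle (assumed
# heuristics: a leading "ipfw", a name=value assignment, a "$" expansion),
# and returns 0 or 1 accordingly.
classify_fw_file() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        t=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')   # drop leading blanks/tabs
        case "$t" in
            ''|'#'*)        continue ;;                                # blank or comment
            ipfw|ipfw\ *)   printf 'script:%s\n' "$n"; return 1 ;;    # "ipfw ..." is a shell command, not a rule
            [A-Za-z_]*=*)   printf 'script:%s\n' "$n"; return 1 ;;    # shell variable assignment
            '$'*)           printf 'script:%s\n' "$n"; return 1 ;;    # $cmd expansion
        esac
    done < "$1"
    printf 'rules\n'
    return 0
}

# Print the value of firewall_type from an rc.conf-style file (last one wins;
# empty output when it is not set).
fw_type_from_rc() {
    sed -n 's/^firewall_type="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Read an rc.conf and, when firewall_type is a pathname, classify that file.
# Returns 0 for a real rules file, 1 when it is actually a script (the case
# in the thread), 2 when firewall_type is a keyword such as "open" or "client"
# rather than a path.
check_rc_conf() {
    target=$(fw_type_from_rc "$1")
    case "$target" in
        /*) classify_fw_file "$target" ;;
        *)  printf 'keyword:%s\n' "$target"; return 2 ;;
    esac
}

# Constructed sample inputs modelled on the thread (not copied from a system):
# a proper firewall_type rules file, a firewall_script-style file, and two
# rc.conf snippets pointing firewall_type at each.  Prints the temp directory.
make_samples() {
    d=$(mktemp -d)
    printf '\tcheck-state\n\tadd allow tcp from any to any 80 keep-state\n\tadd block ip from any to any\n' > "$d/rules.txt"
    printf '#!/bin/sh\n# Flush out the list before we begin.\nipfw -q -f flush\n\ncmd="ipfw -q add"\n' > "$d/ipfw.rules"
    printf 'firewall_enable="YES"\nfirewall_type="%s/ipfw.rules"\n' "$d" > "$d/rc.conf.bad"
    printf 'firewall_enable="YES"\nfirewall_type="%s/rules.txt"\n' "$d" > "$d/rc.conf.good"
    printf '%s\n' "$d"
}

# Usage: sh check_fw.sh /etc/rc.conf
if [ $# -gt 0 ]; then
    check_rc_conf "$1"
fi
```

Run against the thread's configuration it reports `script:3`, matching the "Line 3: bad command `ipfw'" in the kernel log; the fix is either to keep the file as a script and point firewall_script at it (dropping the firewall_type path), or to strip the shell parts so the file holds only rules as in the three-line example above.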
