IPFW at startup.

Ian Smith smithi at nimnet.asn.au
Mon Nov 15 13:29:53 UTC 2010


In freebsd-questions Digest, Vol 337, Issue 1, Message: 15
On Sun, 14 Nov 2010 17:50:47 -0500 "Grant Peel" <gpeel at thenetnow.com> wrote:
 > 
 > I seem to have one server that does not flush the /etc/rc.firewall rules 
 > when the script taken from "firewall_type"  starts up. That is to say when I 
 > boot the machine, 3 rules seem to be still in the list when I do an ipfw -a 
 > list. Those three rules appear to be from the /etc/rc.firewall script. The 
 > rules from my /etc/ipfw.rules file DO get loaded.
 > 
 > Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
 > 
 > setup_loopback () {
 >         ############
 >         # Only in rare cases do you want to change these rules
 >         #
 >         ${fwcmd} add 100 pass all from any to any via lo0
 >         ${fwcmd} add 200 deny all from any to 127.0.0.0/8
 >         ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
 > 
 > Here is my /etc/rc.conf setup:
 > 
 > firewall_enable="YES"
 > firewall_logging="YES"
 > firewall_type="/etc/ipfw.rules"
 > 
 > Here is my /etc/ipfw.rules:
 > 
 > enterprise# more /etc/ipfw.rules
 > # Loopback
 > add 00001 allow ip from any to any via lo0
 > # Office and Home

Ok, looking through your /etc/rc.firewall you should find:

  ############
  # Flush out the list before we begin.
  #
  ${fwcmd} -f flush

  setup_loopback

which installs those rules straight after the flush.  Browsing bits of 
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.firewall shows the last 
version that does NOT run setup_loopback in ALL cases is RELENG_6.

Anyway, apart from the fact that rules 200 and 300 are worth having, all 
you need to do to remove those rules is to make your first rule:

-f flush

I'll refrain from comment on your ruleset, except that:

 > add 65535 deny ip from any to any

you can't actually override the default rule, which is either 'deny' or 
'allow' according to the value of net.inet.ip.fw.default_to_accept which 
depends on a kernel build option, so you might use say 65000 to be sure.

 > Oddly enough, I have several machines that are set up identically and this is 
 > the only one that has sticky rules from /etc/rc.firewall.
 > 
 > Any one have any idea what knob might have been turned that causes the 
 > sticky startup rules?

If those systems are >= 7.0, maybe they have an older /etc/rc.firewall?

cheers, Ian
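Added example, not part of Ian's reply or of FreeBSD's rc scripts: a small POSIX sh lint for a rules file loaded via firewall_type, checking the two points raised above (the first active line is "-f flush", and no rule tries to use number 65535). The sample rules files it writes under /tmp are constructed for the demonstration.

```shell
# lint_ipfw_rules FILE
# Checks two things in an ipfw rules file loaded via firewall_type:
#   1. the first non-comment line is "-f flush", so the rules that
#      rc.firewall's setup_loopback installs (100/200/300) do not
#      survive startup;
#   2. no rule uses number 65535, which is the kernel's default rule
#      (deny or allow per net.inet.ip.fw.default_to_accept) and
#      cannot be replaced from a rules file.
# Returns 0 when both hold, 1 otherwise, printing what it found.
lint_ipfw_rules() {
    file="$1"
    status=0
    # first non-blank, non-comment line
    first=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        "-f flush"|"flush") ;;
        *)  echo "WARN: first rule is '$first', expected '-f flush'"
            status=1 ;;
    esac
    # any "add 65535 ..." line (leading zeros tolerated, as ipfw accepts them)
    if grep -Eq '^[[:space:]]*add[[:space:]]+0*65535([[:space:]]|$)' "$file"; then
        echo "WARN: rule 65535 is the default rule and cannot be overridden; use e.g. 65000"
        status=1
    fi
    return $status
}

# Constructed sample files: one with the problems from the thread, one fixed.
cat > /tmp/ipfw.bad.rules <<'EOF'
# Loopback
add 00001 allow ip from any to any via lo0
add 65535 deny ip from any to any
EOF

cat > /tmp/ipfw.good.rules <<'EOF'
# Flush first so nothing from rc.firewall's setup_loopback remains
-f flush
# Loopback (keep the 127/8 checks rc.firewall would have installed)
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# Explicit final deny, numbered below the kernel's default rule
add 65000 deny ip from any to any
EOF
```

Run it as `lint_ipfw_rules /etc/ipfw.rules` before rebooting; a non-zero exit means rc.firewall's loopback rules will stick or the final deny will silently not be installed.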

