misc/148656: {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0

John J. Donohue jdonohue at mcallen.net
Thu Jul 15 23:10:02 UTC 2010


>Number:         148656
>Category:       misc
>Synopsis:       {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 15 23:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     John J. Donohue
>Release:        6.1, 7.0, 7.2, 8.0
>Organization:
McAllen Public Library (City of McAllen)
>Environment:
FreeBSD internal-dns2.mcallen.lib.tx.us 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009   root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
-----
FreeBSD maindhcp3.mcallen.lib.tx.us 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu Feb 25 10:26:00 CST 2010   root at template.mcallen.lib.tx.us:/usr/src/sys/i386/compile/MIDDLEMAN  i386

>Description:
Under FreeBSD versions up to 7.0, the oif, onet, omask, oip, iif, inet,
imask, and iip variables were explicitly defined in the SIMPLE segment
of rc.firewall, as in:

	# set these to your outside interface network and netmask and ip
	oif="xl0"
	onet="192.168.224.0"
	omask="255.255.255.0"
	oip="192.168.224.4"

	# set these to your inside interface network and netmask and ip
	iif="xl1"
	inet="192.168.240.0"
	imask="255.255.255.0"
	iip="192.168.240.1"

Under versions 7.2 and 8.0, oif, onet, iif, and inet are defined in
rc.conf:

firewall_simple_oif="xl0"
firewall_simple_onet="192.168.224.0/24"
firewall_simple_iif="xl1"
firewall_simple_inet="192.168.240.0/24"

and then substituted in the SIMPLE segment of rc.firewall:

	# Configuration:
	#  firewall_simple_iif:		Inside network interface.
	#  firewall_simple_inet:	Inside network address.
	#  firewall_simple_oif:		Outside network interface.
	#  firewall_simple_onet:	Outside network address.
	############

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"

oip and iip are not defined, declared, or extracted anywhere, and substitute
as a value of '0' in script statements such as

  ${fwcmd} add pass tcp from 192.168.240.0/24 to ${iip} 22 via ${iif} setup

which 'ipfw show' lists as

   allow tcp from 192.168.240.0/24 to 0.0.0.22 via xl1 setup
                                      ^^^^^^^^
instead of

   allow tcp from 192.168.240.0/24 to 192.168.240.1 dst-port 22 via xl1 setup
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
which was the original intent.

>How-To-Repeat:
Run the default included /etc/rc.firewall script using /etc/rc.conf:firewall_type="SIMPLE" and any active ipfw statements that include {oip} and/or {iip} variable references.

>Fix:
MY SOLUTION:

I added the following to /etc/rc.conf:

firewall_simple_oip="192.168.224.4"
firewall_simple_iip="192.168.240.1"

and the following to the SIMPLE segment of rc.firewall:

	# Configuration:
	#  firewall_simple_iif:		Inside network interface.
	#  firewall_simple_inet:	Inside network address.
-->	#  firewall_simple_iip:         Inside ip address.
	#  firewall_simple_oif:		Outside network interface.
	#  firewall_simple_onet:	Outside network address.
-->	#  firewall_simple_oip:         Outside ip address.
	############

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"
-->	oip="$firewall_simple_oip"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"
-->	iip="$firewall_simple_iip"
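As an added example (not part of this PR and not FreeBSD's own rc.firewall), the sh script below models how the SIMPLE section expands its variables into an ipfw rule. With firewall_simple_iip unset, the unquoted ${iip} expands to nothing and the rule text reads "to 22", which ipfw then takes as the address 0.0.0.22, as the 'ipfw show' output above records. The second builder refuses to emit a rule when the address is empty, which is the check a reviewer would want next to the rc.conf-sourced assignments. The function names build_ssh_rule_unchecked, build_ssh_rule_checked, fwcmd and demo are invented for this example; fwcmd only echoes the rule instead of running /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: model the SIMPLE section's
# variable expansion and show why an unset firewall_simple_iip produces a
# malformed destination. Variable names follow rc.firewall; the function
# names are hypothetical.

# Constructed rc.conf values. firewall_simple_iip is deliberately left
# unset here, as it effectively is under stock 7.2/8.0 rc.firewall.
firewall_simple_iif="xl1"
firewall_simple_inet="192.168.240.0/24"

# Stand-in for ${fwcmd} (/sbin/ipfw): print the rule exactly as the
# words would be handed to ipfw, joined by single spaces.
fwcmd() {
    echo "$*"
}

# Stock behaviour: values are copied from rc.conf with no check that
# they hold anything. An empty iip simply disappears from the word list.
build_ssh_rule_unchecked() {
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"
    iip="$firewall_simple_iip"
    fwcmd add pass tcp from ${inet} to ${iip} 22 via ${iif} setup
}

# Guarded behaviour: fail with a message rather than silently installing
# a rule whose destination has become 0.0.0.22.
build_ssh_rule_checked() {
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"
    if [ -z "${firewall_simple_iip}" ]; then
        echo "rc.firewall: firewall_simple_iip is not set in rc.conf; refusing to build rule" >&2
        return 1
    fi
    iip="$firewall_simple_iip"
    fwcmd add pass tcp from ${inet} to ${iip} 22 via ${iif} setup
}

# Stand-alone demonstration, run in a subshell so the assignment below
# does not leak into the caller's environment.
demo() (
    echo "iip unset, unchecked: $(build_ssh_rule_unchecked)"
    build_ssh_rule_checked || echo "iip unset, checked:   refused with status $?"
    firewall_simple_iip="192.168.240.1"
    echo "iip set, checked:     $(build_ssh_rule_checked)"
)
demo
```

The explicit test is preferable to adding `set -u` to rc.firewall, because that script is sourced by the rc.d machinery and an unset-variable abort there would take the whole firewall startup down rather than just the one rule.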



>Release-Note:
>Audit-Trail:
>Unformatted:
