[Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jun 18 18:58:31 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694

            Bug ID: 238694
           Summary: Configuring & using a customized IPFW rule set now
                    causes additional rules to be (involuntarily) added
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: conf
          Assignee: bugs at FreeBSD.org
          Reporter: rfg-freebsd at tristatelogic.com

The HandBook (Section 30.4.1) describes how to enable an IPFW firewall while
using a locally customized set of IPFW filtering rules.  This basically boils
down to placing two lines, like the following, into the /etc/rc.conf file:

     firewall_enable="YES"
     firewall_type="path-to-my-rules-file"

I have been using this exact motif in /etc/rc.conf, and my own customized set
of ipfw rules for years, but I recently upgraded to FreeBSD 12.0-RELEASE.  Once
I had done so, I noticed (when I checked using "ipfw -a list") that now, several
different IPFW rules were somehow being added to my explicitly specified IPFW
rule set, prior to my own rules.

This appears to be due to the invocation of the new /etc/rc.firewall script
which injects into ipfw several of its own IPFW rules ahead of whatever rules
the user provides within the file designated by "path-to-my-rules-file".

I verified this by finding one part of the /etc/rc.firewall script where this
was occurring, commenting out some of the relevant lines therein, and then
rebooting the system.  Sure enough, the relevant IPFW rules that were formerly
being inserted into IPFW by /etc/rc.firewall were no longer showing up when I
did a fresh "ipfw -a list".

I believe that it would be appropriate (and would be maximally consistent with
past behavior in prior FreeBSD releases) if, when the user specifies his or her
own explicitly provided IPFW rule set, those rules are used verbatim, and are
not augmented by the /etc/rc.firewall script.
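The check the reporter did by hand (comparing "ipfw -a list" against the rules file named by firewall_type) can be scripted so the loaded ruleset is audited after every boot. This is an added example, not part of the bug report or of FreeBSD's rc scripts; it assumes the rules file uses "add <number> ..." lines and that "ipfw -a list" prints the rule number in the first column followed by packet and byte counters.

```shell
#!/bin/sh
# Added example, not part of the bug report: compare the rules ipfw actually
# loaded with the file named by firewall_type in /etc/rc.conf and print the
# rule numbers that the file never added. With a custom firewall_type, any
# number printed came from somewhere other than the user's file.
#
# Live usage:  audit_ipfw_rules /path/to/my/rules "$(ipfw -a list)"

# Rule numbers added by the rules file ("add <number> ..." lines).
file_rule_numbers() {
    awk '$1 == "add" && $2 ~ /^[0-9]+$/ { printf "%d\n", $2 }' "$1" | sort -un
}

# Rule numbers in "ipfw -a list" output (zero-padded number, packet and byte
# counters, rule body). Rule 65535 is the kernel's built-in default rule and
# is therefore never reported as injected.
live_rule_numbers() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 != 65535 { printf "%d\n", $1 }' | sort -un
}

# Print rule numbers that are live but absent from the rules file. The file's
# numbers are emitted twice, so only numbers unique to the live set survive
# "uniq -u" (present in both: 3 copies; file only: 2; live only: 1).
audit_ipfw_rules() {
    rules_file=$1 live_output=$2
    {
        printf '%s\n' "$live_output" | live_rule_numbers
        file_rule_numbers "$rules_file"
        file_rule_numbers "$rules_file"
    } | sort -n | uniq -u
}

# Constructed sample data for offline use: a small custom rule set and an
# "ipfw -a list" capture containing three rules (100, 200, 300) the file
# did not add.
demo_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
add 1000 allow ip from any to any via lo0
add 2000 deny ip from any to 127.0.0.0/8
add 65000 deny ip from any to any
EOF
    live='00100       12     1200 allow ip from any to any via lo0
00200        0        0 deny ip from any to 127.0.0.0/8
00300        0        0 deny ip from 127.0.0.0/8 to any
01000      340    45678 allow ip from any to any via lo0
02000        0        0 deny ip from any to 127.0.0.0/8
65000       55     6600 deny ip from any to any
65535        0        0 deny ip from any to any'
    audit_ipfw_rules "$tmp" "$live"
    rm -f "$tmp"
}
```

An empty result means every loaded rule (other than the kernel default) is accounted for by the configured rules file.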
