[Bug 238694] Configuring & using a customized IPFW rule set now causes additional rules to be (involuntarily) added
bugzilla-noreply at freebsd.org
Tue Jun 18 18:58:31 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238694
Bug ID: 238694
Summary: Configuring & using a customized IPFW rule set now
causes additional rules to be (involuntarily) added
Product: Base System
Version: 12.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: bugs at FreeBSD.org
Reporter: rfg-freebsd at tristatelogic.com
The HandBook (Section 30.4.1) describes how to enable an IPFW firewall while
using a locally customized set of IPFW filtering rules. This basically boils
down to placing two lines, like the following, into the /etc/rc.conf file:
firewall_enable="YES"
firewall_type="path-to-my-rules-file"
I have been using this exact motif in /etc/rc.conf, and my own customized set
of ipfw rules for years, but I recently upgraded to FreeBSD 12.0-RELEASE. Once
I had done so, I noticed (when I checked using "ipfw -a list") that now, several
different IPFW rules were somehow being added to my explicitly specified IPFW
rule set, prior to my own rules.
This appears to be due to the invocation of the new /etc/rc.firewall script
which injects into ipfw several of its own IPFW rules ahead of whatever rules
the user provides within the file designated by "path-to-my-rules-file".
I verified this by finding one part of the /etc/rc.firewall script where this
was occurring, commenting out some of the relevant lines therein, and then
rebooting the system. Sure enough, the relevant IPFW rules that were formerly
being inserted into IPFW by /etc/rc.firewall were no longer showing up when I
did a fresh "ipfw -a list".
I believe that it would be appropriate (and would be maximally consistent with
past behavior in prior FreeBSD releases) if, when the user specifies his or her
own explicitly provided IPFW rule set, those rules are used verbatim, and are
not augmented by the /etc/rc.firewall script.
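A check for the symptom described in this report, added here as an example that is not part of the bug report or of FreeBSD's rc.firewall: it compares the rules actually loaded (the text of "ipfw list" or "ipfw -a list" output) against the user's own rules file and prints every loaded rule the file does not contain. It assumes the rules file uses ipfw script syntax ("add [number] action ...") and treats the built-in default rule 65535 as expected.

```shell
#!/bin/sh
# Added example (not from the bug report or rc.firewall): report ipfw rules
# that are loaded on the running system but absent from the user's rules file.
# Assumption: the rules file is in ipfw script syntax ("add [num] action ...").

# Normalize one rule line to "action body" form: drop comments, the "add"
# keyword, the rule number, the two counters that "ipfw -a list" prints, and
# extra whitespace; lowercase so ALLOW and allow compare equal.
norm_rule() {
    printf '%s\n' "$1" |
        sed -e 's/#.*$//' \
            -e 's/^[[:space:]]*add[[:space:]]*//' \
            -e 's/^[0-9][0-9]*[[:space:]]*//' \
            -e 's/^[0-9][0-9]*[[:space:]]*[0-9][0-9]*[[:space:]]*//' \
            -e 's/[[:space:]]\{1,\}/ /g' \
            -e 's/^ //' -e 's/ $//' |
        tr '[:upper:]' '[:lower:]'
}

# unexpected_rules LOADED_TEXT RULESFILE
# Prints each line of LOADED_TEXT (ipfw list output) whose normalized form does
# not match any rule in RULESFILE. Rule 65535 is ipfw's built-in default and is
# never in a rules file, so it is skipped.
unexpected_rules() {
    loaded="$1"; rulesfile="$2"
    printf '%s\n' "$loaded" | while IFS= read -r line; do
        case "$line" in
            ''|65535\ *) continue ;;
        esac
        n=$(norm_rule "$line")
        if [ -z "$n" ]; then continue; fi
        found=0
        while IFS= read -r want; do
            if [ "$(norm_rule "$want")" = "$n" ]; then found=1; break; fi
        done < "$rulesfile"
        if [ "$found" -eq 0 ]; then printf '%s\n' "$line"; fi
    done
}

# Typical use on the affected host (assumes the rc.conf path from the report):
#   unexpected_rules "$(ipfw -a list)" /path/to/my/rules/file
```

Any line printed is a rule that came from somewhere other than the user's file, which on 12.0 is the rc.firewall behaviour the report describes.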