phantom rules

Ian Smith smithi at nimnet.asn.au
Wed Sep 15 04:50:00 UTC 2010


On Tue, 14 Sep 2010, Brandon Gooch wrote:
 > On Thu, Sep 9, 2010 at 8:17 AM, Gareth de Vaux <bsd at lordcow.org> wrote:
 > > Hi all, for some reason these rules get loaded on boot up before the
 > > ones I specify in a file:
 > >
 > > 00100   0     0 allow ip from any to any via lo0
 > > 00200   0     0 deny ip from any to 127.0.0.0/8
 > > 00300   0     0 deny ip from 127.0.0.0/8 to any
 > > 00400   0     0 deny ip from any to ::1
 > > 00500   0     0 deny ip from ::1 to any
 > > 00600   0     0 allow ipv6-icmp from :: to ff02::/16
 > > 00700   0     0 allow ipv6-icmp from fe80::/10 to fe80::/10
 > > 00800   0     0 allow ipv6-icmp from fe80::/10 to ff02::/16
 > > 00900   0     0 allow ipv6-icmp from any to any ip6 icmp6types 1
 > > 01000   0     0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
 > >
 > > I just flush this manually but how do I stop the behaviour properly?
 > >
 > > My rc.conf entries:
 > >
 > > firewall_enable="YES"
 > > firewall_type="/usr/local/etc/firewall"
 > > firewall_logging="YES"
 > 
 > I would begin by reading:
 > 
 > $ man 7 firewall
 > $ man 5 rc.conf
 > $ less /etc/rc.firewall
 > 
 > I think the source of /etc/rc.firewall may be most enlightening in
 > regard to the behavior in question (setup_loopback(),
 > setup_ipv6_mandatory(), etc...).

Indeed, that's where these have come from (and Gareth, you DO want those
rules, including the ipv6_mandatory ones if running ipv6), but I suspect 
that you may have rather intended this to be:

firewall_script="/usr/local/etc/firewall"

Otherwise - see /etc/defaults/rc.conf for firewall_* - you'll have set:

firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file

Since you are (by default) using /etc/rc.firewall as the script, if you 
specify firewall_type as a file rather than one of those types directly 
handled by rc.firewall, then this file is not expected to be a shell 
script, but a list of ipfw commands to be directly consumed by ipfw:

     ipfw [-cfnNqS] [-p preproc [preproc-flags]] pathname

t23# tail -n6 /etc/rc.firewall
*)
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
esac

 > Have fun, and don't get discouraged (speaking from experience)

You'll have more fun if you study ipfw(8) rather than trying to learn 
much from the dreadful and often just WRONG Handbook section on ipfw ..

 > 
 > :)
 > 
 > -Brandon

cheers, Ian
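The firewall_type-as-file dispatch described in Ian's reply, as an added example that is not part of the thread or of FreeBSD's own rc.firewall: a dry run that mimics the case at the end of /etc/rc.firewall (built-in keywords are handled by the script, anything else is a pathname fed straight to ipfw) and a heuristic check for the mistake of pointing firewall_type at a shell script. The keyword list and the shell-detection patterns are assumptions; the two sample files are constructed.

```sh
#!/bin/sh
# Added example, not rc.firewall itself: model the rc.conf firewall_* dispatch.
# Assumption: the built-in keyword list matches rc.firewall of that era.
fwcmd=/sbin/ipfw

is_builtin_type() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        open|client|simple|closed|workstation|unknown) return 0 ;;
        *) return 1 ;;
    esac
}

# What rc.firewall would do with firewall_type=$1 and firewall_flags=$2.
plan_type() {
    if is_builtin_type "$1"; then
        echo "builtin:$1"
    elif [ -r "$1" ]; then
        # mirrors the tail of rc.firewall: ${fwcmd} ${firewall_flags} ${firewall_type}
        echo "$fwcmd ${2:+$2 }$1"
    else
        echo "unreadable:$1"
    fi
}

# Heuristic: count lines that look like shell rather than ipfw rule syntax
# (shebang, variable expansion, a leading "ipfw", or shell keywords).
# ipfw reads the file as commands, so any such line breaks the whole file.
check_rules_file() {
    grep -c -E '^#!|\$\{?[A-Za-z_0-9]|^[[:space:]]*ipfw[[:space:]]|^[[:space:]]*(if|fi|case|esac)([[:space:]]|$)' "$1" || true
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed rules file in the form a file-type firewall_type expects.
cat >"$tmp/rules" <<'EOF'
# my ipfw rules
add 1000 allow tcp from any to me 22 setup
add 1100 deny log ip from any to any
EOF
# Constructed shell script mistakenly given as firewall_type (belongs in firewall_script).
cat >"$tmp/script.sh" <<'EOF'
#!/bin/sh
fwcmd=/sbin/ipfw
${fwcmd} add 1000 allow tcp from any to me 22 setup
EOF

plan_type open ""
plan_type "$tmp/rules" "-q"
echo "shell-looking lines in rules: $(check_rules_file "$tmp/rules")"
echo "shell-looking lines in script.sh: $(check_rules_file "$tmp/script.sh")"
```

A script that needs ${fwcmd} and shell logic goes in firewall_script, where it replaces rc.firewall entirely (and then nothing adds the loopback and IPv6 rules for you).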