net.inet{,6}.fw.enable in /etc/rc

Hiroki Sato hrs at FreeBSD.org
Sun Sep 21 06:00:25 UTC 2014


Hi,

 I would like your comments about the attached patch to /etc/rc.

 The problem I want to fix by this patch is as follows.
 net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW
 kernel module is loaded or statically compiled into a kernel.  And by
 default IPFW has only a "deny ip from any to any" rule if it is
 compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option.  In this case,
 the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
 working as described in the patch.

 To fix this, the patch turns IPFW off before running rc.d scripts at
 boot time, and enables it again in rc.d/ipfw script.

 I think most users use the GENERIC kernel + ipfw kernel module.  In
 that case, IPFW is not activated before the rc.d/ipfw script regardless
 of this patch, so there is no user-visible change.  This patch
 affects only the combination of a kernel with IPFW compiled in and rc.d
 scripts running before rc.d/ipfw.  The behavior will be almost the
 same as with GENERIC kernel + ipfw kernel module.

 Please let me know if I am missing something.

-- Hiroki
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc_ipfw.20140921-1.diff
Type: text/x-patch
Size: 942 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20140921/08a6543e/attachment.bin>
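The attached patch is not reproduced on this page, so the following is an added sh model of the ordering the mail describes (it is not Hiroki's rc_ipfw.20140921-1.diff, and the rc.d machinery is reduced to two functions). The only real identifiers are the sysctl OIDs net.inet.fw.enable and net.inet6.fw.enable; the SYSCTL override variable, the function names and the state strings are assumptions made so the logic can be exercised on a box without IPFW.

```sh
#!/bin/sh
# Added example: a model of the boot-time ordering described in the mail.
# It is not the author's rc_ipfw patch. SYSCTL is overridable (an assumption
# made for exercising the logic off-box); the OID names are the real ones.
SYSCTL=${SYSCTL:-sysctl}
FW_OIDS="net.inet.fw.enable net.inet6.fw.enable"

# fw_get OID: print the OID's value; fail if IPFW is not in the kernel.
fw_get() { "$SYSCTL" -n "$1" 2>/dev/null; }

# fw_set_all VALUE: set every present firewall OID to VALUE.
# Returns 0 if at least one OID was set, 1 if IPFW is absent (nothing to do).
fw_set_all() {
    _changed=0
    for oid in $FW_OIDS; do
        if fw_get "$oid" >/dev/null; then
            "$SYSCTL" "$oid=$1" >/dev/null && _changed=1
        fi
    done
    [ "$_changed" -eq 1 ]
}

# What /etc/rc would do before any rc.d script runs: with IPFW compiled in
# and without IPFIREWALL_DEFAULT_TO_ACCEPT the only rule is "deny ip from
# any to any", so scripts ordered before rc.d/ipfw would otherwise have no
# network while the firewall is already enabled.
early_boot_disable() { fw_set_all 0; }

# What rc.d/ipfw would do once its rule set has been loaded.
ipfw_script_enable() { fw_set_all 1; }

# fw_state: "absent" when IPFW is not in the kernel, "on" if either address
# family has the firewall enabled, otherwise "off".
fw_state() {
    _seen=0
    for oid in $FW_OIDS; do
        _v=$(fw_get "$oid") || continue
        _seen=1
        if [ "$_v" = "1" ]; then echo on; return 0; fi
    done
    if [ "$_seen" -eq 1 ]; then echo off; else echo absent; fi
}

# Stand-alone run: report what the running kernel looks like right now.
echo "ipfw state: $(fw_state)"
```

Run as-is it only reports the current state; on a GENERIC kernel without the ipfw module it prints "absent", which is exactly the case the mail says is unaffected. The interesting path is a kernel with IPFW compiled in: fw_state is "on" before early_boot_disable, "off" while the early rc.d scripts run, and "on" again after ipfw_script_enable, with fw_set_all returning 1 (nothing done) when the OIDs do not exist.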