net.inet{,6}.fw.enable in /etc/rc
Hiroki Sato
hrs at FreeBSD.org
Sun Sep 21 06:00:25 UTC 2014
Hi,

I would like your comments about the attached patch to /etc/rc.
The problem I want to fix by this patch is as follows.

net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW
kernel module is loaded or statically compiled into a kernel. And by
default IPFW has only a "deny ip from any to any" rule if it is
compiled without the IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
working as described in the patch.

To fix this, the patch turns IPFW off before running rc.d scripts at
boot time, and enables it again in the rc.d/ipfw script.

I think most users use the GENERIC kernel + ipfw kernel module. In
that case, IPFW is not activated before the rc.d/ipfw script regardless
of this patch, so there is no user-visible change. This patch
affects only a combination of a kernel with IPFW compiled in and rc.d
scripts running before rc.d/ipfw. The behavior will be almost the
same as GENERIC kernel + ipfw kernel module's.

Please let me know if I am missing something.

-- Hiroki
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc_ipfw.20140921-1.diff
Type: text/x-patch
Size: 942 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20140921/08a6543e/attachment.bin>
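The boot-time logic the mail describes, written out as an added example; this is not the attached rc_ipfw.20140921-1.diff and not FreeBSD's /etc/rc. It uses the full OID names net.inet.ip.fw.enable and net.inet6.ip6.fw.enable (abbreviated as net.inet{,6}.fw.enable in the mail) and assumes the sysctl binary may be overridden through $SYSCTL so the functions can be exercised offline against a stub.

```shell
#!/bin/sh
# Added example, not the attached patch: the disable-before-rc.d /
# re-enable-in-rc.d/ipfw sequence the mail describes. Assumption: the
# sysctl command can be overridden via $SYSCTL (defaults to /sbin/sysctl).

IPFW_OIDS="net.inet.ip.fw.enable net.inet6.ip6.fw.enable"

# Succeed only if the OID exists, i.e. IPFW is loaded or compiled in.
# A kernel without IPFW has no such OID, so nothing is touched there.
ipfw_oid_present() {
    "${SYSCTL:-/sbin/sysctl}" -n "$1" >/dev/null 2>&1
}

# Set every present IPFW enable OID to the given value (0 or 1) and
# print the OIDs that were changed, space separated, for logging.
ipfw_set_enable() {
    _value=$1
    _changed=""
    for _oid in $IPFW_OIDS; do
        if ipfw_oid_present "$_oid"; then
            "${SYSCTL:-/sbin/sysctl}" "$_oid=$_value" >/dev/null 2>&1 \
                && _changed="$_changed $_oid"
        fi
    done
    printf '%s\n' "${_changed# }"
}

# What /etc/rc would do before running the rc.d scripts: turn IPFW off
# so a compiled-in "deny ip from any to any" default rule cannot block
# network-dependent scripts ordered before rc.d/ipfw.
ipfw_disable_early() {
    ipfw_set_enable 0
}

# What rc.d/ipfw would do once its ruleset is loaded: turn IPFW back on.
ipfw_enable_after_rules() {
    ipfw_set_enable 1
}

# Report each present OID as "oid=value", one per line, to check which
# firewall state an earlier rc.d script actually ran under.
ipfw_report() {
    for _oid in $IPFW_OIDS; do
        if ipfw_oid_present "$_oid"; then
            printf '%s=%s\n' "$_oid" "$("${SYSCTL:-/sbin/sysctl}" -n "$_oid")"
        fi
    done
}
```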