net.inet{,6}.fw.enable in /etc/rc
Ian Smith
smithi at nimnet.asn.au
Sun Sep 21 08:52:32 UTC 2014
On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote:
> Hi,
>
> I would like your comments about the attached patch to /etc/rc.
>
> The problem I want to fix by this patch is as follows.
> net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
> kernel module is loaded or statically compiled into a kernel. And by
> default IPFW has only a "deny ip from any to any" rule if it is
> compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
> the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
> working as described in the patch.
>
> To fix this, the patch turns IPFW off before running rc.d scripts at
> boot time, and enables it again in rc.d/ipfw script.
>
> I think most users use GENERIC kernel + ipfw kernel module. In
> that case, IPFW is not activated before rc.d/ipfw script regardless
> of this patch, so there is no user-visible change. This patch
> affects only a combination of a kernel with IPFW compiled and rc.d
> scripts running before rc.d/ipfw. The behavior will be almost the
> same as GENERIC kernel + ipfw kernel module's.
>
> Please let me know if I am missing something.
>
> -- Hiroki
Sounds like a very good idea .. may explain some old bootup mysteries ..
> +# Clear *.fw.enable sysctls. At boot time, some of network initialization
> +# before rc.d/ipfw script requires network communications (e.g. DHCP and
> +# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny"
> +# policy was applied---this can happen when IPFW is complied into the kernel
> +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those
> +# comminucations are blocked. To prevent this, set *.fw.enable=0 before
Typo trivia: communications
> +# calling rc.d scripts. The rc.d/ipfw script set this to 1 after
> +# configuration.
> +/sbin/sysctl -q net.inet.ip.fw.enable=0
> +/sbin/sysctl -q net.inet6.ip6.fw.enable=0
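Review bot: the comment in this hunk has a typo and an unclosed parenthetical: "complied into the kernel" should read "compiled", and the clause opened by "policy was applied---" is never closed, so the sentence runs on into "those comminucations are blocked"; suggest "policy was applied (this can happen when IPFW is compiled into the kernel or the ipfw kernel module is loaded by loader before rc.d/ipfw runs), those communications are blocked." Also "The rc.d/ipfw script set this to 1" should be "sets". Since net.inet.ip.fw.enable and net.inet6.ip6.fw.enable exist only when ipfw is in the kernel or loaded, the two /sbin/sysctl -q lines will fail on every other kernel; either state in the comment that this failure is expected and harmless, or make the calls tolerate an unknown OID.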
These OIDs only exist on systems with ipfw loaded or in-kernel.
Use either 'sysctl -iq .. ', or add '|| true' to both of those?
cheers, Ian