net.inet{,6}.fw.enable in /etc/rc

Andrey V. Elsukov bu7cher at yandex.ru
Mon Sep 22 18:03:19 UTC 2014


On 21.09.2014 09:58, Hiroki Sato wrote:
> Hi,
> 
>  I would like your comments about the attached patch to /etc/rc.
> 
>  The problem I want to fix by this patch is as follows.
>  net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
>  kernel module is loaded or statically compiled into a kernel.  And by
>  default IPFW has only a "deny ip from any to any" rule if it is
>  compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option.  In this case,
>  the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
>  working as described in the patch.
> 
>  To fix this, the patch turns IPFW off before running rc.d scripts at
>  boot time, and enables it again in rc.d/ipfw script.

Hi,

I think this should be configurable; the change can be unexpected for
someone.

-- 
WBR, Andrey V. Elsukov
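The two halves of the proposed change, written out as an added example (this is not the patch attached to the original mail, nor anything from the FreeBSD tree): an early-boot step that clears the enable sysctls so the default-deny ruleset does not block the rc.d scripts that run before rc.d/ipfw, and a later step in rc.d/ipfw that switches filtering back on once the ruleset is loaded. Following the reply above, the early disable is gated by an rc.conf-style knob; the knob name firewall_early_disable and the function names are hypothetical, while firewall_enable and the two OIDs (the expanded form of the net.inet{,6}.fw.enable shorthand) are real. The sysctl wrappers exist so the logic can be exercised on a host without the ipfw module.

```shell
#!/bin/sh
# Added example, not the patch from the thread or FreeBSD's own rc code.
# Early-boot half: optionally turn IPFW off so the default "deny ip from any
# to any" rule does not stop earlier rc.d scripts.  rc.d/ipfw half: turn it
# back on after the ruleset is loaded.

# Hypothetical rc.conf knob: only "YES" turns IPFW off during early boot, so
# the default behaviour (default-deny in force from the first moment) stays.
: "${firewall_early_disable:=NO}"
# Real rc.conf knob: rc.d/ipfw only enables the firewall when this is YES.
: "${firewall_enable:=NO}"

# Expanded form of the thread's net.inet{,6}.fw.enable shorthand.
FW_OIDS="net.inet.ip.fw.enable net.inet6.ip6.fw.enable"

# Thin wrappers around sysctl(8); tests replace them with shims so the logic
# can run on a machine without the ipfw module.
fw_sysctl_get() { sysctl -n "$1"; }
fw_sysctl_set() { sysctl "$1=$2" >/dev/null; }

# Early-boot half.  With the knob off, leave the kernel's setting alone.  With
# it on, clear every enable OID that is currently 1.  The OIDs touched are
# left in FW_CHANGED (space separated) for logging or tests.
fw_early_disable() {
	FW_CHANGED=""
	case "$firewall_early_disable" in
	[Yy][Ee][Ss]) ;;
	*) return 0 ;;
	esac
	for oid in $FW_OIDS; do
		# Skip OIDs this kernel does not have (e.g. built without INET6).
		cur=$(fw_sysctl_get "$oid" 2>/dev/null) || continue
		if [ "$cur" = "1" ]; then
			fw_sysctl_set "$oid" 0
			FW_CHANGED="${FW_CHANGED:+$FW_CHANGED }$oid"
		fi
	done
	return 0
}

# rc.d/ipfw half.  Once the ruleset has been loaded, re-enable filtering when
# firewall_enable=YES.  Nothing from the early half is needed here, so the two
# steps stay independent even if the early one never ran.
fw_late_enable() {
	FW_CHANGED=""
	case "$firewall_enable" in
	[Yy][Ee][Ss]) ;;
	*) return 0 ;;
	esac
	for oid in $FW_OIDS; do
		cur=$(fw_sysctl_get "$oid" 2>/dev/null) || continue
		if [ "$cur" != "1" ]; then
			fw_sysctl_set "$oid" 1
			FW_CHANGED="${FW_CHANGED:+$FW_CHANGED }$oid"
		fi
	done
	return 0
}

# Stand-alone use: "sh fw_toggle.sh early" from the early rc phase and
# "sh fw_toggle.sh late" from rc.d/ipfw.  No argument does nothing.
case "${1:-}" in
early) fw_early_disable ;;
late)  fw_late_enable ;;
esac
```

The point of the knob is the window it controls: between the early disable and rc.d/ipfw, no IPFW rule is applied, so an administrator who deliberately relies on default-deny from the first instant keeps that by leaving the knob at NO, while one bitten by blocked early rc.d scripts opts in.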

