firewall rules do not get read

Alex de Kruijff freebsd at
Fri Nov 21 11:24:53 PST 2003

On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> Alex de Kruijff wrote:
> >On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> >
> >>I noticed my firewall rules are not being read. I have rc.conf set to 
> >>read the file rc.firewall. In rc.firewall the first line is add divert 
> >>natd etc etc. that is followed by pass all from any to any etc etc. Then 
> >>nothing after that is read, it is all ignored.
> >>If I comment out the line pass all from any to any then nothing works to 
> >>access the internet.
> >>I don't know what to do to make it read past those first two lines.
> >>Any suggestions?
> >
> >
> >Can you give me the output of 'ipfw s'. If that one doesn't work then
> >try 'ipfw l'?
> No problem, below are the results of the two commands. Question - do I 
> have to use rc.firewall? 

No you can create your own configuration file for ipfw. You need these
two line in rc.conf:


The configuration file looks something like:
add divert natd ip from any to any via xl1
add allow ip from any to any

> Or is it just a generic ruleset that can be 
> replaced by a custom ruleset, as I have done (called firewall.rules 
> pasted in below)?

Its posible to place your own ruleset in the default script, but i would
adive *not* to do this, because when you update this file can be
overriden in the process.

> here is ipfw s results -
> 00100 1571924 1218317046 divert 8668 ip from any to any via xl1
> 00200 3144909 2436915536 allow ip from any to any
> 00300       0          0 divert 8668 ip from any to any via xl1
> 00400       0          0 allow ip from any to any
> 00500       0          0 divert 8668 ip from any to any via xl1
> 65535       0          0 deny ip from any to any

The result of rc.firewall can be seen with ipfw l and ipfw s (show). The
later gives the same information as ipfw l (list). The two values are
number of packets and the number of bytes that applied to a rule.

A couple of comments 
1. Here you have tree rules with divert natd. Normaly you want a packet
to pass natd only one time.
2. Rule 200 is to allow everyting so  the others aren't looked at.
3. This firewall allows every packed to pass.

You may like to have a look at my home page. I have an artile about how
to setup a firewall, that may proof to be usefull to you.


Articles based on solutions that I use:

More information about the freebsd-questions mailing list