firewall rules do not get read

Micheal Patterson micheal at tsgincorporated.com
Fri Nov 21 15:56:06 PST 2003



----- Original Message ----- 
From: "Alex de Kruijff" <freebsd at akruijff.dds.nl>
To: "Chip" <chip at wiegand.org>
Cc: "FreeBSD Questions List" <questions at freebsd.org>
Sent: Friday, November 21, 2003 1:24 PM
Subject: Re: firewall rules do not get read


> On Thu, Nov 20, 2003 at 04:19:09PM -0800, Chip wrote:
> >
> >
> > Alex de Kruijff wrote:
> >
> > >On Wed, Nov 19, 2003 at 09:38:34PM -0800, Chip wrote:
> > >
> > >>I noticed my firewall rules are not being read. I have rc.conf set to
> > >>read the file rc.firewall. In rc.firewall the first line is add divert
> > >>natd etc etc. that is followed by pass all from any to any etc etc. Then
> > >>nothing after that is read, it is all ignored.
> > >>If I comment out the line pass all from any to any then nothing works to
> > >>access the internet.
> > >>I don't know what to do to make it read past those first two lines.
> > >>Any suggestions?
> > >
> > >
> > >Can you give me the output of 'ipfw s'. If that one doesn't work then
> > >try 'ipfw l'?
> >
> > No problem, below are the results of the two commands. Question - do I
> > have to use rc.firewall?
>
> No, you can create your own configuration file for ipfw. You need these
> two lines in rc.conf:
>
> firewall_enable="YES"
> firewall_type="/etc/firewall.conf"
>
> The configuration file looks something like:
> add divert natd ip from any to any via xl1
> add allow ip from any to any
>
> > Or is it just a generic ruleset that can be
> > replaced by a custom ruleset, as I have done (called firewall.rules
> > pasted in below)?
>
> It's possible to place your own ruleset in the default script, but I would
> advise *not* to do this, because when you update, this file can be
> overridden in the process.


It is also possible to simply create an ipfw.sh script in
/usr/local/etc/rc.d and add all of your rules to that script.

ipfw.sh:

#!/bin/sh
# drop the currently loaded ruleset before adding the new one
ipfw -f flush

#NATD Rules here
ipfw add 3 divert natd all from any to any via xl1
etc..

I've used both rc.conf and this method, but I prefer to number my rule sets
so that I can easily tell which one is causing an issue should I
inadvertently block traffic that needs to get through.  To my knowledge,
either method works well, it's just that what I do is generally not
mentioned. :)

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
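A fuller version of the rc.d-script approach described above, written as an added example (it is not code from the original post or from FreeBSD's own rc.firewall). It assumes, for illustration only, that xl1 is the external interface as in the thread, that xl0 is the LAN interface, and that the LAN is 10.0.0.0/24; set IPFW="echo ipfw" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the original post: a numbered ipfw ruleset
# in the /usr/local/etc/rc.d style, with NAT through natd.
# Assumptions for illustration: xl1 is the external interface (as in the
# thread), xl0 is the LAN interface, and the LAN is 10.0.0.0/24.
# Set IPFW="echo ipfw" to print the commands instead of loading them
# (for example to review the ruleset on a host without ipfw).

IPFW="${IPFW:-/sbin/ipfw}"
EXT_IF="${EXT_IF:-xl1}"          # assumed external interface
LAN_IF="${LAN_IF:-xl0}"          # assumed internal interface
LAN="${LAN:-10.0.0.0/24}"        # assumed private LAN behind natd

# Rules get explicit numbers in steps of 100, so that 'ipfw show' counters
# and 'deny log' lines in /var/log/security name the exact rule that
# matched, and so new rules can be slotted in without renumbering.
load_rules() {
    $IPFW -q -f flush

    # NAT first: packets crossing $EXT_IF in either direction go to natd
    # and re-enter the ruleset at the next rule, already translated.
    $IPFW add 100 divert natd ip from any to any via "$EXT_IF"

    # Loopback, and nothing spoofing loopback or the LAN from outside.
    $IPFW add 200 allow ip from any to any via lo0
    $IPFW add 210 deny ip from any to 127.0.0.0/8
    $IPFW add 220 deny ip from "$LAN" to any in via "$EXT_IF"

    # Everything on the internal interface is trusted (LAN <-> gateway).
    $IPFW add 300 allow ip from any to any via "$LAN_IF"

    # Stateless policy on the external side: replies to connections we
    # opened, new outbound TCP connections, DNS, and basic ICMP.
    $IPFW add 400 allow tcp from any to any established
    $IPFW add 410 allow tcp from any to any out via "$EXT_IF" setup
    $IPFW add 420 allow udp from any to any 53 out via "$EXT_IF"
    $IPFW add 421 allow udp from any 53 to any in via "$EXT_IF"
    $IPFW add 430 allow icmp from any to any icmptypes 0,3,8,11

    # Inbound services offered to the Internet: ssh to the gateway only.
    $IPFW add 500 allow tcp from any to me 22 in via "$EXT_IF" setup

    # Last rule: drop and log, so the rule number appears in the log line.
    $IPFW add 65000 deny log ip from any to any
}

# Print the rule numbers in load order (dry run), to check that the
# ordering above is the one that ends up in the kernel.
rule_numbers() {
    ( IPFW="echo ipfw"; load_rules ) | while read -r cmd verb num rest; do
        [ "$verb" = "add" ] && echo "$num"
    done
}

# rc.d scripts are invoked with "start" at boot; anything else is a no-op
# so that sourcing or inspecting the file never touches the kernel.
case "${1:-}" in
    start)   load_rules ;;
    numbers) rule_numbers ;;
esac
```

Two practical notes. With a kernel that denies by default, the gap between `ipfw -f flush` and the first allow rule will drop an SSH session, so load a new ruleset from the console the first time. When something is blocked, `ipfw show` lists packet and byte counters per rule number, and each `deny log` hit is logged with its rule number, which is exactly what the explicit numbering buys you. The same `add ...` lines, without the `ipfw` prefix, are what a file named by firewall_type in rc.conf would contain.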
