7.0-B2 & IPFW/IP6FW interaction

Bob Johnson fbsdlists at gmail.com
Sat Nov 10 11:49:18 PST 2007 

I've been trying to learn about IPv6, using the 7.0 series as my
platform so it gets some exercise before release, and I've run into a
few odd interactions between IPFW handling of IPv4 and IPv6. The only
one I can reliably reproduce is pretty straightforward: if I set up
/etc/rc.conf to enable IPFW for both IPv4 and IPv6, both with the
CLIENT rule set, and edit /etc/rc.firewall and /etc/rc.firewall6
accordingly, only one ruleset gets loaded.

On my test system, the IPv6 ruleset is loaded first, and then when the
IPv4 ruleset is loaded, the flush command in rc.firewall removes all
of the IPv6 rules, so I end up with default deny for IPv6, plus all of
my normal IPv4 rules. It's possible that this interaction explains the
other oddities I thought I've seen but haven't reliably reproduced.

I fixed it by removing the flush commands from both rc.firewall and
rc.firewall6, but I expect this broke the proper operation of
"/etc/rc.d/ipfw restart" (although I haven't actually tested that. I
just manually flush the rules if I need to restart the firewall).

Am I running into this problem because 7.0 expects me to do something
differently, or is this actually a bug?  It appears the problem is in
the old config scripts (rc.firewall and rc.firewall6) that worked
properly when IPFW and IP6FW were independent, but now interact with
each other. It would probably make sense to integrate the two scripts
into a single rc.firewall script, but I haven't had time to take a
shot at that yet. If the load order is always the same, then of course
I can just remove the flush command from the second rule set and it
will solve the problem. Again, I haven't looked into that yet.

I've also noticed there are new rc.conf variables (e.g.
firewall_myservices, firewall_allowservices) that appear to be
intended to configure default rules for me, but I have not
investigated them. Perhaps I should?

In /etc/rc.conf the firewall statements I have are:

firewall_enable="YES"
firewall_logging="YES"
firewall_type="CLIENT"
ipv6_firewall_enable="YES"
ipv6_firewall_logging="YES"
ipv6_firewall_type="CLIENT"

and this is 7.0-BETA2

- Bob

More information about the freebsd-questions mailing list