IPFW at startup.

Grant Peel gpeel at thenetnow.com
Sun Nov 14 22:50:51 UTC 2010


Hi all,

I seem to have one server that does not flush the /etc/rc.firewall rules
when the script taken from "firewall_type" starts up. That is to say, when I
boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
list. Those three rules appear to be from the /etc/rc.firewall script. The
rules from my /etc/ipfw.rules file DO get loaded.

Here are the three rules (100, 200, and 300), from /etc/rc.firewall.

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

Here is my /etc/rc.conf setup:

firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/ipfw.rules"

Here is my /etc/ipfw.rules:

enterprise# more /etc/ipfw.rules
# Loopback
add 00001 allow ip from any to any via lo0
# Office and Home
add 00200 allow ip from xxx xxx xxx xxx xxx to any
add 00201 allow ip from any to xxx xxx xxx xxx
add 00202 allow all from xxx xxx xxx xxx to any
add 00203 allow all from any to xxx xxx xxx xxx
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
# email
add 04000 allow all from xxx xxx xxx xxx to any
add 04010 allow all from any to xxx xxx xxx xxx
add 04020 allow all from xxx xxx xxx xxx to any
add 04030 allow all from any to xxx xxx xxx xxx
add 04040 allow tcp from any to any 25,587
add 04050 allow tcp from any 25,587 to any
# Bruteblock
add 08000 deny ip from table(1) to me
add 08001 deny ip from me to table(1)
add 09050 allow udp from any to any 53 in
# Email Test
add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
add 65535 deny ip from any to any

Oddly enough, I have several machines that are set up identically and this is
the only one that has sticky rules from /etc/rc.firewall.

Anyone have any idea what knob might have been turned that causes the
sticky startup rules?

-Grant 
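As an added example (not part of Grant's post or of FreeBSD's rc.firewall), here is a small POSIX sh audit that compares the running ruleset, as printed by `ipfw -a list`, against the rules file that `firewall_type` points at, and reports every rule number that is live in the kernel but not declared in that file. That is exactly the check needed to confirm which of the loaded rules came from somewhere other than /etc/ipfw.rules. The `ipfw -a list` output and the rules file are constructed samples embedded in the script, so it runs without ipfw or root; the function names `strip_zeros`, `rule_numbers_in_file` and `rules_not_in_file` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an ipfw ruleset listing
# against the rules file named by firewall_type in rc.conf and report every
# rule number that is live in the kernel but not declared in that file.
# The ipfw output and the rules file below are constructed samples so the
# script runs without ipfw or root; swap in real data as shown at the bottom.

# Constructed sample of `ipfw -a list` output: rule number, packet counter,
# byte counter, then the rule body.
SAMPLE_LIST='00001      12      840 allow ip from any to any via lo0
00100       0        0 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00204    4411   912100 allow ip from any to any out
00300       0        0 deny ip from 127.0.0.0/8 to any
02000     100    10000 allow ip from any to any via fxp1
65535      31     2480 deny ip from any to any'

# Constructed sample rules file in the "add NNNNN ..." form of /etc/ipfw.rules.
SAMPLE_RULES='# Loopback
add 00001 allow ip from any to any via lo0
# Allow fxp0 out
add 00204 allow all from any to any out
# Allow local net
add 02000 allow ip from any to any via fxp1
add 65535 deny ip from any to any'

# strip_zeros NUM: normalise a zero-padded rule number (00100 -> 100) without
# shell arithmetic, which would read a leading 0 as octal in some shells.
strip_zeros() {
    n=$1
    while [ "${#n}" -gt 1 ]; do
        case $n in
            0*) n=${n#0} ;;
            *)  break ;;
        esac
    done
    printf '%s\n' "$n"
}

# rule_numbers_in_file CONTENT: print the normalised number of every
# "add NNN ..." line in a rules file, skipping comments and blank lines.
rule_numbers_in_file() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;
        esac
        set -- $line
        [ "$1" = add ] || continue
        strip_zeros "$2"
    done
}

# rules_not_in_file LISTING CONTENT: for each rule in the kernel listing whose
# number is absent from the rules file, print "NUMBER RULE-BODY". These are
# rules installed by something other than the file, such as rc.firewall's
# setup_loopback.
rules_not_in_file() {
    listing=$1
    known=$(rule_numbers_in_file "$2")
    printf '%s\n' "$listing" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        num=$(strip_zeros "$1")
        shift 3                      # drop number, packet and byte counters
        found=no
        for k in $known; do
            if [ "$k" = "$num" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then
            printf '%s %s\n' "$num" "$*"
        fi
    done
}

# Run against the constructed samples; on a real host use
#   rules_not_in_file "$(ipfw -a list)" "$(cat /etc/ipfw.rules)"
rules_not_in_file "$SAMPLE_LIST" "$SAMPLE_RULES"
```

On the sample data the script reports rules 100, 200 and 300, which match the bodies of the `setup_loopback` rules quoted above. Reading those three as written: 100 passes everything on lo0, duplicating the file's own rule 1, and 200/300 only ever see packets that did not match 100, so they drop packets carrying a 127.0.0.0/8 address on any interface other than lo0. Knowing that is what the extra rules do makes it easier to decide whether they need removing at all, independent of tracking down why this one host keeps them.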
