IPFW at startup.

Wojciech Puchar wojtek at tensor.gdynia.pl
Mon Nov 15 08:44:58 UTC 2010


simply edit /etc/rc.d/ipfw and make it do only what you want.

On Sun, 14 Nov 2010, Grant Peel wrote:

> Hi all,
>
> I seem to have one server that does not flush the /etc/rc.firewall rules when 
> the script taken from "firewall_type"  starts up. That is to say when I boot 
> the machine, 3 rules seem to be still in the list when I do an ipfw -a list. 
> Those three rules appear to be from the /etc/rc.firewall script. The rules 
> from my /etc/ipfw.rules file DO get loaded.
>
> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
>
> setup_loopback () {
>       ############
>       # Only in rare cases do you want to change these rules
>       #
>       ${fwcmd} add 100 pass all from any to any via lo0
>       ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>       ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Here is my /etc/rc.conf setup:
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/ipfw.rules"
>
> Here is my /etc/ipfw.rules:
>
> enterprise# more /etc/ipfw.rules
> # Loopback
> add 00001 allow ip from any to any via lo0
> # Office and Home
> add 00200 allow ip from xxx xxx xxx xxx xxx to any
> add 00201 allow ip from any to xxx xxx xxx xxx
> add 00202 allow all from xxx xxx xxx xxx to any
> add 00203 allow all from any to xxx xxx xxx xxx
> # Allow fxp0 out
> add 00204 allow all from any to any out
> # Allow local net
> add 02000 allow ip from any to any via fxp1
> # email
> add 04000 allow all from xxx xxx xxx xxx to any
> add 04010 allow all from any to xxx xxx xxx xxx
> add 04020 allow all from xxx xxx xxx xxx to any
> add 04030 allow all from any to xxx xxx xxx xxx
> add 04040 allow tcp from any to any 25,587
> add 04050 allow tcp from any 25,587 to any
> # Bruteblock
> add 08000 deny ip from table(1) to me
> add 08001 deny ip from me to table(1)
> add 09050 allow udp from any to any 53 in
> # Email Test
> add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
> add 65535 deny ip from any to any
>
> Oddly enough, I have several machines that are set up identically and this is the 
> only one that has sticky rules from /etc/rc.firewall.
>
> Any one have any idea what knob might have been turned that causes the sticky 
> startup rules?
>
> -Grant 
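A check for the situation described above, as an added example that is not part of the thread: it reads the rules file named in firewall_type together with the output of ipfw list and prints the rule numbers the running set carries that the file never declared. The file contents and the ipfw output below are constructed samples modelled on the ones in the thread; the rc.firewall loopback rules 100, 200 and 300 are what it should flag.

```sh
#!/bin/sh
# Added example, not from the thread: list the rule numbers that are present in
# a running ipfw ruleset but absent from the rules file named in firewall_type.
# Both inputs below are constructed samples shaped like the ones in the thread.

# Constructed stand-in for /etc/ipfw.rules ("add <number> <rule>" lines, comments allowed).
RULES_FILE_SAMPLE='# Loopback
add 00001 allow ip from any to any via lo0
# Allow local net
add 02000 allow ip from any to any via fxp1
add 65535 deny ip from any to any'

# Constructed stand-in for "ipfw list" output after boot: the three rc.firewall
# loopback rules (100, 200, 300) are present although the file never adds them.
IPFW_LIST_SAMPLE='00001 allow ip from any to any via lo0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
02000 allow ip from any to any via fxp1
65535 deny ip from any to any'

# unexpected_rules RULES_FILE_TEXT IPFW_LIST_TEXT
# Prints, one per line and in ruleset order, every rule number that the running
# list carries but the file does not declare. Leading zeros are ignored, so
# "00200" in the file matches "00200" or "200" in the list. Works on plain
# "ipfw list" and on "ipfw -a list" output, because the rule number is always
# the first field. Rules added without an explicit number cannot be matched.
unexpected_rules() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '--- RUNNING ---'   # separator between the two inputs
        printf '%s\n' "$2"
    } | awk '
        /^--- RUNNING ---$/ { running = 1; next }
        # First part: remember every rule number declared in the file.
        !running && $1 == "add" && $2 ~ /^[0-9]+$/ { declared[$2 + 0] = 1; next }
        # Second part: report running rules whose number the file never declared.
        running && $1 ~ /^[0-9]+$/ && !(($1 + 0) in declared) { print $1 + 0 }
    '
}

# Against the samples this prints 100, 200 and 300; on a live host replace the
# samples with "$(cat /etc/ipfw.rules)" and "$(ipfw list)".
unexpected_rules "$RULES_FILE_SAMPLE" "$IPFW_LIST_SAMPLE"
```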

