IPFW at startup.
Коньков Евгений
kes-kes at yandex.ru
Mon Nov 15 18:13:55 UTC 2010
Hello, Grant.
You wrote on 15 November 2010 at 0:50:47:
GP> Hi all,
GP> I seem to have one server that does not flush the /etc/rc.firewall rules
GP> when the script taken from "firewall_type" starts up. That is to say when I
GP> boot the machine, 3 rules seem to be still in the list when I do an ipfw -a
GP> list. Those three rules appear to be from the /etc/rc.firewall script. The
GP> rules from my /etc/ipfw.rules file DO get loaded.
GP> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
GP> setup_loopback () {
GP> ############
GP> # Only in rare cases do you want to change these rules
GP> #
GP> ${fwcmd} add 100 pass all from any to any via lo0
GP> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
GP> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
GP> Here is my /etc/rc.conf setup:
GP> firewall_enable="YES"
GP> firewall_logging="YES"
GP> firewall_type="/etc/ipfw.rules"
You need the "firewall_script" variable.
GP> Here is my /etc/ipfw.rules:
GP> enterprise# more /etc/ipfw.rules
GP> # Loopback
GP> add 00001 allow ip from any to any via lo0
GP> # Office and Home
GP> add 00200 allow ip from xxx xxx xxx xxx xxx to any
GP> add 00201 allow ip from any to xxx xxx xxx xxx
GP> add 00202 allow all from xxx xxx xxx xxx to any
GP> add 00203 allow all from any to xxx xxx xxx xxx
GP> # Allow fxp0 out
GP> add 00204 allow all from any to any out
GP> # Allow local net
GP> add 02000 allow ip from any to any via fxp1
GP> # email
GP> add 04000 allow all from xxx xxx xxx xxx to any
GP> add 04010 allow all from any to xxx xxx xxx xxx
GP> add 04020 allow all from xxx xxx xxx xxx to any
GP> add 04030 allow all from any to xxx xxx xxx xxx
GP> add 04040 allow tcp from any to any 25,587
GP> add 04050 allow tcp from any 25,587 to any
GP> # Bruteblock
GP> add 08000 deny ip from table(1) to me
GP> add 08001 deny ip from me to table(1)
GP> add 09050 allow udp from any to any 53 in
GP> # Email Test
GP> add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
GP> add 65535 deny ip from any to any
GP> Oddly enough, I have several machines that are set up identically and this is
GP> the only one that has sticky rules from /etc/rc.firewall.
GP> Any one have any idea what knob might have been turned that causes the
GP> sticky startup rules?
GP> -Grant
GP> _______________________________________________
GP> freebsd-questions at freebsd.org mailing list
GP> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
GP> To unsubscribe, send any mail to
GP> "freebsd-questions-unsubscribe at freebsd.org"
--
Best regards,
Коньков mailto:kes-kes at yandex.ru
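An added example that is not part of this thread and not Evgeny's or Grant's code: a POSIX sh script of the kind that would be pointed to by firewall_script instead of /etc/rc.firewall. It assumes /sbin/ipfw, a rules file of "add NNN ..." lines in the format Grant posted, and it includes a check (stray_rules) that compares the live "ipfw list" output against the rules file and prints every live rule whose number and body are not in the file, which is how the sticky 100/200/300 rules would show up. The sample rules file and listing inside demo() are constructed, with RFC 5737 addresses in place of the xxx entries; they are not Grant's real rule set.

```shell
#!/bin/sh
# Hypothetical firewall_script for rc.conf (added example, not from the thread):
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.sh"
# With firewall_script set, rc.d/ipfw runs this file instead of /etc/rc.firewall,
# so rc.firewall's setup_loopback rules (100, 200, 300) are never installed.

RULES="${RULES:-/etc/ipfw.rules}"   # assumed path; file of "add NNN ..." lines

# Flush everything, then let ipfw read the rules file. Needs root and ipfw;
# not invoked by demo() below.
load_rules() {
    /sbin/ipfw -q -f flush
    /sbin/ipfw -q "$1"
}

# Detection check: read "ipfw list" (or "ipfw -a list") output on stdin and
# print every rule whose number+body is not declared in the rules file ($1).
# Bodies are normalised the way ipfw prints them (pass->allow, all->ip), so
# the comparison does not trip over cosmetic differences. Rules that share a
# number with a file rule but have a different body (the 127/8 deny at 200)
# are still reported, because the body is part of the key.
stray_rules() {
    awk -v rules="$1" '
        function norm(s) {
            s = tolower(s)
            gsub(/[[:space:]]+/, " ", s)
            sub(/^ /, "", s); sub(/ $/, "", s)
            sub(/^(pass|accept|permit) /, "allow ", s)
            sub(/^drop /, "deny ", s)
            sub(/ all /, " ip ", s)
            return s
        }
        BEGIN {
            # Collect "number body" keys from the rules file.
            while ((getline line < rules) > 0) {
                if (line ~ /^[[:space:]]*add[[:space:]]+[0-9]+[[:space:]]+/) {
                    num = line; sub(/^[[:space:]]*add[[:space:]]+/, "", num)
                    body = num; sub(/^[0-9]+[[:space:]]+/, "", body)
                    sub(/[[:space:]].*$/, "", num)
                    known[(num + 0) " " norm(body)] = 1
                }
            }
            close(rules)
        }
        /^[0-9]+/ {
            n = $1 + 0
            i = 2
            while (i <= NF && $i ~ /^[0-9]+$/) i++   # skip "-a" packet/byte counters
            body = ""
            for (j = i; j <= NF; j++) body = body (j > i ? " " : "") $j
            key = n " " norm(body)
            if (!(key in known) && !(key in seen)) { seen[key] = 1; print $1, body }
        }
    '
}

# Constructed sample: an abbreviated rules file and a live listing in which the
# three rc.firewall loopback rules are present alongside the file's own rules.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# Loopback
add 00001 allow ip from any to any via lo0
# Office (constructed address)
add 00200 allow all from 192.0.2.10 to any
add 02000 allow ip from any to any via fxp1
add 65535 deny ip from any to any
EOF
    printf '%s\n' \
        '00001 allow ip from any to any via lo0' \
        '00100 allow ip from any to any via lo0' \
        '00200 allow ip from 192.0.2.10 to any' \
        '00200 deny ip from any to 127.0.0.0/8' \
        '00300 deny ip from 127.0.0.0/8 to any' \
        '02000 allow ip from any to any via fxp1' \
        '65535 deny ip from any to any' \
    | stray_rules "$tmp"
    rm -f "$tmp"
}
```

On a real host the check is "ipfw list | stray_rules /etc/ipfw.rules" after boot; an empty result means every live rule came from the file. Note that the file's own rule 200 and rc.firewall's rule 200 coexist under the same number, so comparing numbers alone would miss one of the stray rules; that is why the body is included in the key.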