IPFW at startup.

Dave Robison daver at vicor.com
Mon Nov 15 18:53:02 UTC 2010


I haven't seen anyone use "firewall_type" as a path to the config file. 
If you check the default rc.firewall file, you will see several types of 
default firewall settings, such as "open" and "closed". You want to set 
"firewall_type" in rc.conf to be "open" or whatever your firewall type 
is in /etc/rc.firewall.

You can probably get away with editing your existing rc.firewall to 
include a firewall type, such as "custom", then defining firewall_type 
as "custom" in /etc/rc.conf.

Enjoy,


On 11/14/10 14:50, Grant Peel wrote:
> Hi all,
>
> I seem to have one server that does not flush the /etc/rc.firewall 
> rules when the script taken from "firewall_type" starts up. That is 
> to say when I boot the machine, 3 rules seem to be still in the list 
> when I do an ipfw -a list. Those three rules appear to be from the 
> /etc/rc.firewall script. The rules from my /etc/ipfw.rules file DO get 
> loaded.
>
> Here are the three rules (100, 200, and 300), from /etc/rc.firewall.
>
> setup_loopback () {
>        ############
>        # Only in rare cases do you want to change these rules
>        #
>        ${fwcmd} add 100 pass all from any to any via lo0
>        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> Here is my /etc/rc.conf setup:
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/ipfw.rules"
>
> Here is my /etc/ipfw.rules:
>
> enterprise# more /etc/ipfw.rules
> # Loopback
> add 00001 allow ip from any to any via lo0
> # Office and Home
> add 00200 allow ip from xxx xxx xxx xxx xxx to any
> add 00201 allow ip from any to xxx xxx xxx xxx
> add 00202 allow all from xxx xxx xxx xxx to any
> add 00203 allow all from any to xxx xxx xxx xxx
> # Allow fxp0 out
> add 00204 allow all from any to any out
> # Allow local net
> add 02000 allow ip from any to any via fxp1
> # email
> add 04000 allow all from xxx xxx xxx xxx to any
> add 04010 allow all from any to xxx xxx xxx xxx
> add 04020 allow all from xxx xxx xxx xxx to any
> add 04030 allow all from any to xxx xxx xxx xxx
> add 04040 allow tcp from any to any 25,587
> add 04050 allow tcp from any 25,587 to any
> # Bruteblock
> add 08000 deny ip from table(1) to me
> add 08001 deny ip from me to table(1)
> add 09050 allow udp from any to any 53 in
> # Email Test
> add 09100 allow icmp from any to any icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
> add 65535 deny ip from any to any
>
> Oddly enough, I have several machines that are set up identically and this 
> is the only one that has sticky rules from /etc/rc.firewall.
>
> Anyone have any idea what knob might have been turned that causes the 
> sticky startup rules?
>
> -Grant
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>

-- 
Dave Robison
Sales Solution Architect II
FIS Banking Solutions
510/621-2089 (w)
530/518-5194 (c)
510/621-2020 (f)
daver at vicor.com

This message contains confidential and proprietary information
of the sender, and is intended only for the person(s) to whom
it is addressed. Any use, distribution, copying or disclosure
by any other person is strictly prohibited. If you have
received this message in error, please notify the e-mail sender
immediately, and delete the original message without making a
copy.


_____________

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
_____________
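Dave's suggestion as a concrete fragment. This is an added example, not text from the thread and not a copy of FreeBSD's stock /etc/rc.firewall: a "custom" entry spliced into the script's `case ${firewall_type} in ... esac` block, paired with `firewall_type="custom"` in /etc/rc.conf. The case-pattern spelling and the splice point are assumptions about the local rc.firewall; `${fwcmd}` is the ipfw command variable the script already uses (visible in the quoted setup_loopback function), and the ruleset path is Grant's /etc/ipfw.rules.

```shell
# /etc/rc.firewall: add inside the existing "case ${firewall_type} in ... esac"
# (assumed location; pattern spelled like the stock entries such as
# [Oo][Pp][Ee][Nn], so "custom", "CUSTOM" and "Custom" all match)
[Cc][Uu][Ss][Tt][Oo][Mm])
	# Feed the site ruleset to ipfw as a command file: every line in
	# /etc/ipfw.rules is already an "add NNNNN ..." ipfw command.
	if [ -r /etc/ipfw.rules ]; then
		${fwcmd} /etc/ipfw.rules
	else
		echo "custom firewall type selected but /etc/ipfw.rules is missing" >&2
	fi
	;;

# /etc/rc.conf
firewall_enable="YES"
firewall_logging="YES"
firewall_type="custom"
```

After a reboot (or `/etc/rc.d/ipfw restart`), compare `ipfw list` against the file; anything the file does not declare was put there by rc.firewall itself, not by the custom entry.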


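The check Grant did by eye (spotting rules 100, 200 and 300 that /etc/ipfw.rules never declared) as a script. This is an added example, not from the thread: it reads the rule numbers declared by `add NNNNN ...` lines in the ruleset file, reads `ipfw list` or `ipfw -a list` output on stdin, and prints every loaded rule the file does not account for. A number counts as declared only as many times as the file declares it, so a collision like the thread's two different rules both numbered 200 (rc.firewall's `deny all from any to 127.0.0.0/8` and Grant's `allow ip from xxx to any`) is reported rather than hidden. The sample rules file and sample `ipfw -a list` output are constructed for the demo; the script name and function names are mine.

```shell
#!/bin/sh
# ipfw_audit.sh (added example, not from the thread): report rules in the
# running ipfw ruleset that the rules file named in firewall_type does not
# declare. Rules that rc.firewall inserted on its own, such as the 100/200/300
# loopback rules from setup_loopback, show up here, as do rule-number
# collisions (more rules loaded under one number than the file declares).

# unexpected_rules RULESFILE
#   stdin:  output of `ipfw list` or `ipfw -a list`
#   stdout: loaded rules not covered by the file, sorted by rule number
unexpected_rules() {
    awk -v rules="$1" '
        BEGIN {
            # Count "add NNNNN ..." lines per rule number; "+ 0" makes
            # 00200 and 200 the same key. Default field splitting ignores
            # leading whitespace, so indented lines are fine.
            while ((getline line < rules) > 0) {
                n = split(line, f)
                if (n >= 2 && f[1] == "add" && f[2] ~ /^[0-9]+$/)
                    declared[f[2] + 0]++
            }
            close(rules)
            # 65535 is the kernel default rule and is always listed.
            declared[65535]++
        }
        # Every ipfw list line starts with the rule number; with -a the
        # packet and byte counters follow and are simply carried along.
        /^[0-9]+/ {
            num = $1 + 0
            loaded[num]++
            lines[num] = lines[num] $0 "\n"
        }
        END {
            for (num in loaded)
                if (loaded[num] > declared[num])
                    printf "%s", lines[num]
        }' | sort -n
}

# Constructed sample data (not from the thread): a rules file declaring
# 1, 200 and 65535, and an `ipfw -a list` in which rc.firewall's loopback
# rules 100, 200 and 300 survived the flush.
SAMPLE_RULES='# Loopback
add 00001 allow ip from any to any via lo0
# Office
add 00200 allow ip from 192.0.2.10 to any
add 65535 deny ip from any to any'

SAMPLE_LIST='00001      10      800 allow ip from any to any via lo0
00100       0        0 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00200       5      400 allow ip from 192.0.2.10 to any
00300       0        0 deny ip from 127.0.0.0/8 to any
65535      12      900 deny ip from any to any'

# audit_sample: run the check on the constructed data. Prints 4 lines
# (100, both rules numbered 200, and 300); 1 and 65535 are not reported.
audit_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    printf '%s\n' "$SAMPLE_LIST" | unexpected_rules "$tmp"
    rm -f "$tmp"
}

# Real use:   ipfw -a list | sh ipfw_audit.sh /etc/ipfw.rules
if [ $# -gt 0 ]; then
    unexpected_rules "$1"
else
    audit_sample
fi
```

Run it right after boot on the affected machine and on one of the identical machines that behaves; the difference in output is the list of rules that rc.firewall added on its own before (or instead of) loading the file.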