IPFW at startup.

Ian Smith smithi at nimnet.asn.au
Tue Nov 16 02:52:10 UTC 2010


In freebsd-questions Digest, Vol 337, Issue 2, Message: 26
On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison <daver at vicor.com> wrote:

 > I haven't seen someone use "firewall_type" as a path to the config file. 

It's not so uncommon.  Anyone who's based their ruleset on the handbook 
section on IPFW will likely be using this method, and Grant has used it 
correctly.  This is only applicable where $firewall_script is set to 
'/etc/rc.firewall', but that is the default in /etc/defaults/rc.conf

 > If you check the default rc.firewall file, you will see several types of 
 > default firewall settings, such as "open" and "closed". You want to set 
 > "firewall_type" in rc.conf to be "open" or whatever your firewall type 
 > is in /etc/rc.firewall.

Please note the last section in rc.firewall, which specifically tests 
whether $firewall_type is a readable file, and if so, passes that file 
as an argument to ipfw(8) (qv).

*)
        if [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
esac

Also note that in this case, the file is not a shell script, but a set 
of arguments to the ipfw command.  Grant's set is in the correct format.

 > You can probably get away with editing your existing rc.firewall to 
 > include a firewall type, such as "custom", then defining firewall_type 
 > as "custom" in /etc/rc.conf.

You could, but it's not necessary.  In the olden days you more or less 
had to do that, but nowadays you can specify parameters for the client, 
simple and workstation types, so you can get a minimal reasonably safe 
and effective firewall going, at least for starters, just using rc.conf 
variables.  This also means you can avoid messing with rc.firewall, so 
that system updates will properly bring in any changes and additions.

The documentation for this is so far really only in /etc/rc.firewall 
itself and in /etc/defaults/rc.conf .. perhaps one day $someone will 
re-write the Handbook IPFW section; meanwhile ipfw(8) is definitive.

You can also start out using one of the builtin types, then save it to a 
file with 'ipfw list >file', then modify things in there, add comments 
etc, then specify that file as firewall_type henceforth.  Or, as Chuck 
has shown, you can get really fancy and use some preprocessor :)

cheers, Ian

PS: Please don't top-post on FreeBSD lists, and if at all possible avoid 
posting multiple disclaimers, that are in any case entirely inapplicable 
to public list postings.
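A way to check a firewall_type rules file before pointing rc.conf at it, as an added example that is not code from this post or from FreeBSD's rc.firewall: it mirrors the rc.firewall dispatch quoted above (builtin name, readable file, or nothing) and lints the file in the one-ipfw-command-per-line form rc.firewall hands to ipfw(8). It assumes fwcmd=/sbin/ipfw, an empty firewall_flags, and a conservative subset of ipfw command words; the sample rules file is constructed.

```shell
#!/bin/sh
# Added example, not code from the list post or from FreeBSD's rc.firewall.
# Dry-runs the dispatch /etc/rc.firewall performs on $firewall_type and lints
# a rules file in the form rc.firewall hands to ipfw(8): one ipfw command per
# line, '#' comments allowed. Assumes fwcmd=/sbin/ipfw, empty firewall_flags.
fwcmd="/sbin/ipfw"
firewall_flags=""

# Same outcomes as the rc.firewall case statement: builtin type name, readable
# file handed to ipfw, or nothing. Prints what it would do; never runs ipfw.
dispatch_firewall_type() {
    case "$1" in
    [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|\
    [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn]|[Cc][Ll][Oo][Ss][Ee][Dd])
        echo "builtin $1" ;;
    *)
        if [ -r "$1" ]; then
            echo "$fwcmd${firewall_flags:+ $firewall_flags} $1"
        else
            echo "no ruleset loaded"
        fi ;;
    esac
}

# Lint: drop comments and blank lines, require each remaining line to begin
# with an ipfw command word (the file is not a shell script, and a line pasted
# straight from 'ipfw list', which starts with a rule number rather than a
# command, would fail). Prints the accepted-line count; returns 1 on error.
lint_ipfw_file() {
    _f=$1; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                 # strip a trailing '#' comment
        set -- $_line                      # split into words; $1 is the verb
        [ $# -eq 0 ] && continue           # blank or comment-only line
        case "$1" in
        add|delete|pipe|queue|nat|table|set|enable|disable) _n=$((_n + 1)) ;;
        *) echo "bad line: $_line" >&2; echo "$_n"; return 1 ;;
        esac
    done < "$_f"
    echo "$_n"
}

# Constructed sample rules file (assumed content); prints its path.
make_sample_rules() {
    _tmp=$(mktemp) || return 1
    cat > "$_tmp" <<'EOF'
# loaded at boot via firewall_type="/etc/ipfw.rules" in rc.conf (assumed path)
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established   # keep existing sessions
add 65000 deny log ip from any to any
EOF
    echo "$_tmp"
}
```

On the FreeBSD host itself, 'ipfw -n /path/to/file' is the real syntax check: it parses the commands without passing them to the kernel.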

