/etc/rc.d/ipfw can't deal with firewall_type?

Tue May 3 17:47:05 UTC 2011

On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > Hi all,
 > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
 > all packets could not over nat box. I've researched and found
 > /etc/rc.firewall does not recieve argument of firewall_type. So ipfw does
 > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
 > incorrect. I think an patch below should be applyed to /etc/rc.d/ipfw. Is
 > there any problem to do this?

Yes.  Assuming using the default firewall_script="/etc/rc.firewall", 
then as it says early in /etc/rc.firewall, you just needed to:

	# Define the firewall type in /etc/rc.conf.  Valid values are:
	[..]

Sure, /etc/rc.firewall can set firewall_type to a parameter if you pass 
it one, but otherwise uses whatever $firewall_type is set to when you 
start ipfw.  I guess the code below allows you to use syntax like:

 # /etc/rc.d/ipfw start client

to override the $firewall_type set in /etc/rc.conf, but it's not the 
common usage, nor is it how ipfw is started normally by rc.

So just set firewall_type in rc.conf and you should be fine .. unless 
you meant that you're trying to run ipfw & natd INSIDE a jail?

cheers, Ian

 > --- /etc/rc.d/ipfw.org	2011-05-03 18:19:28.000000000 +0900
 > +++ /etc/rc.d/ipfw	2011-05-03 22:08:14.000000000 +0900
 > @@ -35,15 +35,11 @@
 >  
 >  ipfw_start()
 >  {
 > -	local   _firewall_type
 > -
 > -	_firewall_type=$1
 > -
 >  	# set the firewall rules script if none was specified
 >  	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
 >  
 >  	if [ -r "${firewall_script}" ]; then
 > -		/bin/sh "${firewall_script}" "${_firewall_type}"
 > +		/bin/sh "${firewall_script}" "${firewall_type}"
 >  		echo 'Firewall rules loaded.'
 >  	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
 >  		echo 'Warning: kernel has firewall functionality, but' \