RE: IPFW custom rules file not loading
You did not follow the handbook instructions closely enough. Your rc.conf statements are not correct. Use the ones from the handbook just like they are printed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nicholas Henry
Sent: Tuesday, May 03, 2005 3:18 PM
To: freebsd-questions@freebsd.org
Subject: IPFW custom rules file not loading

FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004

I'm a new BSD user installing the OS for the first time. Everything is running well except the firewall. IPFW is not loading the custom rule set I have created at startup/boot (although it does say it has, but when I "ipfw list" it only gives me the one default rule). I assume it is related to this area that I received on the console:

May 3 14:25:22 babe kernel: firewall_enable: not found
May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based forwarding dis$
May 3 14:25:22 babe kernel: Flushed all rules.
May 3 14:25:22 babe kernel: Line 3:
May 3 14:25:22 babe kernel: bad command `ipfw'
May 3 14:25:22 babe kernel:
May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
May 3 14:25:22 babe kernel: firewall_enable: not found
May 3 14:25:22 babe kernel: .
May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
May 3 14:25:22 babe kernel: 1
May 3 14:25:22 babe kernel: ->
May 3 14:25:22 babe kernel: 1

I'm referring to the "bad command `ipfw'" line. I'm also concerned about the "firewall_enable: not found" message. I have included the relevant rc.conf setting and the custom rules file (based on the ruleset from the handbook). I'm currently setting up a firewall for this machine that is connected to a D-Link router.

My questions are:

Why am I getting the bad command msg?
Do I need to be concerned about the "firewall_enable: not found" message?

Any help would be much appreciated, thank you.
** start rc.conf snippet **
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging="NO"
firewall_flags=""
** end rc.conf snippet **

** start ipfw.rules **

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 801"
pif="fxp0"   # found by doing an ifconfig or netstat -nr
             # public interface name of NIC
#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
# $cmd 005 allow all from any to any via xl0
# don't have a separate interface so won't worry about this
#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0
#
# check if packet is inbound and nat address if it is
#
# $cmd 014 divert natd ip from any to any in via $pif
#
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#
$cmd 015 check-state
#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 24.153.22.67 53 out via $pif setup keep-state
$cmd 020 $skip tcp from any to 24.153.22.66 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This is for the internal router
$cmd 030 $skip udp from any to 198.168.1.1 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 8989 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $sk
Re: IPFW custom rules file not loading
On 2005-05-03 15:18, Nicholas Henry <[EMAIL PROTECTED]> wrote:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: ipfw2 initialized, divert disabled, rule-based
> forwarding dis$
> May 3 14:25:22 babe kernel: Flushed all rules.
> May 3 14:25:22 babe kernel: Line 3:
> May 3 14:25:22 babe kernel: bad command `ipfw'
> May 3 14:25:22 babe kernel:
> May 3 14:25:22 babe kernel: Firewall rules loaded, starting divert daemons:
> May 3 14:25:22 babe kernel: firewall_enable: not found
> May 3 14:25:22 babe kernel: .
> May 3 14:25:22 babe kernel: net.inet.ip.fw.enable:
> May 3 14:25:22 babe kernel: 1
> May 3 14:25:22 babe kernel: ->
> May 3 14:25:22 babe kernel: 1
>
> I'm referring to the "bad command 'ipfw'" line. I'm also concerned
> about the "firewall_enable" not found message.

It's normal. You're using firewall_type and yet you have written a firewall _script_ in /etc/ipfw.rules.

> ** start rc.conf snippet **
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="NO"
> firewall_flags=""
> ** end rc.conf snippet **

Your firewall_type points to a pathname, so the file should contain rules in the form:

    check-state
    add allow tcp from any to any 80 keep-state
    add block ip from any to any

> ** start ipfw.rules **
>
> #!/bin/sh
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 801"
> pif="fxp0"   # found by doing an ifconfig or netstat -nr
>              # public interface name of NIC

Your ipfw.rules file is written in the form of a firewall_script. The difference between the two is small but important. A firewall_type file contains just a set of rules that ipfw(8) will parse, without intervention by a shell. A firewall_script is executed by the /bin/sh shell, as a normal shell script.
One example of what can be used as a firewall_script is /etc/rc.firewall (in pre-5.X versions) or /etc/rc.d/ipfw (in FreeBSD 5.X or later).

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
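The firewall_type versus firewall_script distinction drawn in the reply above, as an added example that is not part of the original thread: a small POSIX sh script that renders a firewall_script such as the OP's into the flat form a firewall_type file must have, by running it with a shim named ipfw that prints its arguments instead of talking to the kernel, and then lints a candidate firewall_type file for the things ipfw(8) rejects, reproducing the "Line 3: bad command `ipfw'" diagnostic from the OP's console. The sample script embedded below is a constructed, shortened copy of the OP's rules (fxp0 as the public interface, as in the post); the availability of mktemp and /bin/sh, the list of ipfw top-level command words, and the rendered output are assumptions of this example, not something the thread printed.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): render an
# ipfw firewall_script into the flat form a firewall_type file must have, and
# lint a candidate firewall_type file for the mistakes ipfw(8) rejects.
# Assumptions: /bin/sh and mktemp exist; the sample below is a constructed,
# shortened version of the OP's /etc/ipfw.rules (fxp0 as in the post).

# Constructed sample in the OP's firewall_script style: shell variables, and
# every rule spelled as a complete "ipfw ..." command line.
SAMPLE_SCRIPT='#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 801"
pif="fxp0"
$cmd 010 allow all from any to any via lo0
$cmd 015 check-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
'

# render_rules SCRIPT_TEXT
# Runs the script under /bin/sh with a shim named "ipfw" first on PATH.  The
# shim never touches the kernel: it drops option flags and prints the remaining
# words, so each output line is one ipfw(8) command exactly as a firewall_type
# file lists it ("add 010 allow ...").  "flush" is dropped because
# /etc/rc.firewall already runs "${fwcmd} -f flush" before loading the file.
render_rules() {
    rr_dir=$(mktemp -d) || return 1
    cat > "$rr_dir/ipfw" <<'EOF'
#!/bin/sh
while [ $# -gt 0 ]; do
    case "$1" in
        -*) shift ;;      # -q, -f, ...: options, not rule words
        *)  break ;;
    esac
done
[ "$1" = flush ] && exit 0
printf '%s\n' "$*"
EOF
    chmod +x "$rr_dir/ipfw"
    printf '%s' "$1" | PATH="$rr_dir:$PATH" /bin/sh
    rr_rc=$?
    rm -rf "$rr_dir"
    return $rr_rc
}

# lint_type_file FILE
# Reads FILE the way ipfw(8) reads a firewall_type file: blank lines and
# "#" comments are skipped, and the first word of every other line must be a
# top-level ipfw command (no "ipfw" prefix, no shell, no variables).  Prints one
# diagnostic per offending line and returns 1 if any were found.  The command
# list is an assumption; the exact set varies by FreeBSD release.
lint_type_file() {
    lint_file=$1
    lint_bad=0
    lint_n=0
    while read -r lint_line || [ -n "$lint_line" ]; do
        lint_n=$((lint_n + 1))
        case "$lint_line" in
            ''|'#'*) continue ;;
        esac
        lint_word=${lint_line%% *}
        case "$lint_word" in
            add|delete|flush|list|show|zero|resetlog|enable|disable|set|table|pipe|queue|nat) ;;
            *)
                printf "Line %d: bad command \`%s'\n" "$lint_n" "$lint_word"
                lint_bad=1 ;;
        esac
        case "$lint_line" in
            *'$'*)
                printf 'Line %d: unexpanded shell variable in: %s\n' "$lint_n" "$lint_line"
                lint_bad=1 ;;
        esac
    done < "$lint_file"
    return $lint_bad
}

# Stand-alone demo: print the flat rules, then show what ipfw(8) would reject
# if the script form were handed to it as a firewall_type file.
render_rules "$SAMPLE_SCRIPT"
demo_file=$(mktemp) && printf '%s' "$SAMPLE_SCRIPT" > "$demo_file"
lint_type_file "$demo_file" || echo "script form rejected, as expected"
rm -f "$demo_file"
```

With the rendered lines saved as /etc/ipfw.rules, rc.conf needs only firewall_enable="YES" and firewall_type="/etc/ipfw.rules"; the firewall_script line pointing at /etc/rc.firewall can go, since that is its default. To keep the shell-script form instead, set firewall_script="/etc/ipfw.rules" and drop firewall_type, so /bin/sh expands $cmd, $skip and $pif before ipfw ever sees the rules. Either way, the lint function run against the file you intend to hand to ipfw(8) catches the mix-up before the next reboot does.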