Hi all:

I have a strange problem with rc.conf. I set up ipfw (compiled into the kernel) on freebsd-5.4 and it doesn't seem to load the ipfw rulesets (it uses the default ruleset 65335, locking out everything). I have to do "sh /etc/ipfw.rules" in order to load the rulesets; once I did that, I can access the box from remote locations.

Here is my rc.conf:

host# more /etc/rc.conf
network_interfaces="lo0 em0 dc0 rl0 plip0"
kern_securelevel="2"
kern_securelevel_enable="YES"
linux_enable="YES"
named_enable="YES"
nisdomainname="NO"
sshd_enable="YES"
usbd_enable="YES"
hostname="sis"
tcp_keepalive="YES"
tcp_extensions="YES"
ifconfig_em0="inet 192.168.128.222/24"
ifconfig_dc0="inet 192.168.1.4/24"
ifconfig_rl0="inet 10.10.75.126/24"
defaultrouter="192.168.128.1"
static_routes="net1 net2"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
mpd_enable="YES"

Also my customized kernel (partial):

options IPFIREWALL                    #firewall
options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10   #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD            #packet destination changes
options IPFIREWALL_FORWARD_EXTENDED   #all packet dest changes
options IPDIVERT                      #divert sockets

TIA

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--- gahn <ipfreak@yahoo.com> wrote:
> 65335 locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets, once I
> did that, I can access the box from remote locations

Hmm...

It helped me to look at /etc/rc.firewall... There are some comments that might give you the right hints...

Maybe firewall_enable should be YES?

E.g. my /etc/rc.firewall.bartely file cannot be executed with sh... But maybe I still did not understand ipfw...

My /etc/rc.firewall.bartely contains rules like:
add pass log all from any to 47.11.42.42
add deny log all from any to any

And in rc.conf my firewall_type=/etc/rc.firewall.bartleby

And I use the default firewall_script=/etc/rc.firewall

-Arne
On 1/26/06, gahn <ipfreak@yahoo.com> wrote:
> I have a strange problem with rc.conf. I set up ipfw
> (compiled into the kernel) on freebsd-5.4 and it doesn't
> seem to load the ipfw rulesets (it uses the default ruleset
> 65335, locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets; once I
> did that, I can access the box from remote locations
> ...
> firewall_script="/etc/ipfw.rules"
> firewall_type="simple"

firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

Delete firewall_script="/etc/ipfw.rules"; the default rc.conf already has the correct value for what you're trying to do.
Thanks for the comments.

My real problem is that the rc.conf just won't load the rulesets when the system reboots. I have to do this every time the system reboots: "sh /etc/ipfw.rules"

--- Oxygenshell <admin@oxygenshell.com> wrote:
> ipfw rules automatically default to deny
> You have to explicitly tell it to allow by default.
> (kernel setting)
>
> ----- Original Message -----
> From: "Arne Woerner" <arne_woerner@yahoo.com>
> To: "gahn" <ipfreak@yahoo.com>; "freebsd security" <freebsd-security@freebsd.org>; "freebsd general questions" <freebsd-questions@freebsd.org>
> Sent: Thursday, January 26, 2006 7:03 PM
> Subject: Re: strange problem with ipfw and rc.conf
>
> > --- gahn <ipfreak@yahoo.com> wrote:
> >> 65335 locking out everything). I have to do "sh
> >> /etc/ipfw.rules" in order to load the rulesets, once I
> >> did that, I can access the box from remote locations
> >
> > Hmm...
> >
> > It helped me to look at /etc/rc.firewall... There are some
> > comments that might give you the right hints...
> >
> > Maybe firewall_enable should be YES?
> >
> > E.g. my /etc/rc.firewall.bartely file cannot be executed with
> > sh... But maybe I still did not understand ipfw...
> >
> > My /etc/rc.firewall.bartely contains rules like:
> > add pass log all from any to 47.11.42.42
> > add deny log all from any to any
> >
> > And in rc.conf my firewall_type=/etc/rc.firewall.bartleby
> >
> > And I use the default firewall_script=/etc/rc.firewall
> >
> > -Arne
--- gahn <ipfreak@yahoo.com> wrote:
> Thanks for the comments.
>
> My real problem is that the rc.conf just won't load the
> rulesets when the system reboots. I have to do this
> every time the system reboots: "sh /etc/ipfw.rules"

Could you just try firewall_enable=YES in your /etc/rc.conf please?

Remember: the kernel options do not change /etc/default/rc.conf...

-Arne
gahn wrote:
> Hi all:
>
> I have a strange problem with rc.conf. I set up ipfw
> (compiled into the kernel) on freebsd-5.4 and it doesn't
> seem to load the ipfw rulesets (it uses the default ruleset
> 65335, locking out everything). I have to do "sh
> /etc/ipfw.rules" in order to load the rulesets; once I
> did that, I can access the box from remote locations
>
> [...]
> ipfilter_rules="/etc/ipf.rules"

Hi,

Your rc.conf looks for ipf.rules instead of ipfw.rules files. Adding the missing "w" may solve your problem.

Mikhail.

--
Mikhail Goriachev
Systems Administrator
Naval Radio
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@navalradio.cl
Web: http://www.navalradio.cl
PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B
Hi ipfreak,

Meditate on this :)

1. Why securelevel = 2, and what does it do?
   kern_securelevel="2"
   kern_securelevel_enable="YES"

2. Does ipfw.rules have a "simple" section? Does firewall_enable="YES" figure in the rc.conf file?
   firewall_script="/etc/ipfw.rules"
   firewall_type="simple"
   firewall_quiet="YES"

3. If you wish to work with a firewall (ipfw), why is ipfilter on?
   ipfilter_enable="YES"
   ipfilter_rules="/etc/ipf.rules"

If you answer these questions yourself, you will find the real solution!

Sorry for my terrible English!
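A check for the rc.conf settings the replies in this thread point at (firewall_enable missing, firewall_type naming a rules file, and ipfilter_enable set alongside ipfw), as an added example that is not part of the original thread and not FreeBSD's own rc scripts. It assumes an rc.conf made of plain VAR="value" lines like the one posted; the two sample rc.conf fragments and the rules file are constructed inline for illustration, with the rules taken from Arne's message.

```shell
#!/bin/sh
# Added example, not from the original thread or FreeBSD's rc scripts:
# read an rc.conf-style file and report whether ipfw rules would be loaded
# at boot. Assumes plain VAR="value" lines; comments and blank lines are ignored.

# rc_get FILE VAR: print VAR's value with surrounding quotes stripped.
# The last assignment wins, as it would when sh sources the file.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: the truth test rc.subr applies to *_enable knobs
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ipfw_boot_status FILE: prints ENABLED or DISABLED. Without
# firewall_enable=YES, rc never runs firewall_script at boot, whatever
# firewall_script and firewall_type say, so the kernel's default rule applies.
ipfw_boot_status() {
    if is_yes "$(rc_get "$1" firewall_enable)"; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# firewall_check FILE: print one finding per line; return 1 if any finding.
firewall_check() {
    rc=0
    if ! is_yes "$(rc_get "$1" firewall_enable)"; then
        echo "firewall_enable is not YES: firewall_script is never run at boot"
        rc=1
    fi
    if is_yes "$(rc_get "$1" ipfilter_enable)" && [ -n "$(rc_get "$1" firewall_script)$(rc_get "$1" firewall_type)" ]; then
        echo "ipfilter_enable=YES while ipfw is configured: two packet filters in the path"
        rc=1
    fi
    # firewall_type may be a keyword (simple, open, ...) or an absolute path to a rules file
    t=$(rc_get "$1" firewall_type)
    case "$t" in
        /*) [ -f "$t" ] || { echo "firewall_type names a missing rules file: $t"; rc=1; } ;;
    esac
    return $rc
}

# Constructed samples (not real hosts): the firewall lines as posted, and the
# same file with the fix suggested in the replies. The rules file holds the
# two example rules from Arne's message.
SAMPLE_RULES=$(mktemp)
printf 'add pass log all from any to 47.11.42.42\nadd deny log all from any to any\n' > "$SAMPLE_RULES"

SAMPLE_AS_POSTED=$(mktemp)
cat > "$SAMPLE_AS_POSTED" <<'EOF'
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
firewall_quiet="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
EOF

SAMPLE_FIXED=$(mktemp)
printf 'firewall_enable="YES"\nfirewall_type="%s"\nfirewall_quiet="YES"\n' "$SAMPLE_RULES" > "$SAMPLE_FIXED"

# Usage: run the check over both samples
for f in "$SAMPLE_AS_POSTED" "$SAMPLE_FIXED"; do
    echo "== $f: ipfw at boot $(ipfw_boot_status "$f")"
    firewall_check "$f" || true
done
```

Running it prints DISABLED with two findings for the fragment as posted and ENABLED with no findings for the fixed one; point it at a real /etc/rc.conf by replacing the sample paths.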