Re: IPFW compiled in kernel: Where is it reading the config?

---

• From: "W. D." <WD@xxxxxxxxxxxxxxxxx>
• Date: Thu, 13 Dec 2007 12:39:44 -0600

---

At 05:00 12/13/2007, Gary Palmer wrote:

The config file locaton that I specify in rc.conf doesn't
appear to be being used:

firewall_script="/usr/local/etc/ipfw.rules"

You require

firewall_enable="YES"

in /etc/rc.conf for the rules to be looked at

Also, firewall_script may be the wrong configuration parameter to use.
firewall_script is expected to be a shell script to configure the
firewall. If you just want a file of rules, set firewall_type instead.
e.g.

firewall_type="/etc/rc.firewall.rules"
firewall_enable="YES"

and then put your rules one line at a time into the specified file. i.e.

add allow ip from any to any via lo0
(etc)

ipfw is a kernel module. It will not show up in "ps aux". If
"ipfw list" does not come back with an error message, then it
is likely running. You can check for the ipfw module using

kldstat

(assuming you did not compile ipfw into a custom kernel)

To check the syntax of a list of rules (note: not a shell script) then
you can use

ipfw -n /path/to/rules/file

From the man page

-n Only check syntax of the command strings, without actually pass-
ing them to the kernel.

Regards,

Gary

Thanks, Gary! This is much of what I was looking for.

Start Here to Find It Fast!? -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • IPFW: Blocking me out. How to debug?
    • From: W. D.

• References:
  • IPFW compiled in kernel: Where is it reading the config?
    • From: W. D.
  • Re: IPFW compiled in kernel: Where is it reading the config?
    • From: Gary Palmer

• Prev by Date: Re: IPFW compiled in kernel: Where is it reading the config?
• Next by Date: Re: bin/91622: cp(1) does not update atime of the source file
• Previous by thread: Re: IPFW compiled in kernel: Where is it reading the config?
• Next by thread: IPFW: Blocking me out. How to debug?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: FreeBSD Gateway problems ... >speed connection for 3 years now, and I've just gotten it back. ... >Well all these other How-Tos I found on FreeBSDDiary.org told me all I needed ... To use ipfw adding these options to your kernel is a good place to start: ... (freebsd-questions) Re: natd -redirect_port ... > into the kernel. ... > IPFW is delivered as an bootable module. ... > You need this in rc.conf to enable ipfw, ... (freebsd-questions) Firewall and nmap ... I'm compiled a Kernel using the GENERIC config-file that ... So I flushed all rools for the firewall with ipfw flush (the still ... my kernel, ipfw -c list told me that this is true.) ... Anyway, nothing changes, all ports seem to be closed running nmap, ... (freebsd-questions) IPFW config ... handbook guide to loading the ipfw kernel module to setup a firewall. ... (freebsd-questions) Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility) ... For simple using, however, you don't need to bother all that details - just remember magic number and where to place it, and it is now simple for use with ipfw tags. ... Currently the only analyzing node in FreeBSD src tree is ng_bpf, but it merely splits incoming packets in two streams, matched and not. ... There are reasons to this, as netgraph needs to be modular, and each node does a small thing, but does it well. ... For long time ng_bpf was used for another purposes in the kernel, and now, as new ipfw features appeared, ng_tag came up for easy integration. ... (freebsd-current)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2007-12