From studded@dalnet.webmaster.com Tue Oct 14 20:59:17 1997 Received: from dalnet.webmaster.com (dalnet.webmaster.com [206.86.127.216]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA12429 for ; Tue, 14 Oct 1997 20:59:16 -0700 (PDT) (envelope-from studded@dalnet.webmaster.com) Received: (from root@localhost) by dalnet.webmaster.com (8.8.7/8.7.3) id UAA28549; Tue, 14 Oct 1997 20:59:14 -0700 (PDT) Message-Id: <199710150359.UAA28549@dalnet.webmaster.com> Date: Tue, 14 Oct 1997 20:59:14 -0700 (PDT) From: studded@dal.net Reply-To: studded@dal.net To: FreeBSD-gnats-submit@freebsd.org Subject: Changes to rc* scripts for ipfw X-Send-Pr-Version: 3.2 >Number: 4766 >Category: misc >Synopsis: Simple changes to make ipfw safer and easier to use >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: closed >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Tue Oct 14 21:00:01 PDT 1997 >Closed-Date: Thu Mar 12 02:25:37 PST 1998 >Last-Modified: Thu Mar 12 02:26:54 PST 1998 >Originator: Studded >Release: FreeBSD 2.2.5-971012-BETA i386 >Organization: DALnet IRC network >Environment: All FreeBSD 2.2x systems. (Note that I'm unsure about the category.) >Description: The ipfw functionality is a valuable part of FreeBSD, however compiling it into the kernel or enabling the option in rc.conf (which currently loads the kernel module from rc.network) can lead to a system accidentally being closed off from the internet. This is especially dangerous when administering a system remotely. >How-To-Repeat: Load ipfw. >Fix: The following patch (in both unified and context format because I can never remember what y'all like :) make a few small changes to rc.conf to make things more clear, add some safety features to rc.network and rc.firewall so that the default firewall type is open, and makes sure that rc.firewall is loaded if there is ipfw functionality in the kernel. It also makes a small change to the rc.firewall script so that the rules in the script look like the rules you see when doing 'ipfw list.' Finally it makes rc.firewall and rc.network friendlier to a mistake in case for "YES" vs. "yes." I realize that making the default rule "open" is a controversial thing, however it would be trivial for someone who *wanted* a closed system to make the firewall type "CLOSED." On the other hand, someone compiling the ipfw option into the kernel or enabling it in rc.conf without doing their "homework" will find themself with anything from a mysterious situation to a catastrophic error for someone administering a system remotely. Even if the powers that be do not accept my proposal for changing the default rule, I'd like serious consideration for the expanded and clarified warning messages, and the change from "pass all" to "allow ip" in rc.firewall. There is currently a discussion on this topic happening on freebsd-stable. Hope this helps, Doug Context format: diff -cr ../etc-1014/rc.conf ./rc.conf *** ../etc-1014/rc.conf Sun Oct 12 13:33:28 1997 --- ./rc.conf Tue Oct 14 18:19:56 1997 *************** *** 4,10 **** # This is rc.conf - a file full of useful variables that you can set # to change the default startup behavior of your system. # ! # All arguments must be in double or single quotes. # # $Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $ --- 4,12 ---- # This is rc.conf - a file full of useful variables that you can set # to change the default startup behavior of your system. # ! # All arguments must be in double or single quotes, and are case sensitive. ! # Therefore you should use CAPITAL LETTERS for the YES/NO options. ! # "NO" is not the same as "no". # # $Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $ *************** *** 28,35 **** hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). firewall_enable="NO" # Set to YES to enable firewall functionality - firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. --- 30,38 ---- hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). firewall_enable="NO" # Set to YES to enable firewall functionality firewall_quiet="NO" # Set to YES to suppress rule display + firewall_type="OPEN" # Firewall type (see /etc/rc.firewall) + # "OPEN" allows all traffic to pass by default. Other options are available. tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. diff -cr ../etc-1014/rc.firewall ./rc.firewall *** ../etc-1014/rc.firewall Thu Sep 18 15:47:10 1997 --- ./rc.firewall Tue Oct 14 19:50:42 1997 *************** *** 4,13 **** ############ # Define the firewall type in /etc/rc.conf. Valid values are: ! # open - will allow anyone in ! # client - will try to protect just this machine ! # simple - will try to protect a whole network ! # closed - totally disables IP services except via lo0 interface # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # --- 4,13 ---- ############ # Define the firewall type in /etc/rc.conf. Valid values are: ! # OPEN - will allow anyone in ! # CLIENT - will try to protect just this machine ! # SIMPLE - will try to protect a whole network ! # CLOSED - totally disables IP services except via lo0 interface # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # *************** *** 39,49 **** if [ "x$1" != "x" ]; then firewall_type=$1 fi ############ # Set quiet mode if requested ! if [ "x$firewall_quiet" = "xYES" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" --- 39,51 ---- if [ "x$1" != "x" ]; then firewall_type=$1 + else + firewall_type=OPEN fi ############ # Set quiet mode if requested ! if [ "x$firewall_quiet" = "xYES" -o "x$firewall_quiet" = "xyes" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" *************** *** 53,77 **** # Flush out the list before we begin. $fwcmd -f flush ############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. You can also ! # do this as your only action by setting the firewall_type to ``open''. ! # $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change this rule ! $fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 # Prototype setups. ! if [ "${firewall_type}" = "open" ]; then ! $fwcmd add 65000 pass all from any to any ! elif [ "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against --- 55,85 ---- # Flush out the list before we begin. $fwcmd -f flush + # In the examples below, the words "allow" and "ip" are equivalent to + # "pass" and "all" as used in this file previously, and accurately reflect + # how ipfw will list the rules when you use ipfw list. See man ipfw(8) + # for more details. + ############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. You can also ! # do this as your only action by setting the firewall_type to "OPEN" in ! # /etc/rc.conf. ! # $fwcmd add 65000 allow ip from any to any ############ # Only in rare cases do you want to change this rule ! $fwcmd add 100 allow ip from 127.0.0.1 to 127.0.0.1 # Prototype setups. ! if [ "${firewall_type}" = "OPEN" -o "${firewall_type}" = "open" ]; then ! $fwcmd add 65000 allow ip from any to any ! elif [ "${firewall_type}" = "CLIENT" -o "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against *************** *** 84,115 **** ip="192.168.4.17" # Allow any traffic to or from my own net. ! $fwcmd add pass all from ${ip} to ${net}:${mask} ! $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded ! $fwcmd add pass tcp from any to any established # Allow setup of incoming email ! $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only ! $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world ! $fwcmd add pass udp from any 53 to ${ip} ! $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world ! $fwcmd add pass udp from any 123 to ${ip} ! $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. ! elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine --- 92,125 ---- ip="192.168.4.17" # Allow any traffic to or from my own net. ! $fwcmd add allow ip from ${ip} to ${net}:${mask} ! $fwcmd add allow ip from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded ! $fwcmd add allow tcp from any to any established # Allow setup of incoming email ! $fwcmd add allow tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only ! $fwcmd add allow tcp from ${ip} to any setup # Disallow setup of all other TCP connections $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world ! # (BIND 8.1.1 and later do not use port 53 by ! # default, but it can be configured to do so.) ! $fwcmd add allow udp from any 53 to ${ip} ! $fwcmd add allow udp from ${ip} to any 53 # Allow NTP queries out in the world ! $fwcmd add allow udp from any 123 to ${ip} ! $fwcmd add allow udp from ${ip} to any 123 # Everything else is denied as default. ! elif [ "${firewall_type}" = "SIMPLE" -o "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine *************** *** 130,171 **** iip="192.168.3.17" # Stop spoofing ! $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} ! $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface ! $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} ! $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} ! $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded ! $fwcmd add pass tcp from any to any established # Allow setup of incoming email ! $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS ! $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW ! $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection ! $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world ! $fwcmd add pass udp from any 53 to ${oip} ! $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world ! $fwcmd add pass udp from any 123 to ${oip} ! $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. ! elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi --- 140,185 ---- iip="192.168.3.17" # Stop spoofing ! $fwcmd add deny ip from ${inet}:${imask} to any in via ${oif} ! $fwcmd add deny ip from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface ! $fwcmd add deny ip from 192.168.0.0:255.255.0.0 to any via ${oif} ! $fwcmd add deny ip from 172.16.0.0:255.240.0.0 to any via ${oif} ! $fwcmd add deny ip from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded ! $fwcmd add allow tcp from any to any established # Allow setup of incoming email ! $fwcmd add allow tcp from any to ${oip} 25 setup # Allow access to our DNS ! # (BIND 8.1.1 and later do not use port 53 by ! # default, but it can be configured to do so.) ! $fwcmd add allow tcp from any to ${oip} 53 setup # Allow access to our WWW ! $fwcmd add allow tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection ! $fwcmd add allow tcp from any to any setup # Allow DNS queries out in the world ! # (BIND 8.1.1 and later do not use port 53 by ! # default, but it can be configured to do so.) ! $fwcmd add allow udp from any 53 to ${oip} ! $fwcmd add allow udp from ${oip} to any 53 # Allow NTP queries out in the world ! $fwcmd add allow udp from any 123 to ${oip} ! $fwcmd add allow udp from ${oip} to any 123 # Everything else is denied as default. ! elif [ "${firewall_type}" != "UNKNOWN -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi diff -cr ../etc-1014/rc.network ./rc.network *** ../etc-1014/rc.network Thu Sep 18 15:47:12 1997 --- ./rc.network Tue Oct 14 20:28:16 1997 *************** *** 55,88 **** ifconfig ${ifn} done ! # Initialize IP filtering using ipfw ! echo "" /sbin/ipfw -q flush > /dev/null 2>&1 ! if [ $? = 1 ] ; then firewall_in_kernel=0 else firewall_in_kernel=1 fi ! if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then ! modload /lkm/ipfw_mod.o ! if [ $? = 0 ]; then ! firewall_in_kernel=1 # module loaded successfully ! echo "Kernel firewall module loaded." ! else ! echo "Warning: firewall kernel module failed to load." fi fi ! # Load the filters if required if [ $firewall_in_kernel = 1 ]; then ! if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ ! "x$firewall_enable" = "xYES" ] ; then ! . /etc/rc.firewall ! echo "Firewall rules loaded." else ! echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." ! echo " All ip services are disabled." fi fi --- 55,95 ---- ifconfig ${ifn} done ! echo "Initializing IP filtering using ipfw." ! /sbin/ipfw -q flush > /dev/null 2>&1 ! if [ $? != 0 ]; then firewall_in_kernel=0 else firewall_in_kernel=1 fi ! if [ "x$firewall_enable" = "xYES" -o "x$firewall_enable" = "xyes" ]; then ! ! if [ $firewall_in_kernel = 0 ]; then ! /sbin/modload /lkm/ipfw_mod.o ! ! if [ $? = 0 ]; then ! firewall_in_kernel=1 ! echo "Kernel firewall module loaded successfully." ! else ! echo "Warning: Firewall is enabled in /etc/rc.conf, but it is not compiled" ! echo "Warning: into the kernel, and the kernel module failed to load." ! fi fi fi ! # Load the filters if ipfw is in the kernel or loaded above. ! if [ $firewall_in_kernel = 1 ]; then ! if [ -r /etc/rc.firewall ]; then ! . /etc/rc.firewall ! echo "Firewall rules loaded from /etc/rc.firewall." else ! echo "Warning: Firewall functionality is enabled, but firewall rules were" ! echo "Warning: not loaded from /etc/rc.firewall." ! echo "" ! echo "Warning: *** All IP services are disabled. ***" fi fi Unified format: diff -ur ../etc-1014/rc.conf ./rc.conf --- ../etc-1014/rc.conf Sun Oct 12 13:33:28 1997 +++ ./rc.conf Tue Oct 14 18:19:56 1997 @@ -4,7 +4,9 @@ # This is rc.conf - a file full of useful variables that you can set # to change the default startup behavior of your system. # -# All arguments must be in double or single quotes. +# All arguments must be in double or single quotes, and are case sensitive. +# Therefore you should use CAPITAL LETTERS for the YES/NO options. +# "NO" is not the same as "no". # # $Id: rc.conf,v 1.1.2.26 1997/10/12 20:33:28 imp Exp $ @@ -28,8 +30,9 @@ hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). firewall_enable="NO" # Set to YES to enable firewall functionality -firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display +firewall_type="OPEN" # Firewall type (see /etc/rc.firewall) +# "OPEN" allows all traffic to pass by default. Other options are available. tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. diff -ur ../etc-1014/rc.firewall ./rc.firewall --- ../etc-1014/rc.firewall Thu Sep 18 15:47:10 1997 +++ ./rc.firewall Tue Oct 14 19:50:42 1997 @@ -4,10 +4,10 @@ ############ # Define the firewall type in /etc/rc.conf. Valid values are: -# open - will allow anyone in -# client - will try to protect just this machine -# simple - will try to protect a whole network -# closed - totally disables IP services except via lo0 interface +# OPEN - will allow anyone in +# CLIENT - will try to protect just this machine +# SIMPLE - will try to protect a whole network +# CLOSED - totally disables IP services except via lo0 interface # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # @@ -39,11 +39,13 @@ if [ "x$1" != "x" ]; then firewall_type=$1 +else + firewall_type=OPEN fi ############ # Set quiet mode if requested -if [ "x$firewall_quiet" = "xYES" ]; then +if [ "x$firewall_quiet" = "xYES" -o "x$firewall_quiet" = "xyes" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" @@ -53,25 +55,31 @@ # Flush out the list before we begin. $fwcmd -f flush +# In the examples below, the words "allow" and "ip" are equivalent to +# "pass" and "all" as used in this file previously, and accurately reflect +# how ipfw will list the rules when you use ipfw list. See man ipfw(8) +# for more details. + ############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. You can also -# do this as your only action by setting the firewall_type to ``open''. +# do this as your only action by setting the firewall_type to "OPEN" in +# /etc/rc.conf. -# $fwcmd add 65000 pass all from any to any +# $fwcmd add 65000 allow ip from any to any ############ # Only in rare cases do you want to change this rule -$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 +$fwcmd add 100 allow ip from 127.0.0.1 to 127.0.0.1 # Prototype setups. -if [ "${firewall_type}" = "open" ]; then +if [ "${firewall_type}" = "OPEN" -o "${firewall_type}" = "open" ]; then - $fwcmd add 65000 pass all from any to any + $fwcmd add 65000 allow ip from any to any -elif [ "${firewall_type}" = "client" ]; then +elif [ "${firewall_type}" = "CLIENT" -o "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against @@ -84,32 +92,34 @@ ip="192.168.4.17" # Allow any traffic to or from my own net. - $fwcmd add pass all from ${ip} to ${net}:${mask} - $fwcmd add pass all from ${net}:${mask} to ${ip} + $fwcmd add allow ip from ${ip} to ${net}:${mask} + $fwcmd add allow ip from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded - $fwcmd add pass tcp from any to any established + $fwcmd add allow tcp from any to any established # Allow setup of incoming email - $fwcmd add pass tcp from any to ${ip} 25 setup + $fwcmd add allow tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only - $fwcmd add pass tcp from ${ip} to any setup + $fwcmd add allow tcp from ${ip} to any setup # Disallow setup of all other TCP connections $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world - $fwcmd add pass udp from any 53 to ${ip} - $fwcmd add pass udp from ${ip} to any 53 + # (BIND 8.1.1 and later do not use port 53 by + # default, but it can be configured to do so.) + $fwcmd add allow udp from any 53 to ${ip} + $fwcmd add allow udp from ${ip} to any 53 # Allow NTP queries out in the world - $fwcmd add pass udp from any 123 to ${ip} - $fwcmd add pass udp from ${ip} to any 123 + $fwcmd add allow udp from any 123 to ${ip} + $fwcmd add allow udp from ${ip} to any 123 # Everything else is denied as default. -elif [ "${firewall_type}" = "simple" ]; then +elif [ "${firewall_type}" = "SIMPLE" -o "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine @@ -130,42 +140,46 @@ iip="192.168.3.17" # Stop spoofing - $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} - $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} + $fwcmd add deny ip from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny ip from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny ip from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny ip from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny ip from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded - $fwcmd add pass tcp from any to any established + $fwcmd add allow tcp from any to any established # Allow setup of incoming email - $fwcmd add pass tcp from any to ${oip} 25 setup + $fwcmd add allow tcp from any to ${oip} 25 setup # Allow access to our DNS - $fwcmd add pass tcp from any to ${oip} 53 setup + # (BIND 8.1.1 and later do not use port 53 by + # default, but it can be configured to do so.) + $fwcmd add allow tcp from any to ${oip} 53 setup # Allow access to our WWW - $fwcmd add pass tcp from any to ${oip} 80 setup + $fwcmd add allow tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection - $fwcmd add pass tcp from any to any setup + $fwcmd add allow tcp from any to any setup # Allow DNS queries out in the world - $fwcmd add pass udp from any 53 to ${oip} - $fwcmd add pass udp from ${oip} to any 53 + # (BIND 8.1.1 and later do not use port 53 by + # default, but it can be configured to do so.) + $fwcmd add allow udp from any 53 to ${oip} + $fwcmd add allow udp from ${oip} to any 53 # Allow NTP queries out in the world - $fwcmd add pass udp from any 123 to ${oip} - $fwcmd add pass udp from ${oip} to any 123 + $fwcmd add allow udp from any 123 to ${oip} + $fwcmd add allow udp from ${oip} to any 123 # Everything else is denied as default. -elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then +elif [ "${firewall_type}" != "UNKNOWN -a -r "${firewall_type}" ]; then $fwcmd ${firewall_type} fi diff -ur ../etc-1014/rc.network ./rc.network --- ../etc-1014/rc.network Thu Sep 18 15:47:12 1997 +++ ./rc.network Tue Oct 14 20:28:16 1997 @@ -55,34 +55,41 @@ ifconfig ${ifn} done - # Initialize IP filtering using ipfw - echo "" + echo "Initializing IP filtering using ipfw." + /sbin/ipfw -q flush > /dev/null 2>&1 - if [ $? = 1 ] ; then + if [ $? != 0 ]; then firewall_in_kernel=0 else firewall_in_kernel=1 fi - if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then - modload /lkm/ipfw_mod.o - if [ $? = 0 ]; then - firewall_in_kernel=1 # module loaded successfully - echo "Kernel firewall module loaded." - else - echo "Warning: firewall kernel module failed to load." + if [ "x$firewall_enable" = "xYES" -o "x$firewall_enable" = "xyes" ]; then + + if [ $firewall_in_kernel = 0 ]; then + /sbin/modload /lkm/ipfw_mod.o + + if [ $? = 0 ]; then + firewall_in_kernel=1 + echo "Kernel firewall module loaded successfully." + else +echo "Warning: Firewall is enabled in /etc/rc.conf, but it is not compiled" +echo "Warning: into the kernel, and the kernel module failed to load." + fi fi fi - # Load the filters if required + # Load the filters if ipfw is in the kernel or loaded above. + if [ $firewall_in_kernel = 1 ]; then - if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ - "x$firewall_enable" = "xYES" ] ; then - . /etc/rc.firewall - echo "Firewall rules loaded." + if [ -r /etc/rc.firewall ]; then + . /etc/rc.firewall + echo "Firewall rules loaded from /etc/rc.firewall." else - echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." - echo " All ip services are disabled." +echo "Warning: Firewall functionality is enabled, but firewall rules were" +echo "Warning: not loaded from /etc/rc.firewall." +echo "" +echo "Warning: *** All IP services are disabled. ***" fi fi >Release-Note: >Audit-Trail: From: Studded To: freebsd-gnats-submit@freebsd.org Cc: Subject: Re: misc/4766: Simple changes to make ipfw safer and easier to use Date: Thu, 12 Mar 1998 02:16:03 -0800 Feel free to close this. Thanks, Doug -- *** Chief Operations Officer, DALnet IRC network *** *** Proud operator, designer and maintainer of the world's largest *** Internet Relay Chat server. 5,328 clients and still growing. *** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD) State-Changed-From-To: open->closed State-Changed-By: eivind State-Changed-When: Thu Mar 12 02:25:37 PST 1998 State-Changed-Why: Closed at the request of the originator. >Unformatted: