Solved bad command.

rigoletto@

Developer
Hi,

I am moving from PF to IPFW (which I have never used before), but I am experiencing some problems with the syntax or something.

/etc/rc.conf
Code:
firewall_enable="YES"
firewall_type="/etc/ipfw.sh"

/etc/ipfw.sh
Code:
#!/bin/sh
# set variables
ext_if='10.0.0.10'

#
# flush existing rules
ipfw -q flush

# insert tables
ipfw table 1 add 10.0.0.0/22

# allow established connections
ipfw add 1 check-state

# allow loopback traffic
ipfw add 2 allow all from any to any via lo0

# allow previously established TCP connections
ipfw add 3 allow tcp from any to any established

# reassemble incoming fragmented packets
ipfw add 4 reass all from any to any in

#
# allow all traffic going out
ipfw add 100 set 1 allow udp from $ext_if to any out keep-state
ipfw add 101 set 1 allow tcp from $ext_if to any out setup keep-state

#
# allow private TCP IN
ipfw add 200 set 1 allow tcp from 'table(1)' to $ext_if 80 in setup keep-state
ipfw add 201 set 1 allow tcp from 'table(1)' to $ext_if 6600 in setup keep-state
ipfw add 202 set 1 allow tcp from 'table(1)' to $ext_if 22000 in setup keep-state

# allow public TCP IN
ipfw add 300 set 1 allow tcp from any to $ext_if 62820 in setup keep-state

#
# allow public UDP IN
ipfw add 500 set 1 allow udp from any to $ext_if 62820 in setup keep-state

#
# allow common ICMP types in and out
ipfw add 600 set 1 allow icmp from $ext_if to any icmptypes 0,3
ipfw add 601 set 1 allow icmp from any to $ext_if icmptypes 0,3

#
# deny everything else coming in
ipfw add 999 set 1 deny all from any to any

So this script gives this output:

Code:
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
Line 4: bad command `ext_if='10.0.0.10''
Firewall rules loaded.

If I remove the variable "ext_if='10.0.0.10'", another bad command error appears on some other rule.

Could someone please review these rules? I can't find the real offender.

Thanks!
 
I just checked an exact copy of your script with my FreeBSD 11.1-RELEASE-p6 test installation in a virtual machine, and it did not error out:
Code:
ipfw: DEPRECATED: inserting data into non-existent table 1. (auto-created)
added: 10.0.0.0/22 0
00001 check-state :default
00002 allow ip from any to any via lo0
00003 allow tcp from any to any established
00004 reass ip from any to any in
00100 allow udp from 10.0.0.10 to any out keep-state :default
00101 allow tcp from 10.0.0.10 to any out setup keep-state :default
00200 allow tcp from table(1) to 10.0.0.10 dst-port 80 in setup keep-state :default
00201 allow tcp from table(1) to 10.0.0.10 dst-port 6600 in setup keep-state :default
00202 allow tcp from table(1) to 10.0.0.10 dst-port 22000 in setup keep-state :default
00300 allow tcp from any to 10.0.0.10 dst-port 62820 in setup keep-state :default
00500 allow udp from any to 10.0.0.10 dst-port 62820 in setup keep-state :default
00600 allow icmp from 10.0.0.10 to any icmptypes 0,3
00601 allow icmp from any to 10.0.0.10 icmptypes 0,3
00999 deny ip from any to any
Anyway, the output in your post does not match the firewall script. Have a closer look at the rule numbers and rules: those in the script output are completely different from those used in the script. My hunch is that you are accidentally calling a wrong script while trying to fix the errors in a different one.
 
Hi!

I am using it in rc.conf:

Code:
firewall_enable="YES"
firewall_type="/etc/ipfw.sh"

The same file as posted before. o_O

EDIT:

Ok, my fault (as expected).

Now it works:
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"

Thanks!
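An added example, not part of the thread: the mix-up it ended on comes from how FreeBSD's rc.firewall treats the two variables. A firewall_type value that names a readable file is handed straight to ipfw as a plain rules file (which is why the shell assignment `ext_if='10.0.0.10'` drew "bad command", and why the 00100 to 01000 rules in the posted output are rc.firewall's own loopback and IPv6 defaults rather than anything from the script), while firewall_script names a shell script that rc executes. The POSIX sh lint below reads an rc.conf-style file and flags a firewall_type that points at something with shell syntax. All file names and contents are constructed sample data written to a temporary directory; nothing here is from the thread or from FreeBSD itself.

```shell
#!/bin/sh
# Added example: lint an rc.conf for a firewall_type that names a shell script.
# firewall_type -> file read by "ipfw -q <file>" (rules only, no shell syntax)
# firewall_script -> script executed by rc; this is where ipfw.sh belongs.
# Everything under $WORK is constructed sample data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A script in the style of the thread: shell syntax plus "ipfw" commands.
cat > "$WORK/ipfw.sh" <<'EOF'
#!/bin/sh
ext_if='10.0.0.10'
ipfw -q flush
ipfw add 999 set 1 deny all from any to any
EOF

# A plain rules file, which firewall_type may legitimately point at.
cat > "$WORK/ipfw.rules" <<'EOF'
# ipfw reads this directly: one command per line, no shell
add 100 allow ip from any to any via lo0
add 999 deny ip from any to any
EOF

cat > "$WORK/rc.conf.bad" <<EOF
firewall_enable="YES"
firewall_type="$WORK/ipfw.sh"
EOF

cat > "$WORK/rc.conf.rules" <<EOF
firewall_enable="YES"
firewall_type="$WORK/ipfw.rules"
EOF

cat > "$WORK/rc.conf.good" <<EOF
firewall_enable="YES"
firewall_script="$WORK/ipfw.sh"
EOF

# rc_value FILE VAR: last assignment of VAR in an rc.conf-style file, quotes stripped.
rc_value() {
    val=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$2="*)
                val=${line#*=}
                val=${val#\"}; val=${val#\'}
                val=${val%%\"*}; val=${val%%\'*}
                ;;
        esac
    done < "$1"
    printf '%s\n' "$val"
}

# looks_like_shell FILE: true if FILE has a shebang, a variable assignment,
# or invokes ipfw itself; none of these is valid in an ipfw rules file.
looks_like_shell() {
    grep -Eq '^#!|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=|^[[:space:]]*ipfw([[:space:]]|$)' "$1"
}

# check_firewall_conf RCFILE: prints one verdict word on stdout.
#   misconfigured  firewall_type names a shell script (the thread's bug)
#   ok             firewall_type is a keyword or rules file, or firewall_script is set
#   unset          neither variable is set
check_firewall_conf() {
    ftype=$(rc_value "$1" firewall_type)
    fscript=$(rc_value "$1" firewall_script)
    case $ftype in
        */*)
            if [ -r "$ftype" ] && looks_like_shell "$ftype"; then
                echo "hint: move $ftype to firewall_script= in $1" >&2
                echo misconfigured
                return 1
            fi
            ;;
    esac
    if [ -z "$ftype" ] && [ -z "$fscript" ]; then
        echo unset
        return 2
    fi
    echo ok
}

# Stand-alone run over the three constructed rc.conf variants.
for f in "$WORK"/rc.conf.*; do
    printf '%s: ' "${f##*/}"
    check_firewall_conf "$f" || true
done
```

The check is deliberately narrow: it only flags a firewall_type whose target has shell syntax in it, since a rules file with `add ...` lines is a valid use of firewall_type. Running it over a copy of the thread's rc.conf and script would report `misconfigured` with a hint to use firewall_script, which is the fix the thread arrived at.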
 