Hello!
I tried to configure ipfw on 15 beta, but my custom ruleset is not being
properly loaded by the ipfw command.
Code:
[m@test ~]$ grep firewall /etc/rc.conf
firewall_logging="YES"
firewall_enable="YES"
firewall_type="/etc/myfw.conf"
[m@test ~]$
[m@test ~]$ ls -la /etc/myfw.conf
-rwxr-xr-x 1 root wheel 1492 Oct 25 11:37 /etc/myfw.conf
[m@test ~]$
If I manually run this script (with bash or directly), the custom
rules are applied and work.
If I run bash -x on /etc/rc.firewall, I get the error that ipfw is a bad
command.
Code:
+ case ${firewall_type} in
+ case ${firewall_type} in
+ '[' -r /etc/myfw.conf ']'
+ /sbin/ipfw /etc/myfw.conf
Line 3: bad command `ipfw'
It seems that the script is not being run by bash like the shebang
says, but by ipfw, and that doesn't understand its syntax.
The handbook describes the syntax this way:
Chapter 33. Firewalls (docs.freebsd.org)
My file has this content:
Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="le0"
${cmd} allow ip from any to any via lo0
${cmd} deny ip from any to 127.0.0.0/8
${cmd} deny ip from 127.0.0.0/8 to any
${cmd} deny ip from any to ::1
${cmd} deny ip from ::1 to any
${cmd} allow ipv6-icmp from :: to ff02::/16
${cmd} allow ipv6-icmp from fe80::/10 to fe80::/10
${cmd} allow ipv6-icmp from fe80::/10 to ff02::/16
${cmd} allow ipv6-icmp from any to any icmp6types 1
${cmd} allow ipv6-icmp from any to any icmp6types 2,135,136
${cmd} check-state :default
${cmd} allow tcp from me to any established
${cmd} allow tcp from me to any setup keep-state :default
${cmd} allow udp from me to any keep-state :default
${cmd} allow icmp from me to any keep-state :default
${cmd} allow ipv6-icmp from me to any keep-state :default
${cmd} allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
${cmd} allow udp from any 67 to me 68 in
${cmd} allow log tcp from any to me 22 in
${cmd} allow udp from any 67 to 255.255.255.255 68 in
${cmd} allow udp from fe80::/10 to me 546 in
${cmd} allow icmp from any to any icmptypes 8
${cmd} allow ipv6-icmp from any to any icmp6types 128,129
${cmd} allow icmp from any to any icmptypes 3,4,11
${cmd} allow ipv6-icmp from any to any icmp6types 3
${cmd} count ip from any to any
${cmd} unreach filter-prohib log ip4 from any to any
${cmd} unreach6 admin-prohib log ip6 from any to any
${cmd} deny ip from any to any #this is implicit
Kind regards,
Marco
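Added example, not part of Marco's post or of FreeBSD's own rc scripts: a small POSIX sh lint for the file format that the "/sbin/ipfw /etc/myfw.conf" invocation in the bash -x trace above expects. When ipfw(8) is given a pathname it reads the file itself, line by line, and treats each line as its own argument list; no shell runs the file. A line that begins with "ipfw" therefore becomes "ipfw ipfw ...", which is exactly what "Line 3: bad command `ipfw'" reports (line 3 of the posted file is "ipfw -q -f flush"), and a "${cmd}" prefix is never expanded because no shell sees it. The function name check_ipfw_rulefile, the two helper names and both sample files below are constructed for this example; the first sample is written in the style of the posted script, the second holds the same kind of rules in the one-argument-list-per-line form.

```shell
#!/bin/sh
# Added example: lint a file for the syntax "ipfw /path/to/file" reads.
# ipfw splits each line into words and runs them as its own arguments, so a
# valid line looks like "add allow ip from any to any", never "ipfw add ..."
# and never "${cmd} ...". Lines whose first word starts with '#' are comments.
# Prints one diagnostic per offending line and returns 1 if any were found.
check_ipfw_rulefile() {
    file=$1 rc=0 lineno=0
    set -f                       # no globbing while we word-split each line
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line             # split into words the way ipfw's reader does
        first=${1-}
        case $first in
        ''|'#'*) ;;              # blank line or comment: ignored by ipfw
        ipfw|*/ipfw)
            printf 'line %d: starts with "ipfw"; ipfw would run "ipfw ipfw ..."\n' "$lineno"
            rc=1 ;;
        '$'*)
            printf 'line %d: "%s" is a shell variable; ipfw does not expand it\n' "$lineno" "$first"
            rc=1 ;;
        [A-Za-z_]*=*)
            printf 'line %d: "%s" is a shell assignment, not an ipfw command\n' "$lineno" "$first"
            rc=1 ;;
        esac
    done < "$file"
    set +f
    return $rc
}

# Constructed sample in the style of the posted /etc/myfw.conf (a shell script).
# Writes it to a temp file and prints the path.
sample_shell_style_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
cmd="ipfw -q add"
${cmd} allow ip from any to any via lo0
EOF
    printf '%s\n' "$f"
}

# Constructed sample in the form "ipfw /path" accepts: one ipfw argument list
# per line, no "ipfw" prefix, no shell variables. Prints the temp file path.
sample_native_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Rules as "ipfw /etc/myfw.conf" would read them (constructed example)
add allow ip from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
add check-state :default
add allow tcp from me to any setup keep-state :default
add deny ip from any to any
EOF
    printf '%s\n' "$f"
}

main() {
    for f in "$(sample_shell_style_file)" "$(sample_native_file)"; do
        if check_ipfw_rulefile "$f"; then
            echo "$f: OK for \"ipfw $f\""
        else
            echo "$f: would fail under \"ipfw $f\""
        fi
        rm -f "$f"
    done
}
main "$@"
```

Run against the first sample the lint reports lines 3, 4 and 5 (the "ipfw" command, the cmd= assignment and the "${cmd}" line); the second sample passes. The check is deliberately shallow: it does not validate ipfw rule grammar, only the three shell-isms that ipfw's own file reader cannot interpret. For reference, /etc/rc.d/ipfw runs a file named in firewall_script with /bin/sh, while a path in firewall_type is handed to ipfw as shown in the trace above.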