Does IPFW load default rules

S

SteveB

I'm new to firewalls so please bear with me. In my rc.conf I have just these two firewall statements;

Code: 
firewall_enable="yes"
firewall_type="open"

I notice that when I run ipfw list I get the following list of rules;

Code: 
thx1138# ipfw list
00050 divert 8668 ip4 from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

Since I haven't specified a rule script, where are these rules coming from? Does IPFW insert a base set of default rules if nothing else is specified?

As always, your help is greatly appreciated.
 
/etc/rc.d/ipfw controls how IPFW is loaded via rc.conf, and this lists /etc/rc.firewall as the default rules script is none if specified. In there is a section for the "open" firewall type, which loads the rules you are seeing.

IPFW by itself only loads a single rule, number 65535, which is "deny ip from any to any" unless you compile a custom kernel with IPFIREWALL_DEFAULT_TO_ACCEPT which then changes it to "allow ip from any to any".
 
Thank you Phoenix!

So, if I specify a rules script other than /etc/rc.firewall using the 'firewall_script' statement in rc.conf, are the rules I place in this script superseding those in /etc/rc.firewall or are they loaded in addition to those in /etc/rc.firewall? I'm thinking that since the first statement in my rules script flushes all rules (ipfw -q -f flush) that my script must be the one and only rules set but I just wanted to confirm.

Thanks.
 
You must log in or register to reply here.
Back
Top