IPFW Simple IPFW Setup From Handbook Locks Me Out

dave

Hello,

/etc/rc.conf
Code:
firewall_enable="YES"
firewall_type="open"
...followed by...
sudo service ipfw start

...results in immediate loss of all connectivity.

Am I missing something?

FreeBSD 10.2-RELEASE-p7
 

sidetone

Run ipfw show to check which rules are set. Sometimes it doesn't flush the rules from a closed configuration before loading the open ipfw rules. I think it's a bug. Try ipfw flush, then load the configuration file.
 
dave (OP)

Thanks.

It would seem strange that the built-in firewall script would lock me out. I had not rebooted; I simply added the config above to my /etc/rc.conf and then issued the command to start the service. Now that I have rebooted the machine and got back in, here are the rules I see:

Code:
00100   1289    120680 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00400      0         0 deny ip from any to ::1
00500      0         0 deny ip from ::1 to any
00600      4       304 allow ipv6-icmp from :: to ff02::/16
00700      0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      0         0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0         0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      0         0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 131190 105913503 allow ip from any to any
65535      1        84 deny ip from any to any
This does not seem like it would lock me out?
 

Jeckt

This sounds like you're doing it remotely. In that case a flush will drop all current connections (including the one you're using to load the new firewall rules). A few things work together to make this a bit more complicated than it should be, but part of the problem is the default to deny. For this reason it's suggested to add net.inet.ip.fw.default_to_accept="1" to loader.conf, then add the explicit last rule "drop all from any to any" (assuming that's what you want to do). In some high-security situations maybe you'd want it to always drop everything, but I speak from experience: after years of no issues, I finally got hosed on a remote server.

I don't have a good solution to reloading ipfw this way, and actually I have a custom perl script I wrote to do the reloading (holding connections open by inserting "allow all from any to me established" as the first rule). I suspect if you look at the server when doing ipfw reload, what you'll find is no rules loaded because it stopped after the flush.
 
Last edited by a moderator:

sidetone

I read you can crontab a command to stop the firewall every 5 or so minutes for testing. If you're using a remote connection, all you would have to do is wait for the crontab script.
 
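The two workarounds suggested above (Jeckt's keep-alive rule inserted before the old rules are removed, and sidetone's timed escape hatch so a lost session does not stay lost) fit together in one small script. The following is an added example written for this page, not code from any poster, from the Handbook or from rc.firewall. It assumes: the script is saved as ipfw-safe-reload.sh (hypothetical name); ipfw set 1 is otherwise unused on the host, so the keep-alive rule can live there and survive the removal of set 0, which is where rules loaded without an explicit set go; the rules file contains ipfw commands without the leading "ipfw" (the format ipfw(8) reads when given a file name) and does not itself contain a flush; the keep-alive rule is narrowed from the quoted "all ... established" to tcp, since "established" only matches TCP flags anyway; and the dead-man timer is a background sleep plus "ipfw disable firewall" rather than a cron entry. The ipfw binary is reached through the IPFW variable only so the script can be exercised with a stub.

```shell
#!/bin/sh
# ipfw-safe-reload.sh (hypothetical name): replace a live ipfw ruleset over
# SSH without cutting the session.
#   1. Install a keep-alive rule for already-established TCP sessions to "me"
#      first, in its own rule set, so removing the old rules leaves it intact.
#   2. Arm a watchdog that disables the firewall after a timeout unless the
#      admin confirms connectivity with "commit" (fails open on purpose).
# IPFW is a variable so the script can be exercised with a stub command.
IPFW="${IPFW:-ipfw}"
KEEPALIVE_SET=1        # assumption: set 1 is not used by the host's own rules
WATCHDOG_PID=""

# Rule 1 in set $KEEPALIVE_SET: pass TCP segments with ACK or RST set that are
# addressed to any local address. The current SSH session already has that state.
install_keepalive() {
    $IPFW -q add 1 set "$KEEPALIVE_SET" allow tcp from any to me established
}

# Replace the working rules (set 0, where rc.firewall loads them) with the
# contents of a rules file. Only set 0 is deleted, so rule 1 survives.
# The file holds ipfw commands without the leading "ipfw", for example
#   add 100 allow ip from any to any via lo0
# and must not contain a "flush", which would remove the keep-alive rule too.
load_rules() {
    rules_file="$1"
    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; return 1; }
    $IPFW -q delete set 0 &&
    $IPFW -q "$rules_file"
}

# If commit does not happen within $1 seconds, open the firewall completely
# (net.inet.ip.fw.enable=0) so the admin can get back in and fix the ruleset.
arm_watchdog() {
    ( sleep "$1"; $IPFW disable firewall ) &
    WATCHDOG_PID=$!
}

# Once a fresh connection works: stop the watchdog and remove the keep-alive
# set so that only the intended policy remains.
commit_rules() {
    kill "$1" 2>/dev/null || true
    $IPFW -q delete set "$KEEPALIVE_SET"
}

safe_reload() {
    rules_file="$1"; timeout="${2:-300}"
    install_keepalive || return 1
    arm_watchdog "$timeout"
    load_rules "$rules_file" || {
        echo "load failed; watchdog $WATCHDOG_PID still armed" >&2; return 1; }
    echo "rules loaded; run '$0 commit $WATCHDOG_PID' within ${timeout}s or the firewall is disabled"
}

case "${1:-}" in
    reload) safe_reload "$2" "${3:-300}" ;;
    commit) commit_rules "$2" ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 reload RULES_FILE [TIMEOUT] | commit WATCHDOG_PID" >&2; exit 64 ;;
esac
```

Usage: run sh ipfw-safe-reload.sh reload /path/to/rules 300 from the existing SSH session, open a second SSH session to confirm the new policy lets you in, then run the printed commit command. If the second session never connects, wait out the timeout; the watchdog disables filtering entirely and the original session (kept alive by rule 1) can be used to repair the rules. That fail-open behaviour is the same trade-off Jeckt describes for default_to_accept; on a host that must never pass unfiltered traffic, replace "disable firewall" in arm_watchdog with loading a known-good rules file.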
dave (OP)

sidetone said:
I read you can crontab a command to stop the firewall every 5 or so minutes for testing. If you're using a remote connection, all you would have to do is wait for the crontab script.
Good thinking.
 