There's no information in man ipfw or man rc.conf about these options found in /etc/defaults/rc.conf for the firewall:

    firewall_myservices=""          # List of TCP ports on which this host
    firewall_allowservices=""       # List of IPs which has access to
                                    # $firewall_myservices
    firewall_trusted=""             # List of IPs which has full access to this host
    firewall_logdeny="NO"           # Set to YES to log default denied incoming
    firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports

An explanation was provided to me for some of them by Giorgos Keramidas on the comp.unix.bsd.freebsd.misc news group. He asked that I submit a PR so he can work on it. Some of the options are explained by him as follows.

The lists are space- or TAB-separated. These rc.conf options are only used in for-loops of shell code in the `/etc/rc.firewall' script. You can delimit entries with space or TAB characters. If you carefully quote the list of values, you can even use multiple lines like:

    firewall_trusted="192.168.1.1/32
                      192.168.1.3
                      192.168.1.254"

The firewall_allowservices and firewall_myservices work closely together:

  * The first one is a simple (space separated) list of hosts that connections may originate from.
  * The second is a simple (space separated) list of local services that will be open for all hosts in ${firewall_allowservices}.

One rule is added to the final firewall ruleset for every combination of `firewall_allowservices' and `firewall_myservices', so if you use in your `rc.conf' file something like:

    firewall_allowservices="192.168.1.1 192.168.1.2"
    firewall_myservices="ssh smtp"

Then your final firewall will contain the rules:

    add pass tcp from 192.168.1.1 to me ssh
    add pass tcp from 192.168.1.2 to me ssh
    add pass tcp from 192.168.1.1 to me smtp
    add pass tcp from 192.168.1.2 to me smtp

If you are planning to use these options, it's worth considering at least the following details too:

  * Only TCP services are enabled by these rules. If you have a UDP service, you will have to either (a) edit your `rc.firewall' script, or (b) roll your own ruleset.
  * The `firewall_allowservices' and `firewall_myservices' options are *only* valid if you are using the pre-configured `workstation' type for your firewall ruleset. If you are using any other set of firewall rules, the current `rc.firewall' script will completely ignore any `rc.conf' value configured for `firewall_allowservices' and `firewall_myservices'!

Fix: Giorgos Keramidas in the news group said:

This is a bug. The firewall_xxx options seem very under-documented. The bug is even more important because the code has already found its way to a STABLE branch, but the documentation bits are still missing. Please take a moment to open a problem report and send me the number, or let me know that you don't have the time to do that just now, so I can open one myself. Then I can work a bit to refine the explanation I wrote above, and commit it to the rc.conf manpage.

How-To-Repeat:

    grep firewall /etc/defaults/rc.conf

'man rc.conf' and searching for any of the options listed above in the description will show no results. Same for 'man ipfw'.
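As an added illustration (this is not code from the PR and not the text of /etc/rc.firewall), the following POSIX shell models the expansion described in the report: one "pass tcp" rule per (host, service) pair, lists split on space, TAB or newline, and nothing emitted unless the firewall type is workstation. The function names, the sample addresses and the exact loop nesting are assumptions; the nesting was chosen to reproduce the rule order shown in the description. The real script invokes ipfw for each rule rather than printing it.

```shell
#!/bin/sh
# Added example, not the code of /etc/rc.firewall: models how the
# 'workstation' ruleset turns firewall_allowservices and
# firewall_myservices into ipfw rules. Function names, sample values and
# the loop nesting are assumptions; the nesting matches the rule order
# given in the PR description (every host for one service, then the
# next service).

# expand_workstation_rules TYPE ALLOWSERVICES MYSERVICES
# Prints "add pass tcp from HOST to me SERVICE" for every (host, service)
# pair. The lists are deliberately left unquoted inside the loops, so
# space, TAB and newline all act as delimiters; that is why the quoted
# multi-line list from the description works. Only TCP rules are
# produced, so a UDP service listed here gets no rule at all. Nothing is
# printed unless TYPE is "workstation", which is the surprise this PR is
# about: the same rc.conf values are silently ignored for any other type.
expand_workstation_rules() {
    fw_type=$1
    allow_hosts=$2
    my_services=$3
    [ "$fw_type" = "workstation" ] || return 0
    for svc in $my_services; do
        for host in $allow_hosts; do
            printf 'add pass tcp from %s to me %s\n' "$host" "$svc"
        done
    done
}

# count_rules TYPE ALLOWSERVICES MYSERVICES
# Number of rules the expansion would add (the host list times the
# service list); useful as a sanity check before rebooting with a large
# allow list.
count_rules() {
    expand_workstation_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample values, matching the example in the description.
sample_allow="192.168.1.1 192.168.1.2"
sample_services="ssh smtp"

# Prints the four rules listed in the description.
expand_workstation_rules workstation "$sample_allow" "$sample_services"

# With any other firewall_type (e.g. "open") the same settings produce
# no rules at all.
expand_workstation_rules open "$sample_allow" "$sample_services"
```

Run it with sh and compare the printed rules against the ones in the description; change the first argument to anything but workstation and the output disappears, which is the undocumented behaviour the report complains about.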
Responsible Changed From-To: freebsd-doc->keramida

I'll update rc.conf.5 for the new options.
Release to wild.
^Triage: reset inaccurate In Progress state.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c39dda81923a26116241fbe996351133c86ad97a

commit c39dda81923a26116241fbe996351133c86ad97a
Author:     Tobias Rehbein <tobias.rehbein@web.de>
AuthorDate: 2021-03-18 17:01:09 +0000
Commit:     Daniel Ebdrup Jensen <debdrup@FreeBSD.org>
CommitDate: 2021-03-18 17:39:24 +0000

    rc.conf(5): Document the 'workstation' firewall_type

    Document the workstation ACL ruleset, which uses stateful rules.
    While here, add a note about where some of the undocumented variables
    can be found.

    This is not a perfect solution for bug 127359, but it at least gives a
    place to go look, and can be used as a reference for when bug 127359
    gets fixed properly.

    PR:             254358, 127359

 share/man/man5/rc.conf.5 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
This bug is not fixed by bug #254358, which is why I'm leaving it open, but at least now there's a reference in case someone (possibly me, down the road) wants to fix this. In the meantime, I'm adding the needs-patch tag, so that it can be found by potential contributors.