| Summary: | [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw |
|---|---|
| Product: | Base System |
| Reporter: | timon |
| Component: | conf |
| Assignee: | freebsd-ipfw (Nobody) <ipfw> |
| Status: | Open |
| Severity: | Affects Only Me |
| CC: | dsx, osidorkin, pirzyk |
| Priority: | Normal |
| Keywords: | patch |
| Version: | 8.2-RELEASE |
| Hardware: | Any |
| OS: | Any |
Description
timon
2012-05-12 13:10:12 UTC
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw. Over to maintainer(s).

Created attachment 180254 [details]: /etc/rc.d/ipfw patch
This patch works on FreeBSD 10.3-RELEASE-p11 whereas I think the previous listed patch does not work. Not sure why they were patching the stop command itself and not the start command where $firewall_type is used.
If ipfw is configured like this:

/etc/rc.conf.d/ipfw/_networks

```
firewall_ipv4="172.16.200.0/24 172.17.200.0/24 172.16.10.0/24 172.17.10.0/24"
firewall_ipv6="2a01:db8:cafe:f660::/64 2a01:db8:cafe:f666::/64"
```

/etc/rc.conf.d/ipfw/ipfw

```
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="ssh/tcp"
firewall_allowservices="$firewall_ipv4 $firewall_ipv6"
firewall_coscripts="/etc/rc.conf.d/ipfw_local"
```

/etc/rc.conf.d/ipfw/log

```
firewall_quiet="NO"
firewall_logging="YES"
firewall_logif="YES"
firewall_logdeny="YES"
```

the firewall_type variable will still be set to UNKNOWN. If I understand:

- /etc/rc.d/ipfw start
  - source /etc/rc.subr
  - call load_rc_config ipfw (firewall_* are available)
  - $firewall_script is set to /etc/rc.firewall (default)
  - call /bin/sh /etc/rc.firewall
- /etc/rc.firewall
  - test if source_rc_confs_defined (always false)
  - source /etc/rc.defaults/rc.conf => firewall_type set to 'UNKNOWN'
  - source rc.subr (but not call load_rc_config !!!)
  - test firewall_type (UNKNOWN) => fail

With attached patch, ipfw is configured as expected:

```
$ sudo ipfw list | grep 22$
02500 allow tcp from 172.16.200.0/24 to me dst-port 22
02600 allow tcp from 172.17.200.0/24 to me dst-port 22
02700 allow tcp from 172.16.10.0/24 to me dst-port 22
02800 allow tcp from 172.17.10.0/24 to me dst-port 22
02900 allow tcp from 2a01:db8:cafe:f660::/64 to me dst-port 22
03000 allow tcp from 2a01:db8:cafe:f666::/64 to me dst-port 22
```

With pirzyk's patch I can force firewall_type (using my configuration):

```
$ sudo ipfw list | wc -l
40
$ sudo service ipfw stop
$ sudo service ipfw start open
$ sudo ipfw list | wc -l
12
$ sudo service ipfw stop
$ sudo service ipfw start
$ sudo ipfw list | wc -l
40
dsx@vaio>uname -a
FreeBSD vaio.bsdsx.fr 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
dsx@vaio>freebsd-version
11.1-RELEASE-p6
```

Created attachment 189205 [details]: patch /etc/rc.firewall
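The load order traced in the comment above, reproduced as an added example (written for this page, not code from the bug report or from FreeBSD's rc.subr/rc.firewall). All paths are stand-ins under a temp directory, and RC_ROOT, load_rc_config_sim and run_firewall_script are invented helper names. The "unpatched" variant is the behaviour described: the child shell standing in for rc.firewall sources only the defaults file, so firewall_type reverts to UNKNOWN; the "patched" variant re-reads rc.conf.d/ipfw in the child, which is what any fix has to achieve.

```shell
#!/bin/sh
# Constructed reproduction of the sourcing order traced in the thread. Every
# path is a stand-in under a temp directory, not the real /etc, and the helper
# names (RC_ROOT, load_rc_config_sim, run_firewall_script) are invented here.
set -eu

RC_ROOT=$(mktemp -d)
trap 'rm -rf "$RC_ROOT"' EXIT
mkdir -p "$RC_ROOT/rc.conf.d"

# Stand-in for /etc/defaults/rc.conf: the default that clobbers the setting.
printf 'firewall_type="UNKNOWN"\n' > "$RC_ROOT/defaults.conf"

# Stand-in for /etc/rc.conf.d/ipfw, where the reporter keeps firewall_type.
printf 'firewall_type="workstation"\n' > "$RC_ROOT/rc.conf.d/ipfw"

# Mimics rc.subr's load_rc_config: defaults first, then rc.conf.d/<service>.
# Sourcing the defaults file on its own never reads rc.conf.d at all.
load_rc_config_sim() {
    . "$RC_ROOT/defaults.conf"
    if [ -r "$RC_ROOT/rc.conf.d/$1" ]; then
        . "$RC_ROOT/rc.conf.d/$1"
    fi
}

# Mimics "/etc/rc.d/ipfw start": load the config, then run the firewall script
# in a child /bin/sh (as rc.d/ipfw does), so the parent's variables do not
# carry over. "unpatched": child sources only the defaults (the bug).
# "patched": child also re-reads rc.conf.d/ipfw. Prints the child's firewall_type.
run_firewall_script() {
    load_rc_config_sim ipfw
    case "$1" in
        unpatched) reload=":" ;;
        patched)   reload=". \"\$RC_ROOT/rc.conf.d/ipfw\"" ;;
        *) echo "usage: run_firewall_script unpatched|patched" >&2; return 1 ;;
    esac
    RC_ROOT="$RC_ROOT" /bin/sh -c \
        ". \"\$RC_ROOT/defaults.conf\"; $reload; printf '%s\n' \"\$firewall_type\""
}

load_rc_config_sim ipfw
echo "parent shell sees firewall_type=$firewall_type"                      # workstation
echo "unpatched child sees firewall_type=$(run_firewall_script unpatched)"  # UNKNOWN
echo "patched child sees firewall_type=$(run_firewall_script patched)"      # workstation
```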
batch change: For bugs that match the following - Status Is In progress AND - Untouched since 2018-01-01. AND - Affects Base System OR Documentation DO: Reset to open status. Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.

Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk).

Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>