Bug 148656 - rc.firewall(8): {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0
Summary: rc.firewall(8): {oip} and {iip} variables in rc.firewall script undefined in ...
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-16 00:10 UTC by John J. Donohue
Modified: 2018-01-03 05:12 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John J. Donohue 2010-07-16 00:10:01 UTC
under FreeBSD versions up to 7.0, the oif, onet, omask, oip, iif, inet,
imask, and iip variables were explicitly defined in the SIMPLE segment
of rc.firewall, as in;

	# set these to your outside interface network and netmask and ip
	oif="xl0"
	onet="192.168.224.0"
	omask="255.255.255.0"
	oip="192.168.224.4"

	# set these to your inside interface network and netmask and ip
	iif="xl1"
	inet="192.168.240.0"
	imask="255.255.255.0"
	iip="192.168.240.1"

under version 7.2 and 8.0, oif, onet, iif, and inet are defined in
rc.conf;

firewall_simple_oif="xl0"
firewall_simple_onet="192.168.224.0/24"
firewall_simple_iif="xl1"
firewall_simple_inet="192.168.240.0/24"

and then substituted in the SIMPLE segment of rc.firewall;

	# Configuration:
	#  firewall_simple_iif:		Inside network interface.
	#  firewall_simple_inet:	Inside network address.
	#  firewall_simple_oif:		Outside network interface.
	#  firewall_simple_onet:	Outside network address.
	############

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"

oip and iip are not defined, declared or extracted anywhere and substitute
as a value of '0' in script statements such as

  ${fwcmd} add pass tcp from 192.168.240.0/24 to ${iip} 22 via ${iif} setup

which upon an 'ipfw show' lists as

   allow tcp from 192.168.240.0/24 to 0.0.0.22 via xl1 setup
                                      ^^^^^^^^
instead of

   allow tcp from 192.168.240.0/24 to 192.168.240.1 dst-port 22 via xl1 setup
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
which was the original intent.

Fix: 

MY SOLUTION:

I added the following to /etc/rc.conf;

firewall_simple_oip="192.168.224.4"
firewall_simple_iip="192.168.240.1"

and the following to the SIMPLE segment of rc.firewall;

	# Configuration:
	#  firewall_simple_iif:		Inside network interface.
	#  firewall_simple_inet:	Inside network address.
-->	#  firewall_simple_iip:         Inside ip address.
	#  firewall_simple_oif:		Outside network interface.
	#  firewall_simple_onet:	Outside network address.
-->	#  firewall_simple_oip:         Outside ip address.
	############

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"
-->	oip="$firewall_simple_oip"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"
-->	iip="$firewall_simple_iip"
How-To-Repeat: run the default included /etc/rc.firewall script using /etc/rc.conf:firewall_type="SIMPLE" and using any active ipfw statements that include {oip} and/or {iip} variable references
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-07-16 17:21:32 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-rc

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:55 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped