Bug 167822 - [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw
Summary: [ipfw] [patch] start script doesn't load firewall_type if set in rc.conf.d/ipfw
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 8.2-RELEASE
Hardware: Any Any
Importance: Normal / Affects Only Me
Assignee: freebsd-ipfw mailing list
Reported: 2012-05-12 13:10 UTC by timon
Modified: 2018-05-28 19:50 UTC

Attachments
file.diff (284 bytes, patch)
2012-05-12 13:10 UTC, timon
/etc/rc.d/ipfw patch (416 bytes, patch)
2017-02-24 02:42 UTC, Jim Pirzyk
patch /etc/rc.firewall (682 bytes, patch)
2017-12-29 19:07 UTC, Freddy DISSAUX
Description timon 2012-05-12 13:10:12 UTC
If ipfw is configured in /etc/rc.conf.d/ipfw like this:
# cat /etc/rc.conf.d/ipfw
firewall_enable="YES"
firewall_type="workstation"

the firewall_type variable will still be set to UNKNOWN as in /etc/defaults/rc.conf; if set in /etc/rc.conf it is overridden correctly. The problem only arises if the startup command is "restart".

Fix: # diff -u /usr/src/etc/rc.d/ipfw /etc/rc.d/ipfw
How-To-Repeat: Set variables in /etc/rc.conf.d/ipfw:
firewall_enable="YES"
firewall_type="workstation"

Run # service ipfw restart
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2012-05-17 08:14:56 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Over to maintainer(s).
Comment 2 Jim Pirzyk freebsd_committer 2017-02-24 02:42:05 UTC
Created attachment 180254 [details]
/etc/rc.d/ipfw patch

This patch works on FreeBSD 10.3-RELEASE-p11, whereas I think the previously listed patch does not work. Not sure why they were patching the stop command itself and not the start command, where $firewall_type is used.
Comment 3 Freddy DISSAUX 2017-12-29 19:06:41 UTC
If ipfw is configured like this:

/etc/rc.conf.d/ipfw/_networks
    firewall_ipv4="172.16.200.0/24 172.17.200.0/24 172.16.10.0/24 172.17.10.0/24"
    firewall_ipv6="2a01:db8:cafe:f660::/64 2a01:db8:cafe:f666::/64"
/etc/rc.conf.d/ipfw/ipfw
    firewall_enable="YES"
    firewall_type="workstation"
    firewall_myservices="ssh/tcp"
    firewall_allowservices="$firewall_ipv4 $firewall_ipv6"
    firewall_coscripts="/etc/rc.conf.d/ipfw_local"
/etc/rc.conf.d/ipfw/log
    firewall_quiet="NO"
    firewall_logging="YES"
    firewall_logif="YES"
    firewall_logdeny="YES"

the firewall_type variable will still be set to UNKNOWN.

If I understand:

/etc/rc.d/ipfw start
    - source /etc/rc.subr
    - call load_rc_config ipfw (firewall_* are available)
    - $firewall_script is set to /etc/rc.firewall (default)
    - call /bin/sh /etc/rc.firewall

/etc/rc.firewall
    - test if source_rc_confs_defined (always false)
    - source /etc/rc.defaults/rc.conf => firewall_type set to 'UNKNOWN'
    - source rc.subr (but does not call load_rc_config !!!)
    - test firewall_type (UNKNOWN)

=> fail

With attached patch, ipfw is configured as expected:

$ sudo ipfw list | grep 22$
02500 allow tcp from 172.16.200.0/24 to me dst-port 22
02600 allow tcp from 172.17.200.0/24 to me dst-port 22
02700 allow tcp from 172.16.10.0/24 to me dst-port 22
02800 allow tcp from 172.17.10.0/24 to me dst-port 22
02900 allow tcp from 2a01:db8:cafe:f660::/64 to me dst-port 22
03000 allow tcp from 2a01:db8:cafe:f666::/64 to me dst-port 22

With pirzyk's patch I can force firewall_type (using my configuration):

$ sudo ipfw list | wc -l
40
$ sudo service ipfw stop
$ sudo service ipfw start open
$ sudo ipfw list | wc -l
12
$ sudo service ipfw stop
$ sudo service ipfw start
$ sudo ipfw list | wc -l
40
dsx@vaio>uname -a
FreeBSD vaio.bsdsx.fr 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
dsx@vaio>freebsd-version
11.1-RELEASE-p6
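As an added illustration (not one of the attached patches and not FreeBSD's real rc.subr), the following POSIX sh script models the two lookup paths Comment 3 describes under a temporary root: rc.firewall's own "defaults, then rc.conf" path versus a simplified load_rc_config that also reads rc.conf.d/<name> as a file or as a directory of fragments. The function names, the temp-root layout and the simplified load_rc_config are assumptions made for the example.

```shell
#!/bin/sh
# Constructed model of the two lookup paths described in Comment 3.
# NOT FreeBSD's rc.subr: a simplified stand-in built under a temp root,
# so it runs on any POSIX sh without touching the real /etc.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/defaults" "$ROOT/etc/rc.conf.d/ipfw"
printf 'firewall_type="UNKNOWN"\n' > "$ROOT/etc/defaults/rc.conf"
: > "$ROOT/etc/rc.conf"   # empty: firewall_type is NOT set in rc.conf
printf 'firewall_enable="YES"\nfirewall_type="workstation"\n' \
    > "$ROOT/etc/rc.conf.d/ipfw/ipfw"

# Path taken by /etc/rc.firewall on its own: defaults, then rc.conf only.
# rc.conf.d is never consulted, so the default value wins.
type_via_rc_firewall() {
    unset firewall_type
    . "$ROOT/etc/defaults/rc.conf"
    if [ -r "$ROOT/etc/rc.conf" ]; then . "$ROOT/etc/rc.conf"; fi
    echo "${firewall_type:-unset}"
}

# Path taken by the rc.d script via load_rc_config (simplified model):
# after defaults and rc.conf it also sources rc.conf.d/<name>, whether
# that is a single file (Comment 0) or a directory of fragments
# (Comment 3), in glob order.
type_via_load_rc_config() {
    _name=$1
    unset firewall_type
    . "$ROOT/etc/defaults/rc.conf"
    if [ -r "$ROOT/etc/rc.conf" ]; then . "$ROOT/etc/rc.conf"; fi
    if [ -f "$ROOT/etc/rc.conf.d/$_name" ]; then
        . "$ROOT/etc/rc.conf.d/$_name"
    elif [ -d "$ROOT/etc/rc.conf.d/$_name" ]; then
        for _rc in "$ROOT/etc/rc.conf.d/$_name"/*; do
            if [ -f "$_rc" ]; then . "$_rc"; fi
        done
    fi
    echo "${firewall_type:-unset}"
}

echo "rc.firewall alone sees:   $(type_via_rc_firewall)"         # UNKNOWN
echo "load_rc_config ipfw sees: $(type_via_load_rc_config ipfw)" # workstation
```

The gap between the two results is the failure mode of this bug: the rc.d script sees "workstation", but the ruleset script it hands off to sees "UNKNOWN" and loads no rules.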
Comment 4 Freddy DISSAUX 2017-12-29 19:07:40 UTC
Created attachment 189205 [details]
patch /etc/rc.firewall
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:50:17 UTC
batch change:

For bugs that match the following
- Status Is In progress
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.