If ipfw configured in /etc/rc.conf.d/ipfw like this: # cat /etc/rc.conf.d/ipfw firewall_enable="YES" firewall_type="workstation" the firewall_type variable will still be set to UNKNOWN as in /etc/defaults/rc.conf, if set in /etc/rc.conf it overriden correctly. The problem only arises if startup command is "restart". Fix: # diff -u /usr/src/etc/rc.d/ipfw /etc/rc.d/ipfw How-To-Repeat: Set variables in /etc/rc.conf.d/ipfw: firewall_enable="YES" firewall_type="workstation" Run # service ipfw restart
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw Over to maintainer(s).
Created attachment 180254 [details] /etc/rc.d/ipfw patch This patch works on FreeBSD 10.3-RELEASE-p11 whereas I think the previous listed patch does not work. Not sure why they were patching the stop command itself and not the start command where $firewall_type is used.
If ipfw is configured like this: /etc/rc.conf.d/ipfw/_networks 1 firewall_ipv4="172.16.200.0/24 172.17.200.0/24 172.16.10.0/24 172.17.10.0/24" 2 firewall_ipv6="2a01:db8:cafe:f660::/64 2a01:db8:cafe:f666::/64" /etc/rc.conf.d/ipfw/ipfw 1 firewall_enable="YES" 2 firewall_type="workstation" 3 firewall_myservices="ssh/tcp" 4 firewall_allowservices="$firewall_ipv4 $firewall_ipv6" 5 firewall_coscripts="/etc/rc.conf.d/ipfw_local" /etc/rc.conf.d/ipfw/log 1 firewall_quiet="NO" 2 firewall_logging="YES" 3 firewall_logif="YES" 4 firewall_logdeny="YES" the firewall_type variable will still be set to UNKNOWN If i understand: /etc/rc.d/ipfw start - source /etc/rc.subr - call load_rc_config ipfw (firewall_* are available) - $firewall_script is set to /etc/rc.firewall (default) - call /bin/sh /etc/rc.firewall /etc/rc.firewall - test if source_rc_confs_defined (always false) - source /etc/rc.defaults/rc.conf => firewall_type set to 'UNKNOWN' - source rc.subr (but not call load_rc_config !!!) - test firewall_type (UNKNOWN) => fail With attached patch, ipfw is configured as expected: $ sudo ipfw list | grep 22$ 02500 allow tcp from 172.16.200.0/24 to me dst-port 22 02600 allow tcp from 172.17.200.0/24 to me dst-port 22 02700 allow tcp from 172.16.10.0/24 to me dst-port 22 02800 allow tcp from 172.17.10.0/24 to me dst-port 22 02900 allow tcp from 2a01:db8:cafe:f660::/64 to me dst-port 22 03000 allow tcp from 2a01:db8:cafe:f666::/64 to me dst-port 22 With pirzyk'patch i can force firewall_type (using my configuration): $ sudo ipfw list | wc -l 40 $ sudo service ipfw stop $ sudo service ipfw start open $ sudo ipfw list | wc -l 12 $ sudo service ipfw stop $ sudo service ipfw start $ sudo ipfw list | wc -l 40 dsx@vaio>uname -a FreeBSD vaio.bsdsx.fr 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 dsx@vaio>freebsd-version 11.1-RELEASE-p6
Created attachment 189205 [details] patch /etc/rc.firewall
batch change: For bugs that match the following - Status Is In progress AND - Untouched since 2018-01-01. AND - Affects Base System OR Documentation DO: Reset to open status. Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>