Created attachment 207582: Patch (Revision 1)
Created attachment 207583: Patch (Revision 2). Do the diff from the base /usr/src, not /usr/src/sbin/ipfw.
Created attachment 207584: Patch (Revision 3). This also covers add_dat.
https://reviews.freebsd.org/D21812
Already committed as of r358858.
This patch has been applied to CURRENT as r358858. It breaks any rc script on CURRENT > r358858 running IPFW with "from any to ..." or "from me to ...":

[...]
(dual stack, IPv6 and IPv4 in use)

/etc/rc.conf:
[...]
firewall_type="WORKSTATION"
firewall_myservices="22/tcp"
firewall_allowservices=""
OR
firewall_allowservices="any"
[...]

results in bricked systems:

[...]
service ipfw restart
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw: bad source address any
ipfw: bad source address any
00000 check-state :default
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
ipfw: bad destination address any
01000 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw: bad source address any
ipfw: bad source address any
01100 allow udp from fe80::/10 to me 546 in
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
ipfw: bad source address any
[...]

I think since this is mostly standard rc.conf stuff, the problem can easily be reproduced.
Reopening, some people have issues with my patch.
This patch works for me:

root@tiny:/home/neel # ipfw add 2000 deny all from me to any 22
02000 deny ip from me to any 22
root@tiny:/home/neel # telnet neelc.org 22
Trying 66.42.69.219...
telnet: connect to address 66.42.69.219: Permission denied
Trying 2001:19f0:8001:fed:5400:2ff:fe73:c622...
telnet: connect to address 2001:19f0:8001:fed:5400:2ff:fe73:c622: No route to host
telnet: Unable to connect to remote host
root@tiny:/home/neel # ipfw del 2000
ipfw: DEPRECATED: 'del' matched 'delete' as a sub-string
root@tiny:/home/neel # telnet neelc.org 22
Trying 66.42.69.219...
Connected to neelc.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
^]
telnet> quit
Connection closed.
root@tiny:/home/neel #

Can you give me an example of your ipfw script?
Oh, I forgot to recompile IPFW, I see what the issue is.
Created attachment 212336: Patch to fix the IPFW "any" identifier. Try this patch, this should fix the "any" identifier.
Phabricator URL: https://reviews.freebsd.org/D24025