conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Sean McNeil
sean at mcneil.com
Tue Jun 19 00:30:12 UTC 2007
The following reply was made to PR conf/78762; it has been noted by GNATS.
From: Sean McNeil <sean at mcneil.com>
To: bug-followup at FreeBSD.org, jonw at whoweb.com
Cc:
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Date: Mon, 18 Jun 2007 17:05:45 -0700

This is a bad idea and has broken the new feature of rcNG allowing us to
place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw. The
commit to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw 1.9
have now broken this basic concept.

IMHO, the correct thing is: Don't use exit in your firewall script. I
offer 3 solutions, however, below.

What has been broken:

/etc/rc.conf.d/ipfw

    firewall_enable="YES"
    firewall_type="/etc/fw/rc.firewall.rules"

/etc/rc.conf.d/ip6fw

    ipv6_firewall_enable="YES"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

Now, this no longer works and I must once again pollute and move more
stuff back into /etc/rc.conf. Namely,

    firewall_type="/etc/fw/rc.firewall.rules"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

must now be in /etc/rc.conf or /etc/rc.conf.local.

Solution:

1) revert to sourcing the rc.firewall script.
2) Fix rc.firewall and rc.firewall6 to somehow get stuff
   from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
3) completely remove rc.conf.d support as more things fail to work with
   it.
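
Added illustration, not part of the message above and not the FreeBSD rc scripts: a self-contained sh demo of the two shell behaviours behind the sourcing-versus-executing trade-off, namely that an unexported setting is visible to a sourced script but not to an executed one, and that exit in a sourced script ends the caller. The temporary files and function names are constructed stand-ins for /etc/rc.conf.d/ipfw and $firewall_script.

```shell
#!/bin/sh
# Constructed demo files; they stand in for /etc/rc.conf.d/ipfw and
# $firewall_script. Nothing under /etc is read or modified.
demo_setup() {
    unset firewall_type
    DEMO_DIR=$(mktemp -d) || return 1
    printf '%s\n' 'firewall_type="/etc/fw/rc.firewall.rules"' > "$DEMO_DIR/ipfw.conf"
    printf '%s\n' 'echo "type=${firewall_type:-UNSET}"' > "$DEMO_DIR/fw_script.sh"
    printf '%s\n' 'echo "rules loaded"' 'exit 0' > "$DEMO_DIR/fw_exit.sh"
}

# Sourced: the script runs in the caller's shell and sees its variables.
run_sourced() {
    ( . "$DEMO_DIR/ipfw.conf"; . "$DEMO_DIR/fw_script.sh" )
}

# Executed: a child shell inherits only exported variables, so the
# unexported setting read from the fragment is missing there.
run_executed() {
    ( . "$DEMO_DIR/ipfw.conf"; /bin/sh "$DEMO_DIR/fw_script.sh" )
}

# exit in a sourced script ends the calling shell; later steps never run.
exit_when_sourced() {
    ( . "$DEMO_DIR/fw_exit.sh"; echo "post-start steps ran" )
}

# exit in an executed script ends only the child process.
exit_when_executed() {
    ( /bin/sh "$DEMO_DIR/fw_exit.sh"; echo "post-start steps ran" )
}

demo_setup
echo "sourced:  $(run_sourced)"
echo "executed: $(run_executed)"
echo "--- exit, sourced ---";  exit_when_sourced
echo "--- exit, executed ---"; exit_when_executed
rm -rf "$DEMO_DIR"
```
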