7.0-B2 & IPFW/IP6FW interaction
Robert Huff
roberthuff at rcn.com
Sat Nov 10 12:10:06 PST 2007
Bob Johnson writes:
> On my test system, the IPv6 ruleset is loaded first, and then
> when the IPv4 ruleset is loaded, the flush command in rc.firewall
> removes all of the IPv6 rules, so I end up with default deny for
> IPv6, plus all of my normal IPv4 rules. It's possible that this
> interaction explains the other oddities I thought I've seen but
> haven't reliably reproduced.
>
> I fixed it by removing the flush commands from both rc.firewall
> and rc.firewall6, but I expect this broke the proper operation of
> "/etc/rc.d/ipfw restart" (although I haven't actually tested
> that. I just manually flush the rules if I need to restart the
> firewall).
There are a number of good reasons to Not Do That, which others
can explain better than I.
Instead let me suggest you make a copy of those scripts, then
ponder this part of my rc.conf:
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_script="/etc/ipfw.master" # Use this instead of /etc/rc.firewall
ipv6_firewall_enable="YES" # Set to YES to enable IPv6 firewall
ipv6_firewall_type="UNKNOWN" # see /etc/rc.firewall6
ipv6_firewall_script="/etc/ipfw.v6.set" # Which script to run to
# set up the IPv6 firewall
ipv6_firewall_flags="" # see /etc/rc.firewall6
Robert Huff
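To illustrate the approach suggested above in a form that survives "/etc/rc.d/ipfw restart", here is an added example of a combined firewall_script (not Robert's or Bob's actual script, and not FreeBSD's rc.firewall): one /bin/sh file that flushes the ruleset exactly once and then loads IPv4 and IPv6 rules together, so neither family's rules are wiped by the other's flush. It assumes rc.conf points firewall_script at it and either leaves ipv6_firewall_enable="NO" or points ipv6_firewall_script at a script that does not flush; the interface em0 and the networks 192.0.2.0/24 and 2001:db8::/64 are placeholders. When ipfw is not present, or DRYRUN is set, it prints the commands instead of running them.

```shell
#!/bin/sh
# Combined IPv4 + IPv6 ipfw ruleset, intended as firewall_script in rc.conf.
# Added example, not part of the mailing-list thread or of FreeBSD's rc.firewall.
# Assumptions (placeholders): outside interface em0, LAN prefixes 192.0.2.0/24
# and 2001:db8::/64. Override them from the environment if needed.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-em0}"
lan4="${lan4:-192.0.2.0/24}"
lan6="${lan6:-2001:db8::/64}"

# Emit the ruleset as ipfw argument lines, one rule per line.
# There is exactly one flush, at the top, before either family's rules,
# so a reload never removes the other family's rules afterwards.
fw_rules() {
    echo "-f flush"
    # Loopback: "ip" matches both IPv4 and IPv6 packets.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny ip from any to 127.0.0.0/8"
    echo "add 120 deny ip6 from any to ::1"
    # IPv6 depends on ICMPv6 (neighbor discovery); a blanket deny breaks it.
    echo "add 200 allow ipv6-icmp from any to any"
    # Established TCP in both families.
    echo "add 300 allow tcp from any to any established"
    # Outbound traffic from each LAN prefix.
    echo "add 400 allow ip4 from ${lan4} to any out via ${oif}"
    echo "add 410 allow ip6 from ${lan6} to any out via ${oif}"
    # Final default deny, logged, for both families.
    echo "add 65000 deny log ip from any to any"
}

# Apply the ruleset. With DRYRUN set, or when ipfw is not installed
# (e.g. when testing this file on a non-FreeBSD host), print the commands.
fw_apply() {
    if [ -n "${DRYRUN:-}" ] || [ ! -x "$fwcmd" ]; then
        fw_rules | sed "s|^|${fwcmd} -q |"
        return 0
    fi
    fw_rules | while read -r line; do
        # Word splitting of $line is intended: each line is one ipfw command.
        # shellcheck disable=SC2086
        $fwcmd -q $line
    done
}

fw_apply
```

Because rc.d/ipfw flushes on stop and then runs firewall_script on start, a single script that owns both families is compatible with a plain restart; the ipfw rule syntax used (ip, ip4, ip6, ipv6-icmp) is documented in ipfw(8).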