Date:      Thu, 13 Dec 2007 06:00:09 -0500
From:      Gary Palmer <gpalmer@freebsd.org>
To:        "W. D." <WD@US-Webmasters.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW compiled in kernel:  Where is it reading the config?
Message-ID:  <20071213110009.GB986@in-addr.com>
In-Reply-To: <20071213081155.ABBC813C4D5@mx1.freebsd.org>
References:  <20071213081155.ABBC813C4D5@mx1.freebsd.org>

On Thu, Dec 13, 2007 at 01:44:46AM -0600, W. D. wrote:
> Hi peeps,
> 
> After compiling ipfw into the new 6.2 kernel, and typing "ipfw list",
> all I get is:
> 
>   "65535 deny ip from any to any"
> 
> From reading the docs, this might indicate that this is the
> default rule.  (I am certainly protected this way--but can't
> be very productive ;^)  )
> 
> By the way, when I run "man ipfw" I get nothing.  Using this 
> instead: http://www.hmug.org/man/8/ipfw.php  How to install 
> the man pages?
> 
> How do I tell where ipfw is reading its config from?  Is
> there a default config file?
> 
> The config file location that I specify in rc.conf doesn't 
> appear to be being used:
> 
>    firewall_script="/usr/local/etc/ipfw.rules"

You require

firewall_enable="YES"

in /etc/rc.conf for the rules to be looked at

Also, firewall_script may be the wrong configuration parameter to use.  
firewall_script is expected to be a shell script to configure the 
firewall.  If you just want a file of rules, set firewall_type instead.
e.g.

firewall_type="/etc/rc.firewall.rules"
firewall_enable="YES"

and then put your rules one line at a time into the specified file.  i.e.

add allow ip from any to any via lo0
(etc)

ipfw is a kernel module.  It will not show up in "ps aux".  If
"ipfw list" does not come back with an error message, then it
is likely running.  You can check for the ipfw module using

kldstat

(assuming you did not compile ipfw into a custom kernel)

To check the syntax of a list of rules (note: not a shell script) then
you can use

ipfw -n /path/to/rules/file

From the man page

     -n      Only check syntax of the command strings, without actually pass-
             ing them to the kernel.

Regards,

Gary


> 
> What is the proper name for the ipfw ruleset file?  Some
> on the Web say that it is "ipfw.rules".  Other say
> it is "rc.firewall"
> 
> What is the proper location for the ruleset file?  I see 
> all of the following:
> 
>    /etc/ipfw.rules
>    /usr/local/etc/ipfw.rules
> 
>    /etc/rc.firewall
>    /usr/local/etc/psa/modules/firewall/rc.firewall
> 
> Are line numbers required?  I see some examples that use line 
> numbers and some do not.
> 
> Is there a program to easily "syntax check" a config/ruleset 
> file?
> 
> How do I tell if ipfw is running?  "ps aux | grep ipfw"
> doesn't show anything.
> 
> I would really appreciate very much some help with this.  Many
> thanks if you can help.
> 
> Start Here to Find It Fast!? -> http://www.US-Webmasters.com/best-start-page/
> $8.77 Domain Names -> http://domains.us-webmasters.com/
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071213110009.GB986>
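The rc.conf settings and bare rules file that Gary describes, written out as an added example; this is not code from the thread, and the interface name em0, the file path and the service ports in it are assumptions. The ipfw rc script hands a pathname given in firewall_type straight to ipfw(8), which reads one rule per line with `#` comments, so the file must contain rule text ("add ...") and not "ipfw add ..." shell commands. `lint_rules_file` is a local approximation of that distinction so the file can be checked on a host without ipfw; the real syntax check is still `ipfw -n /path` on the FreeBSD box, and the runtime checks at the end are left as comments because they only mean something there.

```sh
#!/bin/sh
# Constructed example, not from the original thread. Assumptions:
#   - outside interface is em0, sshd on tcp/22
#   - rules file lives at /etc/rc.firewall.rules (any readable path works)

# Write a bare ipfw rules file: one rule per line, no "ipfw" prefix.
# Rule numbers are optional; without them ipfw numbers rules itself.
# $1 = destination path, $2 = outside interface name
write_rules_file() {
    cat > "$1" <<EOF
# constructed ruleset; adjust interface and ports before use
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from me to any out via $2 setup keep-state
add 600 allow udp from me to any out via $2 keep-state
add 700 allow icmp from any to any icmptypes 0,3,8,11
add 800 allow tcp from any to me 22 in via $2 setup keep-state
add 900 deny log ip from any to any
EOF
}

# Lines to add to /etc/rc.conf. firewall_type names a rules file;
# firewall_script would instead name a shell script that calls ipfw.
# $1 = path of the rules file
rcconf_fragment() {
    printf 'firewall_enable="YES"\nfirewall_type="%s"\n' "$1"
}

# Offline approximation of "ipfw -n file": every non-blank, non-comment
# line must begin with an ipfw sub-command. A line starting with "ipfw"
# means the file is really a script and belongs in firewall_script.
# Exit status 0 = all lines look like rules, 1 = at least one does not.
lint_rules_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(add|flush|nat|pipe|queue|table|set|delete|zero|resetlog)$/ { next }
        { bad++; print "line " NR ": not a rule: " $0 > "/dev/stderr" }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Real syntax check where ipfw(8) exists (FreeBSD); offline lint elsewhere.
syntax_check() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -n "$1"
    else
        echo "ipfw not present; running offline lint only" >&2
        lint_rules_file "$1"
    fi
}

# Runtime checks on the FreeBSD host (not executed here):
#   kldstat -m ipfw              module loaded (absent if compiled into kernel)
#   sysctl net.inet.ip.fw.enable 1 means the firewall is enabled
#   ipfw list                    only "65535 deny ip from any to any" means
#                                no rules were loaded: check firewall_enable

# Usage: sh ipfw-rules.sh /etc/rc.firewall.rules em0
if [ "$#" -ge 1 ]; then
    write_rules_file "$1" "${2:-em0}"
    syntax_check "$1" && rcconf_fragment "$1"
fi
```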