Date: Sun, 21 Sep 2014 14:58:12 +0900 (JST)
Message-Id: <20140921.145812.325633000583440554.hrs@allbsd.org>
To: ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions
Subject: net.inet{,6}.fw.enable in /etc/rc
From: Hiroki Sato

Hi,

I would like your comments about the attached patch to /etc/rc. The problem I want to fix by this patch is as follows.

net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW kernel module is loaded or statically compiled into a kernel. And by default IPFW has only a "deny ip from any to any" rule if it is compiled without the IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case, the default-deny rule can prevent rc.d scripts before rc.d/ipfw from working, as described in the patch. To fix this, the patch turns IPFW off before running rc.d scripts at boot time, and enables it again in the rc.d/ipfw script.
I think most users use the GENERIC kernel + ipfw kernel module. In that case, IPFW is not activated before the rc.d/ipfw script regardless of this patch, so there is no user-visible change. This patch affects only a combination of a kernel with IPFW compiled in and rc.d scripts running before rc.d/ipfw. The behavior will be almost the same as that of the GENERIC kernel + ipfw kernel module. Please let me know if I am missing something.

-- Hiroki

Attachment: rc_ipfw.20140921-1.diff

Index: etc/rc =================================================================== --- etc/rc (revision 271853) +++ etc/rc (working copy) @@ -87,6 +87,17 @@ fi fi +# Clear *.fw.enable sysctls. At boot time, some of network initialization +# before rc.d/ipfw script requires network communications (e.g. DHCP and +# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny" +# policy was applied---this can happen when IPFW is complied into the kernel +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those +# comminucations are blocked. To prevent this, set *.fw.enable=0 before +# calling rc.d scripts. The rc.d/ipfw script set this to 1 after +# configuration. +/sbin/sysctl -q net.inet.ip.fw.enable=0 +/sbin/sysctl -q net.inet6.ip6.fw.enable=0 + # If the firstboot sentinel doesn't exist, we want to skip firstboot scripts. if ! [ -e ${firstboot_sentinel} ]; then skip_firstboot="-s firstboot"
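Review bot: the two sysctl lines disable the firewall unconditionally on every boot, but according to the comment only rc.d/ipfw turns it back on, so a kernel built with IPFW and a default-deny policy on a host where rc.d/ipfw is not enabled would now run with the firewall permanently off instead of fail-closed as before; consider guarding the sysctls on rc.d/ipfw actually being enabled, or at least stating in the comment that the window between these lines and rc.d/ipfw is intentionally unfiltered and that rc.d/ipfw is the only place that restores *.fw.enable=1. The comment also has typos and a broken clause: "complied" should be "compiled", "comminucations" should be "communications", "The rc.d/ipfw script set this to 1" should be "sets this to 1", and the parenthetical opened by "---this can happen when ..." never closes before "those comminucations are blocked".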
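To see whether a given host is in the situation Hiroki describes (IPFW enabled while its only rule is the default-deny rule 65535, so rc.d scripts before rc.d/ipfw lose network access), here is an added shell check that is not part of the patch or of FreeBSD. It parses the output of sysctl -n net.inet.ip.fw.enable and ipfw list; the function names are this example's own and the sample outputs are constructed so it runs offline, with a --live switch for a real FreeBSD host.

```shell
#!/bin/sh
# Added example, not part of Hiroki's patch or of FreeBSD: report whether a
# host is exposed to the early-boot blocking described in the mail, i.e.
# IPFW is enabled while its only rule is the default-deny rule 65535.
# Function names are this example's own. Sample outputs are constructed.

# Print "deny", "allow" or "unknown" from the text of "ipfw list", judging by
# the catch-all rule 65535 (deny unless IPFIREWALL_DEFAULT_TO_ACCEPT was set).
ipfw_default_policy() {
    printf '%s\n' "$1" | awk '
        $1 == "65535" { p = ($2 == "deny") ? "deny" : "allow"; print p; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print "yes" when fw.enable is 1 and the default policy is deny: traffic of
# rc.d scripts that run before rc.d/ipfw (DHCP, IPv6 DAD) would be dropped.
# $1 = value of net.inet.ip.fw.enable (or net.inet6.ip6.fw.enable),
# $2 = text of "ipfw list".
early_boot_blocked() {
    if [ "$1" = "1" ] && [ "$(ipfw_default_policy "$2")" = "deny" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed: kernel with IPFW compiled in, no IPFIREWALL_DEFAULT_TO_ACCEPT,
# before rc.d/ipfw has loaded any rules.
SAMPLE_DENY='65535 deny ip from any to any'
# Constructed: the same kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT.
SAMPLE_ALLOW='65535 allow ip from any to any'

if [ "${1:-}" = "--live" ]; then
    # On a FreeBSD host: query the real sysctl and rule list.
    early_boot_blocked "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)"
else
    early_boot_blocked 1 "$SAMPLE_DENY"   # yes: the situation the patch fixes
    early_boot_blocked 1 "$SAMPLE_ALLOW"  # no
    early_boot_blocked 0 "$SAMPLE_DENY"   # no: what the patch yields at boot
fi
```

The same check applies to net.inet6.ip6.fw.enable for the IPv6 path (IPv6 DAD), which is why the patch clears both sysctls.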