From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 22 18:03:19 2014
Message-ID: <542063F3.8080600@yandex.ru>
Date: Mon, 22 Sep 2014 22:01:23 +0400
From: "Andrey V. Elsukov"
To: Hiroki Sato, ipfw@FreeBSD.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
References: <20140921.145812.325633000583440554.hrs@allbsd.org>
In-Reply-To: <20140921.145812.325633000583440554.hrs@allbsd.org>
List-Id: IPFW Technical Discussions

On 21.09.2014 09:58, Hiroki Sato wrote:
> Hi,
>
> I would like your comments about the attached patch to /etc/rc.
>
> The problem I want to fix with this patch is as follows.
> net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW
> kernel module is loaded or statically compiled into the kernel. And by
> default IPFW has only a "deny ip from any to any" rule if it is
> compiled without the IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
> the default-deny rule can prevent rc.d scripts that run before rc.d/ipfw
> from working, as described in the patch.
>
> To fix this, the patch turns IPFW off before running rc.d scripts at
> boot time, and enables it again in the rc.d/ipfw script.

Hi,

I think this should be configurable; the change can be unexpected for someone.

-- 
WBR, Andrey V. Elsukov
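The boot-time condition described in the quoted message (firewall enabled while only the default-deny rule is loaded) can be checked from a shell. This is an added example, not part of the thread or of the patch under discussion; it assumes the sysctl name net.inet.ip.fw.enable (the IPv4 half of net.inet{,6}.fw.enable) and that ipfw's default rule is number 65535 as printed by `ipfw list`.

```shell
#!/bin/sh
# Added example (not from the thread): classify the ipfw state that can block
# early rc.d scripts. The sysctl value and the `ipfw list` output are passed as
# arguments so the logic can be exercised offline on constructed input.
# Assumption: rule 65535 is the default rule and reads "deny ip from any to any"
# on kernels built without IPFIREWALL_DEFAULT_TO_ACCEPT, "allow ..." otherwise.

# Print "deny", "accept" or "unknown" from the default rule in a ruleset text.
ipfw_default_policy() {
    rules="$1"
    action=$(printf '%s\n' "$rules" | awk '$1 == "65535" { print $2 }')
    case "$action" in
        allow|accept|pass|permit) echo accept ;;
        deny|drop)                echo deny ;;
        *)                        echo unknown ;;
    esac
}

# Succeed (exit 0) when the firewall would block scripts that run before
# rc.d/ipfw: enabled (sysctl = 1) and nothing loaded but the default-deny rule.
ipfw_blocks_early_boot() {
    enable="$1"
    rules="$2"
    [ "$enable" = "1" ] || return 1
    [ "$(ipfw_default_policy "$rules")" = "deny" ] || return 1
    nrules=$(printf '%s\n' "$rules" | awk '/^[0-9]/ { n++ } END { print n+0 }')
    [ "$nrules" -le 1 ]
}

# Live check on a FreeBSD host (root needed for `ipfw list`):
# ipfw_blocks_early_boot "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)" \
#     && echo "default-deny firewall is active before rc.d/ipfw"
```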