Date: Sat, 13 Sep 2008 15:02:33 GMT
From: Chuck Rock <carock@epconline.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: docs/127359: Undocumented firewall_xxx options for rc.conf in stable branch
Message-ID: <200809131502.m8DF2Xvp056654@www.freebsd.org>
Resent-Message-ID: <200809131510.m8DFA1ik036069@freefall.freebsd.org>
>Number:         127359
>Category:       docs
>Synopsis:       Undocumented firewall_xxx options for rc.conf in stable branch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 13 15:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Chuck Rock
>Release:        7.0-RELEASE-p4
>Organization:
EPC, Inc.
>Environment:
FreeBSD boss4.epconline.net 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Tue Sep 2 19:32:35 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
There's no information in man ipfw or man rc.conf about these options found in /etc/defaults/rc.conf for the firewall.

    firewall_myservices=""        # List of TCP ports on which this host
    firewall_allowservices=""     # List of IPs which has access to
                                  # $firewall_myservices
    firewall_trusted=""           # List of IPs which has full access to this host
    firewall_logdeny="NO"         # Set to YES to log default denied incoming
    firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports

An explanation was provided to me for some of them by Giorgos Keramidas on the comp.unix.bsd.freebsd.misc news group. He asked that I submit a PR so he can work on it. Some of the options are explained by him as follows.

The lists are space- or TAB-separated. These rc.conf options are only used in for-loops of shell code in the `/etc/rc.firewall' script. You can delimit entries with space or TAB characters. If you carefully quote the list of values, you can even use multiple lines like:

    firewall_trusted="192.168.1.1/32
                      192.168.1.3
                      192.168.1.254"

The firewall_allowservices and firewall_myservices work closely together:

  * The first one is a simple (space separated) list of hosts that connections may originate from.

  * The second is a simple (space separated) list of local services that will be open for all hosts in ${firewall_allowservices}.

One rule is added to the final firewall ruleset for every combination of `firewall_allowservices' and `firewall_myservices', so if you use in your `rc.conf' file something like:

    firewall_allowservices="192.168.1.1 192.168.1.2"
    firewall_myservices="ssh smtp"

Then your final firewall will contain the rules:

    add pass tcp from 192.168.1.1 to me ssh
    add pass tcp from 192.168.1.2 to me ssh
    add pass tcp from 192.168.1.1 to me smtp
    add pass tcp from 192.168.1.2 to me smtp

If you are planning to use these options, it's worth considering at least the following details too:

  * Only TCP services are enabled by these rules. If you have a UDP service, you will have to either (a) edit your `rc.firewall' script, or (b) roll your own ruleset.

  * The `firewall_allowservices' and `firewall_myservices' options are *only* valid if you are using the pre-configured `workstation' type for your firewall ruleset. If you are using any other set of firewall rules, the current `rc.firewall' script will completely ignore any `rc.conf' value configured for `firewall_allowservices' and `firewall_myservices'!

>How-To-Repeat:
grep firewall /etc/defaults/rc.conf

'man rc.conf' and search for any of the options listed above in description will show no results. Same for 'man ipfw'.
>Fix:
Giorgos Keramidas in the news group said:

This is a bug. The firewall_xxx options seem very under-documented. The bug is even more important because the code has already found its way to a STABLE branch, but the documentation bits are still missing. Please take a moment to open a problem report and send me the number, or let me know that you don't have the time to do that just now, so I can open one myself. Then I can work a bit to refine the explanation I wrote above, and commit it to the rc.conf manpage.
>Release-Note:
>Audit-Trail:
>Unformatted:
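As an added illustration that is not part of the PR and not FreeBSD's own `/etc/rc.firewall' code, the POSIX sh below reproduces the expansion described in the message: whitespace-split (including multi-line quoted) host and service lists are combined into one `add pass tcp ... to me ...' rule per pair. The loop nesting is assumed to match the order of the four rules listed in the PR; the real script's order may differ, and the example deliberately emits only TCP rules, mirroring the caveat above.

```shell
#!/bin/sh
# Constructed example: mimic the cross-product that the "workstation"
# ruleset in /etc/rc.firewall builds from two rc.conf lists.
# Only the TCP "add pass" rules are modelled; UDP services are NOT
# covered, exactly as the PR warns.

# Sample rc.conf values (constructed). The first list is split across
# lines on purpose to show that quoted newlines act as separators too.
firewall_allowservices="192.168.1.1
192.168.1.2"
firewall_myservices="ssh smtp"

# Print one "add pass tcp from <host> to me <service>" line per pair.
# Outer loop over services, inner over hosts: assumed to match the
# rule order shown in the PR, not taken from rc.firewall itself.
gen_service_rules() {
    _hosts=$1
    _svcs=$2
    for _svc in $_svcs; do
        for _host in $_hosts; do
            printf 'add pass tcp from %s to me %s\n' "$_host" "$_svc"
        done
    done
}

# Number of rules a pair of lists yields: |hosts| x |services|.
# Useful as a sanity check before enabling the ruleset.
count_service_rules() {
    gen_service_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the generated ruleset and its size.
gen_service_rules "$firewall_allowservices" "$firewall_myservices"
printf 'total rules: %s\n' \
    "$(count_service_rules "$firewall_allowservices" "$firewall_myservices")"
```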