Date:      Wed, 04 May 2011 10:40:12 +0900
From:      KIRIYAMA Kazuhiko <kiri@pis.elm.toba-cmt.ac.jp>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        KIRIYAMA Kazuhiko <kiri@pis.elm.toba-cmt.ac.jp>, freebsd-stable@freebsd.org
Subject:   Re: /etc/rc.d/ipfw can't deal with firewall_type?
Message-ID:  <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>
In-Reply-To: <20110504030404.O85801@sola.nimnet.asn.au>
References:  <BANLkTik8cAOt1iAP1tOu0EVrRL07uHA8Ng@mail.gmail.com> <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp> <20110504030404.O85801@sola.nimnet.asn.au>

At Wed, 4 May 2011 03:47:02 +1000 (EST),
Ian Smith wrote:
> 
> On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
>  > Hi all,
>  > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
>  > all packets could not get over the nat box. I've researched and found
>  > /etc/rc.firewall does not receive the argument of firewall_type. So ipfw does
>  > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw is
>  > incorrect. I think the patch below should be applied to /etc/rc.d/ipfw. Is
>  > there any problem to do this?
> 
> Yes.  Assuming using the default firewall_script="/etc/rc.firewall", 
> then as it says early in /etc/rc.firewall, you just needed to:
> 
> 	# Define the firewall type in /etc/rc.conf.  Valid values are:
> 	[..]
> 
> Sure, /etc/rc.firewall can set firewall_type to a parameter if you pass 
> it one, but otherwise uses whatever $firewall_type is set to when you 
> start ipfw.  I guess the code below allows you to use syntax like:
> 
>  # /etc/rc.d/ipfw start client

I missed that it was intended to be used on the command line, but usually the
/etc/rc.d/* scripts are used at startup by rc. If /etc/rc.d/ipfw must take 2
arguments, firewall_type is always undefined at startup even though it is
specified in /etc/rc.conf. That is a very serious problem, isn't it?

> to override the $firewall_type set in /etc/rc.conf, but it's not the 
> common usage, nor is it how ipfw is started normally by rc.
> 
> So just set firewall_type in rc.conf and you should be fine .. unless 
> you meant that you're trying to run ipfw & natd INSIDE a jail?

The network being configured is as follows:
                                           xxxx.xxxx.xxxx.xxxx/27
-------------------------+----------------------------------------
                         |53
  +----------------------+---------------------------------------+
  |                    bge0                     jailed natd box  |
  |                t2.st.foo                     (ipfw `OPEN')   |
  |        +--------+--------+--------+--------+--------+--------+
  |firewall|   ns   |  ldap  |diskless|  mail  |  web   |  ftp   |
  |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |
  +----+---+----+---+----+---+----+---+----+---+----+---+----+---+
    254|       1|       2|       3|       4|       5|       6|
-------+--------+--------+--------+--------+--------+--------+----
                                                   192.168.2.0/24
> cheers, Ian
> 
>  > --- /etc/rc.d/ipfw.org	2011-05-03 18:19:28.000000000 +0900
>  > +++ /etc/rc.d/ipfw	2011-05-03 22:08:14.000000000 +0900
>  > @@ -35,15 +35,11 @@
>  >  
>  >  ipfw_start()
>  >  {
>  > -	local   _firewall_type
>  > -
>  > -	_firewall_type=$1
>  > -
>  >  	# set the firewall rules script if none was specified
>  >  	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
>  >  
>  >  	if [ -r "${firewall_script}" ]; then
>  > -		/bin/sh "${firewall_script}" "${_firewall_type}"
>  > +		/bin/sh "${firewall_script}" "${firewall_type}"
>  >  		echo 'Firewall rules loaded.'
>  >  	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
>  >  		echo 'Warning: kernel has firewall functionality, but' \
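Review bot: removing `_firewall_type=$1` and passing `"${firewall_type}"` directly in the `/bin/sh "${firewall_script}"` call drops the ability to pass a type on the command line (`/etc/rc.d/ipfw start client`, as mentioned upthread) without fixing the reported symptom: when no argument is given, the original code already hands the firewall script an empty string, and per the earlier reply /etc/rc.firewall then falls back to whatever `$firewall_type` is set to, so a firewall_type set in /etc/rc.conf reaches the script either way. Suggest leaving this hunk out and first confirming that `firewall_type` is actually set in /etc/rc.conf on the natd box.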

For the case of command-line usage, the above patch should be modified as
follows:

--- /etc/rc.d/ipfw.org	2011-05-03 18:19:28.000000000 +0900
+++ /etc/rc.d/ipfw	2011-05-04 09:31:09.000000000 +0900
@@ -37,7 +37,11 @@
 {
 	local   _firewall_type
 
-	_firewall_type=$1
+	if [ -n "${1}" ]; then
+		_firewall_type=$1
+	elif [ -n "${firewall_type}" ]
+		_firewall_type=${firewall_type}
+	fi	
 
 	# set the firewall rules script if none was specified
 	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
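Review bot: the `elif [ -n "${firewall_type}" ]` line is missing its `; then`, so the script fails with a syntax error as soon as ipfw_start() is parsed; it should read `elif [ -n "${firewall_type}" ]; then`. The `fi` line also carries a trailing tab. With that fixed the branch is harmless, but it only reproduces what passing `$1` through unchanged already achieves when the firewall script falls back to `$firewall_type` on an empty argument, as the earlier reply states, so the only observable difference is inside ipfw_start() itself.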
