>Number:         148656
>Category:       misc
>Synopsis:       {oip} and {iip} variables in rc.firewall script undefined in FreeBSD 7.2 and 8.0
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 15 23:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     John J. Donohue
>Release:        6.1, 7.0, 7.2, 8.0
>Organization:   McAllen Public Library (City of McAllen)
>Environment:
FreeBSD internal-dns2.mcallen.lib.tx.us 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009     r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
-----
FreeBSD maindhcp3.mcallen.lib.tx.us 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu Feb 25 10:26:00 CST 2010     r...@template.mcallen.lib.tx.us:/usr/src/sys/i386/compile/MIDDLEMAN  i386
>Description:
Under FreeBSD versions up to 7.0, the oif, onet, omask, oip, iif, inet, imask, and iip variables were explicitly defined in the SIMPLE segment of rc.firewall, as in:

    # set these to your outside interface network and netmask and ip
    oif="xl0"
    onet="192.168.224.0"
    omask="255.255.255.0"
    oip="192.168.224.4"

    # set these to your inside interface network and netmask and ip
    iif="xl1"
    inet="192.168.240.0"
    imask="255.255.255.0"
    iip="192.168.240.1"

Under versions 7.2 and 8.0, oif, onet, iif, and inet are defined in rc.conf:

    firewall_simple_oif="xl0"
    firewall_simple_onet="192.168.224.0/24"
    firewall_simple_iif="xl1"
    firewall_simple_inet="192.168.240.0/24"

and then substituted in the SIMPLE segment of rc.firewall:

    # Configuration:
    #   firewall_simple_iif:  Inside network interface.
    #   firewall_simple_inet: Inside network address.
    #   firewall_simple_oif:  Outside network interface.
    #   firewall_simple_onet: Outside network address.
    ############

    # set these to your outside interface network
    oif="$firewall_simple_oif"
    onet="$firewall_simple_onet"

    # set these to your inside interface network
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"

oip and iip are not defined, declared, or extracted anywhere and substitute as a value of '0' in script statements such as

    ${fwcmd} add pass tcp from 192.168.240.0/24 to ${iip} 22 via ${iif} setup

which upon an 'ipfw show' lists as

    allow tcp from 192.168.240.0/24 to 0.0.0.22 via xl1 setup
                                       ^^^^^^^^

instead of

    allow tcp from 192.168.240.0/24 to 192.168.240.1 dst-port 22 via xl1 setup
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^

which was the original intent.
>How-To-Repeat:
Run the default included /etc/rc.firewall script using /etc/rc.conf:firewall_type="SIMPLE" and any active ipfw statements that include {oip} and/or {iip} variable references.
>Fix:
MY SOLUTION: I added the following to /etc/rc.conf:

    firewall_simple_oip="192.168.224.4"
    firewall_simple_iip="192.168.240.1"

and the following to the SIMPLE segment of rc.firewall:

    # Configuration:
    #   firewall_simple_iif:  Inside network interface.
    #   firewall_simple_inet: Inside network address.
--> #   firewall_simple_iip:  Inside ip address.
    #   firewall_simple_oif:  Outside network interface.
    #   firewall_simple_onet: Outside network address.
--> #   firewall_simple_oip:  Outside ip address.
    ############

    # set these to your outside interface network
    oif="$firewall_simple_oif"
    onet="$firewall_simple_onet"
--> oip="$firewall_simple_oip"

    # set these to your inside interface network
    iif="$firewall_simple_iif"
    inet="$firewall_simple_inet"
--> iip="$firewall_simple_iip"

>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
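Added example, not part of the PR above and not FreeBSD's own rc.firewall: a plain-sh model of how the SIMPLE segment expands its variables, with the empty-${iip} case from the report beside a guarded version that refuses to build a rule from an unset variable, plus a check over saved `ipfw show` output for rules in the degenerate "to 0.0.0.<port>" shape the submitter observed. Nothing here calls ipfw; the rule text is built the way the quoted ${fwcmd} line builds it. The knob names firewall_simple_oip and firewall_simple_iip are the submitter's proposal, the function names are mine, and the rc.conf values and `ipfw show` lines are constructed for the demonstration.

```shell
#!/bin/sh
# Model of the rc.firewall SIMPLE-segment expansion (added example, not the
# project's code). All names below except the firewall_simple_* knobs are
# hypothetical helpers for this demonstration.

# simple_rule IIF INET IIP: print the inside-ssh rule exactly as the script
# would hand it to ${fwcmd}. An empty IIP expands to nothing, so the port
# number ends up where the destination address should be.
simple_rule() {
    printf 'add pass tcp from %s to %s 22 via %s setup\n' "$2" "$3" "$1"
}

# require_set NAME VALUE: return 1 with a diagnostic when a firewall variable
# is empty, instead of letting the empty expansion reach ipfw.
require_set() {
    if [ -z "$2" ]; then
        echo "rc.firewall: $1 is empty; set it in /etc/rc.conf" >&2
        return 1
    fi
    return 0
}

# guarded_rule IIF INET IIP: the same rule, emitted only after every variable
# it expands has been checked (fail closed rather than install a wrong rule).
guarded_rule() {
    require_set firewall_simple_iif "$1" || return 1
    require_set firewall_simple_inet "$2" || return 1
    require_set firewall_simple_iip "$3" || return 1
    simple_rule "$1" "$2" "$3"
}

# count_bad_dst: read `ipfw show` output on stdin and print the number of
# rules whose destination is 0.0.0.<port>, the shape produced when ${iip}
# was empty and the port number was parsed as an address.
count_bad_dst() {
    grep -Ec ' to 0\.0\.0\.[0-9]+ ' || true
}

# Constructed rc.conf values (the addresses from the report), not read from
# a real /etc/rc.conf.
firewall_simple_iif="xl1"
firewall_simple_inet="192.168.240.0/24"
firewall_simple_iip="192.168.240.1"

# unpatched: 7.2/8.0 behaviour, iip is never assigned from rc.conf.
unpatched() {
    iip=""
    simple_rule "$firewall_simple_iif" "$firewall_simple_inet" "$iip"
}

# patched: iip="$firewall_simple_iip", as in the Fix section, plus the guard.
patched() {
    iip="$firewall_simple_iip"
    guarded_rule "$firewall_simple_iif" "$firewall_simple_inet" "$iip"
}

# Constructed sample of `ipfw show` output with one rule in the broken shape.
sample_ipfw_show='00100     0        0 allow tcp from 192.168.240.0/24 to 0.0.0.22 via xl1 setup
00200     0        0 allow tcp from 192.168.240.0/24 to 192.168.240.1 dst-port 22 via xl1 setup
65535  1234   567890 deny ip from any to any'

# bad_rules_in_sample: number of broken rules found in the sample above.
bad_rules_in_sample() {
    printf '%s\n' "$sample_ipfw_show" | count_bad_dst
}

# Stand-alone run: show both rule forms and the count of broken live rules.
echo "unpatched: $(unpatched)"
echo "patched:   $(patched)"
echo "broken rules in sample: $(bad_rules_in_sample)"
```

On a live box the same check is `ipfw show | grep -E ' to 0\.0\.0\.[0-9]+ '`; any hit means a rule was built from an empty address variable and should be treated as a misconfiguration, since it never matches the host it was meant to protect.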