On Tue, Jun 18, 2019 at 9:27 PM Ronald F. Guilmette <r...@tristatelogic.com>
wrote:
> In message <CAPS9+Stc5VpbEsho8OUdAe2AT=
> p6ukxfa4zthtrzwnxtpzi...@mail.gmail.com>
> Andreas Nilsson <andrn...@gmail.com> wrote:
>
> >I have no ipv6 rules in ipfw when configuring rc.conf as:
> >
> >firewall_enable="YES"
> >firewall_script="/etc/ipfw.rules".
>
> I don't know what to say, other than that this was not my experience.
>
> When I first noiced that /etc/rc.firewall was injecting rules into ipfw,
> prior to my own set of explicitly specified rules, I went into the
> script and edited it to try to cause it to stop doing at least some
> of this (unwanted) behavior. For example, please note the lines in
> the following function which have been commented out:
>
> setup_loopback() {
> ############
> # Only in rare cases do you want to change these rules
> #
> ${fwcmd} add 100 pass all from any to any via lo0
> # ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> # ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> # if [ $ipv6_available -eq 0 ]; then
> # ${fwcmd} add 400 deny all from any to ::1
> # ${fwcmd} add 500 deny all from ::1 to any
> # fi
> }
>
> Commenting out the lines shown above (as commented out) *did* make a
> difference.
>
> To be crystal clear, I found that even when I was explicitly requesting
> that my own custom rule set be used, as per the instructions in the
> Handbook (and as I have been doing already for lo these many years)
> I found that "ipfw -a list" was showing that I was getting several
> additional rules (which I personally DID NOT specify in my rules file)
> and these additional rules were appearing in the output of "ipfw -a list"
> AHEAD OF my own explicitly specified rules. I traced this down and
> quickly saw that these additional rules could only have come from the
> (now commented out) lines shown above. After I had commented those
> lines out of the /etc/rc.firewall script an rebooted the system, the
> rules in question no longer were visible in the output of "ipfw -a list".
>
> I also made one other local change to the /etc/rc.firewall script, which is
> illustrated by the following (locally revised) code snippet:
>
But why are you even running rc.firewall if it does not do what you want?
Just set firewall_script="/path/to/script" and your good to go, no ipv6
anywhere to be found.
>
> afexists inet6
> #ipv6_available=$?
> # disable creation of any/all IPv6 rules
> ipv6_available=1
>
> I can't remember anymore now if this had the desired effect or not. It
> certainly didn't seem to hurt anything, at least from my personal
> perspective. (But please remember, I am striving to -not- use IPv6
> at all.)
>
> Even with these multiple changes, the /etc/rc.firewall script is *still*
> injecting its own "pass all from any to any via lo0" rule ahead of my
> own explicitly specified rules. (See the setup_loopback() function above.)
>
> I do not have any objection to that perfectly sensible rule, so I did not
> comment out the specific line of /etc/rc.firewall where that is added,
> ahead
> of all user-specified rules. But the point remains that /etc/rc.firewall
> *is* injecting its own rules, even when the user has followed the
> Handbook's
> prescription for how to take complete control of his/her own IPFW rule
> writing.
>
>
> Regards,
> rfg
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
>
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
