From: Jamie C. <jca...@we...> - 2014-09-12 04:55:33
Another possible explanation is that Webmin is detecting the wrong ipfw format. If you convert the ipfw.rules file to put "ipfw add" at the start and then add a new rule using Webmin, does it keep the same format?

On 11/Sep/2014 07:04 Michel Blais <mi...@ta...> wrote ..
> I tried it and it cannot be used with the firewall_script option from
> rc.conf, at least not in FBSD 10. I saw messages about this problem in
> older FBSD versions.
>
> # grep firewall /etc/rc.conf
> firewall_enable="YES"
> firewall_script="/usr/local/etc/webmin/ipfw/ipfw.rules"
> #firewall_type="webmin"
>
> # cat /usr/local/etc/webmin/ipfw/ipfw.rules
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
> 01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
> # Local - Allow policy
> 65500 allow all from any to any via re2
> 65535 deny ip from any to any
>
> # reboot
>
> after reboot
>
> # ipfw list
> 65535 deny ip from any to any
>
> I may be wrong, but from the documentation I read, IPFW doesn't seem
> to support loading a ruleset from a file. It's not like PF, where you create
> your ruleset in a file; it's more like iptables, where you have to
> create a script that will generate the ruleset.
> https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>
> If I copy the same file to /etc/ipfw.rules and add "ipfw add" at the
> beginning of each line. 65535 has been removed because it is useless,
> since the system generates it automatically.
>
> # cat /etc/ipfw.rules
> ipfw add 00100 allow ip from any to any via lo0
> ipfw add 00200 deny ip from any to 127.0.0.0/8
> ipfw add 00300 deny ip from 127.0.0.0/8 to any
> ipfw add 00400 deny ip from any to ::1
> ipfw add 00500 deny ip from ::1 to any
> ipfw add 00600 allow ipv6-icmp from :: to ff02::/16
> ipfw add 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> ipfw add 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> ipfw add 00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
> ipfw add 01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
> # Local - Allow policy
> ipfw add 65500 allow all from any to any via re2
>
> # grep firewall /etc/rc.conf
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> #firewall_type="webmin"
>
> # reboot
>
> after reboot
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
> 01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
> 65500 allow ip from any to any via re2
> 65535 deny ip from any to any
> ---
> Regards,
>
> Michel Blais
> Network administrator
> Targo communications
>
>
> 2014-09-10 17:23 GMT-04:00 Jamie Cameron <jca...@we...>:
> > On 10/Sep/2014 07:41 Michel Blais <mi...@ta...> wrote ..
> >> I had some problems with the IPFW (BSD Firewall) module for FreeBSD on
> >> version 10. Rules were not applied at boot. From my search on the
> >> internet, it seems to be a common problem with this module.
> >>
> >> The first thing I noticed is that the ipfw.rules file generated by the
> >> module is not standard. The syntax is correct except for the "ipfw -q add"
> >> option missing at the beginning of each line. If this syntax were
> >> respected, we could simply use the "firewall_script" option from
> >> rc.conf to apply the ipfw.rules file at boot.
> >>
> >> What I've done to "temporarily" fix it, in case it ever gets fixed someday, is to
> >> add a firewall type to rc.firewall and apply the webmin ipfw.rules
> >> configuration, adding the "ipfw -q add" keyword missing from the syntax
> >> at the beginning of each line. After that, I just have to use the rc.conf
> >> option firewall_type="webmin".
> >>
> >> My rc.firewall case script part added for webmin, if somebody has the
> >> same problem eventually:
> >>
> >> [Ww][Ee][Bb][Mm][Ii][Nn])
> >>     ${fwcmd} -q -f flush
> >>     # strip '#' comments from each line of the Webmin rules file
> >>     while read line; do
> >>         line=$(echo "$line" | awk -F '#' '{print $1}')
> >>         if [ -n "$line" ]; then
> >>             ${fwcmd} add $line
> >>         fi
> >>     done < /usr/local/etc/webmin/ipfw/ipfw.rules
> >>     ;;
> >
> > I don't think that is actually needed - the ipfw.rules file gets applied
> > by running the ipfw command with that file as a parameter, which is supposed
> > to apply all the rules in it.
> >
> >
> > ------------------------------------------------------------------------------
> > Want excitement?
> > Manually upgrade your production database.
> > When you want reliability, choose Perforce
> > Perforce version control. Predictably reliable.
> > http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> > -
> > Forwarded by the Webmin mailing list at web...@li...
> > To remove yourself from this list, go to
> > http://lists.sourceforge.net/lists/listinfo/webadmin-list