IPFW in FreeBSD V7.0 - BSD



  1. IPFW in FreeBSD V7.0

    I'm upgrading my NAT gateway and I found some new options in rc.conf for the
    IPFW.

    I have not been able to find any information on the Internet for them
    though. Does someone know where I can find out more info on these specific
    options, or have an answer for me?

    firewall_allowservices="" # List of IPs which has access to $firewall_myservices
    firewall_trusted="" # List of IPs which has full access to this host
    firewall_myservices="" # List of TCP ports on which this host offers services

    Are these delimited with spaces, commas, or other ?

    There's no information in man ipfw or man rc.conf about these.

    Thanks,
    Chuck



  2. Re: IPFW in FreeBSD V7.0

    On Fri, 12 Sep 2008 11:47:46 -0500, "Chuck Rock" wrote:
    > I'm upgrading my NAT gateway and I found some new options in rc.conf
    > for the IPFW.
    >
    > I have not been able to find any information on the Internet for them
    > though. Does someone know where I can find out more info on these
    > specific options, or have an answer for me?
    >
    > firewall_allowservices="" # List of IPs which has access to $firewall_myservices
    > firewall_trusted="" # List of IPs which has full access to this host
    > firewall_myservices="" # List of TCP ports on which this host offers services
    >
    > Are these delimited with spaces, commas, or other ?


    Hi Chuck,

    The lists are space- or TAB-separated.

    These rc.conf options are only used in for-loops of shell code in the
    `/etc/rc.firewall' script. You can delimit entries with space or TAB
    characters. If you carefully quote the list of values, you can even use
    multiple lines like:

    firewall_trusted="192.168.1.1/32
    192.168.1.3 192.168.1.254"

    The firewall_allowservices and firewall_myservices work closely
    together:

    * The first one is a simple (space separated) list of hosts that
    connections may originate from.

    * The second is a simple (space separated) list of local services
    that will be open for all hosts in ${firewall_allowservices}.

    One rule is added to the final firewall ruleset for every combination of
    `firewall_allowservices' and `firewall_myservices', so if you use in
    your `rc.conf' file something like:

    firewall_allowservices="192.168.1.1 192.168.1.2"
    firewall_myservices="ssh smtp"

    Then your final firewall will contain the rules:

    add pass tcp from 192.168.1.1 to me ssh
    add pass tcp from 192.168.1.2 to me ssh
    add pass tcp from 192.168.1.1 to me smtp
    add pass tcp from 192.168.1.2 to me smtp

    If you are planning to use these options, it's worth considering at
    least the following details too:

    * Only TCP services are enabled by these rules. If you have a UDP
    service, you will have to either (a) edit your `rc.firewall' script,
    or (b) roll your own ruleset.

    * The `firewall_allowservices' and `firewall_myservices' options are
    *only* valid if you are using the pre-configured `workstation' type
    for your firewall ruleset. If you are using any other set of
    firewall rules, the current `rc.firewall' script will completely
    ignore any `rc.conf' value configured for `firewall_allowservices'
    and `firewall_myservices'!

    > There's no information in man ipfw or man rc.conf about these.


    This is a bug. The firewall_xxx options seem very under-documented.
    The bug is even more important because the code has already found its
    way to a STABLE branch, but the documentation bits are still missing.

    Please take a moment to open a problem report and send me the number, or
    let me know that you don't have the time to do that just now, so I can
    open one myself. Then I can work a bit to refine the explanation I
    wrote above, and commit it to the rc.conf manpage.

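As an added illustration (not the actual /etc/rc.firewall code), the sh loop below reproduces the cross-product expansion and the whitespace-delimiting behaviour described in the reply above; `gen_service_rules` and `count_rules` are made-up helper names, and the rc.conf-style values are constructed.

```shell
#!/bin/sh
# Added illustration, not the real /etc/rc.firewall: it mimics how the
# "workstation" ruleset expands firewall_allowservices x firewall_myservices
# into the "add pass tcp" rules quoted in the reply above.

# Emit one rule per (service, host) pair, services in the outer loop so the
# order matches the reply. $1 = firewall_type, $2 = firewall_allowservices,
# $3 = firewall_myservices. An unquoted $var in an sh for-loop splits on the
# default IFS (space, TAB, newline), which is why those delimiters work.
gen_service_rules() {
    _type=$1; _hosts=$2; _services=$3
    # Per the reply, any type other than "workstation" ignores both options.
    [ "$_type" = "workstation" ] || return 0
    for _svc in $_services; do
        for _host in $_hosts; do
            printf 'add pass tcp from %s to me %s\n' "$_host" "$_svc"
        done
    done
}

# Number of rules a given configuration would add (helper for checks).
count_rules() {
    gen_service_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed rc.conf-style values: a TAB between the hosts and a newline
# between the services, both legal inside a quoted value.
tab=$(printf '\t')
firewall_type="workstation"
firewall_allowservices="192.168.1.1${tab}192.168.1.2"
firewall_myservices="ssh
smtp"

gen_service_rules "$firewall_type" "$firewall_allowservices" "$firewall_myservices"

# Commas are NOT separators: the shell keeps "10.0.0.1,10.0.0.2" as one
# word, so a single rule with that whole string as the host is produced,
# not two rules.
count_rules workstation "10.0.0.1,10.0.0.2" "ssh"
```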

  3. Re: IPFW in FreeBSD V7.0

    All set. I sent it to your E-mail address listed here, but in case you don't
    receive it, I'm posting it here too.

    Thank you very much for your problem report.
    It has the internal identification `docs/127359'.
    The individual assigned to look at your
    report is: freebsd-doc.

    Thank you very much, your response was much appreciated.

    Chuck

    "Giorgos Keramidas" wrote in message
    news:877i9gr9r8.fsf@kobe.laptop...




  4. Re: IPFW in FreeBSD V7.0

    On Sat, 13 Sep 2008 13:17:19 -0500, "Chuck Rock" wrote:
    > All set. I sent it to your E-mail address listed here, but in case you
    > don't receive it, I'm posting it here too.
    >
    > Thank you very much for your problem report.
    > It has the internal identification `docs/127359'.


    Excellent! My email address in Usenet posts is valid, so I got the copy
    just fine.

    > Thank you very much, your response was much appreciated.


    You are welcome.

    The main reasons I asked you to file the bug report are that:

    * This way you get email updates when it changes.

    * The PR is properly attributed in the related commits to the person
    who really found it, and not me.

    As I update the PR you should be receiving regular updates about the
    manpage changes.

    Regards,
    Giorgos

