# IPFW stateful rules in FreeBSD 6.4 ?



## Unixworld (Dec 15, 2008)

Hi all,

I would like to share some experience with IPFW.
Yesterday I switched from 7.0 RELEASE to the new
6.4 RELEASE. Installed all distributions (except ports and sources) from the DVD, copying both the GENERIC and SMP kernel, and put XFCE 4 on from an ftp-mirror. Nothing unusual till now.

After the first reboot, FreeBSD picked and booted the SMP kernel; I personally didn't do anything on the kernel side. I have an old Pentium 4
"Prescott" 2.8 GHz/800 MHz/1 MB cache, S.478.

So..., dunno what happened here, but the way I used
to use IPFW in 7.0 doesn't work here in 6.4.
I've always used "firewall_type=workstation" and
"firewall_rules=/etc/ipfw.rules" in the 7.0 RELEASE,
where the rules were those provided as an example
in the handbook - they were pretty satisfying for me, being a newbie in the FreeBSD world.

Now, in 6.4, I tried the same "tactics", which don't
work :\ Though the rules get loaded and IPFW gets active, it blocks the connection (I use PPPoE, so the tun0 interface in my case).

I'd like to ask for some help leading me in the
right direction - either I'm doing something wrong, or
the IPFW concept is different in 6.4?!

Thanx to all in advance !

Greetings


----------



## caligula (Dec 15, 2008)

Hello Unixworld,

first, why did you do that downgrade? - 7.1-RELEASE is coming soon.

The /etc/rc.firewall scripts from 6.4 and 7.0 are different:
 - 6.4

```
/home/caligula> grep '$FreeBSD' /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.47.10.4.2.1 2008/10/02 02:57:24 kensmith Exp $
```
 - 7.0

```
/home/caligula> grep '$FreeBSD' /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.52.4.1 2008/01/29 00:22:32 dougb Exp $
```

"grep 'workstation'" in /etc/rc.firewall shows that "firewall_type=workstation" is unknown in 6.4.

And if you built the kernel with "IPFIREWALL_DEFAULT_TO_DENY", then the last rule would always be "65535 deny ip from any to any".

So, either upgrade back to 7.0, or show me the output of "ipfw list" or "ipfw show" in order to find out which rule blocks your traffic.

edit:
Having read the example ruleset of the handbook, I would say that the public interface "pif" isn't properly set (in your case it should be pif="tun0"), and the last rule "00999 deny log all from any to any" does its job.
Do an "ipfw show" and we will see.


bye


----------



## Unixworld (Dec 15, 2008)

Hailz, Caligula,

thank you for your time answering me back.
Just got home from work, so I didn't have time till now
to give you the info needed.

Well, the output is (just rechecked the matter):

```
FreeBSD# /etc/rc.d/ipfw start
Flushed all rules.
Line 5: bad command `ipfw'
Firewall rules loaded.
Firewall logging enabled.
net.inet.ip.fw.enable: 0 -> 1
FreeBSD# ipfw -t list
65535 Mon Dec 15 17:11:08 2008 deny ip from any to any
```

```
$ sudo ipfw show
65535 371 51665 deny ip from any to any
```

It just doesn't show all these rules that are in the
handbook (non-NAT) ruleset as it used to before...

IPFW always "complains" about an error in one of the
first lines, whichever ruleset I put in ipfw.rules and try,
and whichever line I change, always murmuring:

```
################ Start of IPFW rules file############
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="tun0"     # public interface name of NIC
               # facing the public Internet

#####################################################
```


I always set the PPPoE interface "tun0" in here, as mentioned - never
had any troubles in the 7.0 version.
I also changed it to firewall_type="/etc/ipfw.rules" in rc.conf,
but I think these were last desperate measures before going
back to the 7.0-th colossus.

Please answer back if you have the time; I think I would
roll back to the 7.0 release very soon.

Thanx a lot for your support & cheers !


----------



## caligula (Dec 15, 2008)

Hello Unixworld,



> $ sudo ipfw show
> 65535 371 51665 deny ip from any to any


Well, your ruleset isn't loaded at all, so only the default last rule 65535 (deny all from any to any) is active.



> It just doesn't show all these rules that are in the
> handbook (non-NAT) ruleset as it used to before...


because they aren't loaded.


Why is your ruleset not loaded? - Answer:


> ...
> FreeBSD# /etc/rc.d/ipfw start
> Flushed all rules.
> Line 5: bad command `ipfw'
> ...




So, fix the error and your rules will be loaded.
I suppose your /etc/ipfw.rules misses a "#!/bin/sh" in the first line.
ipfw.rules is a shell script. Put a hashbang there.
Else, replace in your ruleset each "$cmd" by "ipfw add".


Nevertheless, why did you downgrade?
"7.0-th colossus" is not a reason. => Choose "Minimal Install" in sysinstall.


----------



## Unixworld (Dec 15, 2008)

*Very close to... ? *

Hello, Caligula,

Thanx a lot again for your support.

Well, the ruleset is a shell script - the "#!/bin/sh" thingy
is there all the time.

Will try now with the cmd-thing and post back in here.
P.S. What about "firewall_type=?" Was mine correct (I highly
doubt it was, hehe)

Greetings !


----------



## caligula (Dec 15, 2008)

ahh, oh yes, of course, I'm blind.

Try
firewall_script=""

see /etc/defaults/rc.conf

firewall_type="" is for the rc.firewall script.

When you specify a "type" which is not defined in rc.firewall, it will be interpreted as a ruleset.
So in that case firewall_type="/etc/ipfw.rules" should look like:

```
add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
...
```

And firewall_rules="" has no effect.
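The two ways rc.d/ipfw can load a rules file, as discussed in this thread, expect two different file formats: firewall_script runs the file with /bin/sh, while an unrecognised firewall_type is passed to ipfw(8) as a file of bare rule lines, which is why a shell script given as firewall_type fails with "bad command `ipfw'". The following added example (not from the thread or the FreeBSD handbook) inspects a rules file, decides which format it is in, and prints the rc.conf lines that match. The two sample rulesets it writes are constructed for the demo; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeBSD handbook.
# rc.firewall treats an unknown firewall_type as a file of bare ipfw rules and
# runs `ipfw <file>`; firewall_script names a shell script that rc.d/ipfw runs
# with /bin/sh. Handing a shell script to ipfw gives the thread's error
# "bad command `ipfw'", because the word "ipfw" is not a rule keyword.

# classify_ruleset FILE -> prints "script", "native" or "unknown"
classify_ruleset() {
    # A hashbang settles it immediately.
    case "$(head -n 1 "$1")" in
        '#!'*) echo script; return 0 ;;
    esac
    # Otherwise the first non-blank, non-comment line decides.
    first=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" | head -n 1)
    case "$first" in
        ipfw*|'$'*|*=*) echo script ;;   # ipfw command, $cmd prefix, or var=value
        add*|delete*|flush*|zero*|pipe*|queue*|table*|set*)
                        echo native ;;   # ipfw(8) rule-file keywords
        *)              echo unknown ;;
    esac
}

# rc_conf_var KIND -> the rc.conf variable that loads that kind of file
rc_conf_var() {
    case "$1" in
        script) echo firewall_script ;;
        native) echo firewall_type ;;
        *)      return 1 ;;
    esac
}

# write_samples DIR -> creates two constructed sample files for the demo
write_samples() {
    # Shell-script form, as the handbook-style ruleset in the thread is written.
    cat >"$1/ipfw.rules.sh" <<'EOF'
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
pif="tun0"     # public interface (PPPoE tunnel)
$cmd 00010 allow all from any to any via lo0
$cmd 00999 deny log all from any to any
EOF
    # Native form: what rc.firewall expects when firewall_type is a path.
    cat >"$1/ipfw.rules.native" <<'EOF'
# bare rules, fed to ipfw(8) as a file
add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 999 deny log all from any to any
EOF
}

# report FILE -> classifies FILE and prints the matching rc.conf lines
report() {
    kind=$(classify_ruleset "$1")
    var=$(rc_conf_var "$kind") || { echo "$1: cannot tell rule-file format" >&2; return 1; }
    printf '%s: %s ruleset\n' "$1" "$kind"
    printf 'firewall_enable="YES"\n%s="%s"\n\n' "$var" "$1"
}

# demo -> runs the check over the constructed samples; 0 when both classify as expected
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    report "$dir/ipfw.rules.sh" && report "$dir/ipfw.rules.native"
    ok=0
    [ "$(classify_ruleset "$dir/ipfw.rules.sh")" = script ] &&
    [ "$(classify_ruleset "$dir/ipfw.rules.native")" = native ] || ok=1
    rm -rf "$dir"
    return $ok
}

if [ $# -gt 0 ]; then
    report "$1"       # usage: sh check_ipfw_rules.sh /etc/ipfw.rules
else
    demo
fi
```

Run it against the real file (`sh check_ipfw_rules.sh /etc/ipfw.rules`) before touching rc.conf: a file that classifies as "script" belongs in firewall_script, one that classifies as "native" in firewall_type, and firewall_rules is not consulted by either path.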


----------



## komeylian (Dec 21, 2008)

hi,

Do you know how I can filter strings on my BSD machine with ipfw, like below:

add deny string "mail.yahoo.com" ip from  any to any via fxp0


thanks in advance.


----------

