# Does IPFW load default rules



## SteveB (Jan 8, 2012)

I'm new to firewalls so please bear with me. In my rc.conf I have just these two firewall statements;


```
firewall_enable="yes"
firewall_type="open"
```

I notice that when I run *ipfw list* I get the following list of rules;


```
thx1138# ipfw list
00050 divert 8668 ip4 from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any
```

Since I haven't specified a rule script, where are these rules coming from? Does IPFW insert a base set of default rules if nothing else is specified?

As always, your help is greatly appreciated.


----------



## phoenix (Jan 8, 2012)

/etc/rc.d/ipfw controls how IPFW is loaded via rc.conf, and this lists /etc/rc.firewall as the default rules script if none is specified. In there is a section for the "open" firewall type, which loads the rules you are seeing.

IPFW by itself only loads a single rule, number 65535, which is "deny ip from any to any" unless you compile a custom kernel with IPFIREWALL_DEFAULT_TO_ACCEPT which then changes it to "allow ip from any to any".
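To make the point above concrete, here is an added example (constructed for this page, not from the thread or from FreeBSD's own /etc/rc.firewall) of a minimal script you could point firewall_script at: it flushes first, re-creates the loopback rules the "open" type installs, then keeps the stateful rules tight and logs what falls through before the kernel's built-in rule 65535. The interface name em0 and the ssh service are placeholder assumptions.

```shell
#!/bin/sh
# Constructed example of a custom rule script for firewall_script="/etc/ipfw.rules"
# (not from this thread). The interface name em0 is a placeholder assumption.
# Rules are printed instead of loaded when DRYRUN=1 or when ipfw is not in PATH,
# so the script can be reviewed on any machine before it goes into rc.conf.

ext_if="${EXT_IF:-em0}"

# $1 is the command each rule is passed to: "ipfw -q" loads, "echo ipfw -q" reviews.
emit_rules() {
    fw="$1"

    # Flush first: with firewall_script set, /etc/rc.d/ipfw runs only this file,
    # so this guarantees nothing from /etc/rc.firewall or an earlier run lingers.
    $fw -f flush

    # Loopback protections, the same ones the "open" type installs.
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    $fw add 300 deny ip from 127.0.0.0/8 to any

    # Stateful outbound: replies to connections this host opened match check-state.
    $fw add 1000 check-state
    $fw add 1100 allow tcp from me to any out via "$ext_if" setup keep-state
    $fw add 1200 allow udp from me to any out via "$ext_if" keep-state
    $fw add 1300 allow icmp from any to any icmptypes 0,3,8,11

    # Inbound: admit only services this host actually offers (ssh as placeholder).
    $fw add 2000 allow tcp from any to me 22 in via "$ext_if" setup keep-state

    # Log what is dropped; the kernel's own rule 65535 (deny) would catch it silently.
    $fw add 60000 deny log ip from any to any
}

# Number of "add" rules the script installs (dry-run only, for review/testing).
rule_count() {
    emit_rules "echo ipfw -q" | grep -c ' add '
}

if [ "${DRYRUN:-0}" = "1" ] || ! command -v ipfw >/dev/null 2>&1; then
    emit_rules "echo ipfw -q"
else
    emit_rules "ipfw -q"
fi
```

Swapping "ipfw -q" for "ipfw -n -q" in the final branch makes ipfw parse every rule without installing it, which is a safer first run on a remote box than loading a fresh deny-by-default set over the ssh session you are typing into.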


----------



## SteveB (Jan 9, 2012)

Thank you Phoenix!

So, if I specify a rules script other than /etc/rc.firewall using the 'firewall_script' statement in rc.conf, are the rules I place in this script superseding those in /etc/rc.firewall, or are they loaded in addition to those in /etc/rc.firewall? I'm thinking that since the first statement in my rules script flushes all rules (*ipfw -q -f flush*), my script must be the one and only rule set, but I just wanted to confirm.

Thanks.


----------



## phoenix (Jan 9, 2012)

If you specify *firewall_script* in /etc/rc.conf, then /etc/rc.d/ipfw loads only that script.


----------



## SteveB (Jan 9, 2012)

Excellent. Thanks again phoenix for your assistance.
Problem solved.


----------

