# Line 1: bad command `ipfw'



## hm2k (Aug 8, 2011)

I've recently noticed that the firewall on this FreeBSD system has stopped working, so I went to restart it but it keeps giving me an error:


```
Line 1: bad command `ipfw'
```

I've tried adjusting my /etc/ipfw.rules file to say /sbin/ipfw (based on *which ipfw*) instead, but the error just evolves into:


```
Line 1: bad command `/sbin/ipfw'
```

Here's what you need to know:


```
[root@amber ~]# /etc/rc.d/ipfw restart
net.inet.ip.fw.enable: 1 -> 0
Starting divert daemons:Flushed all rules.
Line 1: bad command `ipfw'
Firewall rules loaded.
net.inet.ip.fw.enable: 0 -> 1
[root@amber ~]# cat /etc/ipfw.rules
ipfw -q -f flush
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00220 deny log ip from me to any in
ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
ipfw -q add 00230 check-state
ipfw -q add 00235 deny tcp from any to any in established
ipfw -q add 00240 allow ip from any to any out keep-state
# allow traffic controlling icmp
ipfw -q add 00300 allow icmp from any to any icmptype 3
ipfw -q add 00301 allow icmp from any to any icmptype 4
ipfw -q add 00302 allow icmp from any to any icmptype 11
# allowing services: ftp, ssh, http, dns, identd
ipfw -q add 00501 allow tcp from any to any 21 keep-state setup
ipfw -q add 00502 allow tcp from any to any 22 keep-state setup
ipfw -q add 00503 allow tcp from any to any 53 keep-state setup
# setup is a TCP-flag test (SYN without ACK) and never matches UDP, so the udp rule is keep-state only
ipfw -q add 00504 allow udp from any to any 53 keep-state
ipfw -q add 00505 allow tcp from any to any 80 keep-state setup
ipfw -q add 00506 allow tcp from any to any 113 keep-state setup
# allowed ports for users
ipfw -q add 01000 allow tcp from any to any 6000-7005 keep-state setup
ipfw -q add 02000 allow tcp from any to any 10000-40000 keep-state setup

[root@amber ~]# grep '$FreeBSD' /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.47.10.1 2005/11/19 06:06:59 ume Exp $
[root@amber ~]# uname -a
FreeBSD amber.phurix.com 6.2-RELEASE-p12 FreeBSD 6.2-RELEASE-p12 #0: Tue Jul 15 13:49:44 BST 2008   
  james@amber.phurix.com:/usr/obj/usr/src/sys/SPECIFIC  i386
[root@amber ~]# ipfw show
65535 362908031 62053275482 allow ip from any to any
```

What am I overlooking here?

Thanks.


----------



## DutchDaemon (Aug 8, 2011)

Try getting better diagnostic output with

```
sh -x /etc/rc.d/ipfw restart > /tmp/output.1 2>&1
```

and/or

```
sh -xv /etc/rc.d/ipfw restart > /tmp/output.2 2>&1
```

Examine the output closely. This may be an inherited error (triggered by an error earlier in the process).


----------



## SirDice (Aug 8, 2011)

Remove the "ipfw -q" from every line.


----------



## DutchDaemon (Aug 8, 2011)

That was the first reply I posted, but it should work. There are many examples of ipfw.rules files with full *ipfw* commands, or $fwcmd variables instead. I guess it depends on how the file is invoked?


----------



## SirDice (Aug 8, 2011)

That might be it.

hm2k: Please post all the relevant ipfw entries from /etc/rc.conf.


----------



## hm2k (Aug 8, 2011)

```
[root@amber ~]# cat /etc/rc.conf | grep firewall
firewall_enable="YES"
firewall_logging="NO"
firewall_type="/etc/ipfw.rules"
firewall_flags=""
```

What's odd is that I'm sure it *was* working, but I'm not sure when it stopped working.


----------



## hm2k (Aug 8, 2011)

The solution was to remove the command and the flags, ie:


```
flush
add 00100 allow ip from any to any via lo0
add 00220 deny log ip from me to any in
add 00225 deny log tcp from any to any in tcpflags syn,fin
add 00230 check-state
add 00235 deny tcp from any to any in established
add 00240 allow ip from any to any out keep-state
# allow traffic controlling icmp
add 00300 allow icmp from any to any icmptype 3
add 00301 allow icmp from any to any icmptype 4
add 00302 allow icmp from any to any icmptype 11
# allowing services: ftp, ssh, http, dns, identd
add 00501 allow tcp from any to any 21 keep-state setup
add 00502 allow tcp from any to any 22 keep-state setup
add 00503 allow tcp from any to any 53 keep-state setup
# setup is a TCP-flag test (SYN without ACK) and never matches UDP, so the udp rule is keep-state only
add 00504 allow udp from any to any 53 keep-state
add 00505 allow tcp from any to any 80 keep-state setup
add 00506 allow tcp from any to any 113 keep-state setup
# allowed ports for users
add 01000 allow tcp from any to any 6000-7005 keep-state setup
add 02000 allow tcp from any to any 10000-40000 keep-state setup
```


----------



## DutchDaemon (Aug 9, 2011)

Like I said, I've seen rules files with and without commands, so it seems to depend on how the file is invoked or read. Anyway, if it works, it works. P.S. no advertising/promotions in signatures, see forum rule 8.


----------



## DutchDaemon (Aug 9, 2011)

I think there's a difference between 'firewall_type' and 'firewall_rules' in /etc/rc.conf or something like that, but it's been a long time since I used IPFW. This might explain why one needs commands, and the other one doesn't.


----------



## phoenix (Aug 9, 2011)

If you pass a rules file to ipfw(8) itself, then you do not include the "ipfw -whatever -options" in the files.  Just the body of the rules.  IPFW then reads the entire file and loads all the rules at once.  Similar to how PF works.

If you create a shell script using ipfw(8), then you have to include the "ipfw -whatever -options" on every line, since you are executing IPFW for each rule.

The former is much faster.  The latter gives you much more freedom in how you create the rules, use loops, use variables, call other files, etc.

Neither is inherently better.  It all depends on how you use them.

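As an added example (not code from the thread, nor from FreeBSD's rc.firewall or rc.d/ipfw), here is a small POSIX sh helper that turns a script-style rules file (full `ipfw ...` commands, the `firewall_script=` form) into the file-style body that `ipfw /path/to/file` reads when `firewall_type=` names a file, plus a check that refuses a file which still carries an `ipfw` or `$VAR` prefix, so the "bad command `ipfw'" mistake is caught before the rules are loaded. The sample input is constructed; the `$VAR` expansion is an assumption and only handles a simple `VAR="ipfw ..."` line earlier in the same file.

```shell
#!/bin/sh
# Added example; not from the thread or from FreeBSD's rc scripts.
#
# The two invocation forms discussed in the thread:
#   firewall_type="/etc/ipfw.rules"   -> rc.firewall runs  ipfw $firewall_flags /etc/ipfw.rules
#                                        so every line must be a rule BODY:  add 100 allow ...
#   firewall_script="/etc/ipfw.rules" -> rc.d/ipfw runs the file as a shell script,
#                                        so every line must be a full command: ipfw -q add 100 ...
# Feeding the second form to the first yields "Line 1: bad command `ipfw'".

# Constructed sample in script style, mixing the variants seen in the thread:
# plain ipfw, an $IPF variable, and a full /sbin/ipfw path.
SAMPLE_SCRIPT='IPF="ipfw -q add"
ipfw -q -f flush
# loopback
$IPF 10 allow all from any to any via lo0
/sbin/ipfw -q add 00220 deny log ip from me to any in
ipfw add 00230 check-state'

# to_file_style: read script-style rules on stdin, write file-style rules on stdout.
# Assumption: a $VAR prefix is expanded only if VAR="ipfw ..." was defined earlier
# in the same input; an unknown variable is an error, not a guess.
to_file_style() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {      # VAR="ipfw -q add"
            n = index($0, "="); name = substr($0, 1, n - 1)
            val = substr($0, n + 2); sub(/"$/, "", val)
            vars[name] = val; next
        }
        /^[ \t]*$/ { next }                       # drop blank lines
        /^[ \t]*#/ { print; next }                # keep comment lines verbatim
        {
            line = $0
            if (line ~ /^[$][A-Za-z_]/) {         # "$IPF 10 allow ..." -> expand $IPF
                split(line, parts, " ")
                name = substr(parts[1], 2)
                if (!(name in vars)) {
                    print "unknown variable $" name > "/dev/stderr"; exit 1
                }
                sub(/^[$][A-Za-z_][A-Za-z0-9_]*/, vars[name], line)
            }
            # strip a leading "ipfw" or "/path/to/ipfw", then any -q / -f style flags
            sub(/^([^ ]*[/])?ipfw[ \t]+/, "", line)
            while (line ~ /^-[A-Za-z]+[ \t]+/) sub(/^-[A-Za-z]+[ \t]+/, "", line)
            print line
        }'
}

# check_file_style FILE: succeed only if no line still starts with an ipfw
# command or a shell variable, i.e. the file is safe to hand to `ipfw FILE`.
check_file_style() {
    ! grep -Eq '^[[:space:]]*(([^[:space:]]*/)?ipfw|[$])' "$1"
}

# Demo: convert the constructed sample (prints the file-style body).
printf '%s\n' "$SAMPLE_SCRIPT" | to_file_style
```

The conversion only fixes the invocation mismatch; it does not change what the rules match, so a rule that was wrong in script form is just as wrong in file form.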

----------



## ghostcorps (Oct 5, 2011)

phoenix said:

> If you pass a rules file to ipfw(8) itself, then you do not include the "ipfw -whatever -options" in the files.  Just the body of the rules.  IPFW then reads the entire file and loads all the rules at once.  Similar to how PF works.
> 
> If you create a shell script using ipfw(8), then you have to include the "ipfw -whatever -options" on every line, since you are executing IPFW for each rule.
> 
> ...

Would this be why my config below blocks all traffic? 


```
# cat /etc/rc.conf | grep firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="open"
```


/etc/ipfw.rules

```
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0

# allow all internal connections
$IPF 11 allow all from me to me

# stateful
$IPF 20 check-state
$IPF 25 allow tcp from any to any established
$IPF 30 allow all from any to any out keep-state
$IPF 40 allow icmp from any to any

# Passive ports
$IPF 60 allow all from any to localhost 1024-4443

##### Open #####

# ftp
$IPF 101 allow all from any to localhost 21 in
# ssh
$IPF 103 allow all from any to localhost 22 in
# http
$IPF 105 allow all from any to localhost 80 in

##### Closed #####

#$IPF 500 deny log all from any to any
```


When I start ipfw using the config above all traffic is blocked except established links, thankfully. When I list the ipfw rules they look fine. The odd thing is that the rules were copied directly from a production 8.1 RELEASE server which functions perfectly.

In either case I am not using ipfw from any other programs, but for the sake of trying all options would this be correct?

/etc/ipfw.rules

```
flush

# loopback
add 00010 allow all from any to any via lo0

# allow all internal connections
add 00011 allow all from me to me

# stateful
add 00020 check-state
add 00025 allow tcp from any to any established
add 00030 allow all from any to any out keep-state
add 00040 allow icmp from any to any

# Passive ports
add 00060 allow all from any to localhost 1024-4443

##### Open #####

# ftp
add 00101 allow all from any to localhost 21 in
# ssh
add 00103 allow all from any to localhost 22 in
# http
add 00105 allow all from any to localhost 80 in

##### Closed #####

add 00500 deny log all from any to any
```

I would test it but I just locked myself out when I flushed the rules. I won't be home for a while.


----------



## wmoreno3 (Jul 31, 2012)

Solution: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

```
firewall_enable="YES"
firewall_type="filename"           # rule bodies only, without any command-line options for ipfw
firewall_script="/etc/ipfw.rules"  # executable script that includes full ipfw commands
firewall_logging="YES"
```


----------

