IPFW loading rules in jail


gtp04

Dabbler
Joined
Jan 18, 2015
Messages
24
I have set up a ruleset in a jail for ipfw in FreeNAS 9.2.1.5. After a jail boot I run "ipfw list" in the ssh connection and I only get one rule: "65535 allow ip from any to any", which isn't a rule I specified... It's my understanding that comes from the kernel being compiled with IPFIREWALL_DEFAULT_TO_ACCEPT. None of MY rules are listed. If I do "service ipfw start" it starts correctly and "ipfw list" reports back all my rules, with the additional rule "65535 allow ip from any to any" at the bottom...

My question is: why, no matter how I attempt to load the rules I want at jail boot (via script or via jail rule file), will they not load? What am I missing?

Dan
Windows Expert turned FreeBSD /Linux NOVICE.
 

Gonzalo

Patron
Joined
Nov 29, 2014
Messages
457
1) Inside the Jail, execute: echo firewall_enable="YES" >> /etc/rc.conf and echo firewall_type="/etc/ipfw_rules" >> /etc/rc.conf.
2) Create the file /etc/ipfw_rules with the rules you want.
3) Restart the system and execute ipfw list.

Note: You can change the name or path of ipfw_rules.
 

gtp04

Dabbler
Joined
Jan 18, 2015
Messages
24
I already have the above done... the problem is it's not executing the script on boot of the jail... only after I do the "service ipfw start" command...

I know I am missing something... but why will it start and load my rules only manually?

Could it be a permissions issue with the rules file?



Dan
 

Gonzalo

Patron
Joined
Nov 29, 2014
Messages
457
I have ipfw running in a jail without issues... please, share your rc.conf and ipfw_rules files (also permissions).
 

gtp04

Dabbler
Joined
Jan 18, 2015
Messages
24
rc.conf
Code:
portmap_enable="NO"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="bit_1"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
transmission_enable="YES"
transmission_conf_dir="/media/config"
transmission_flags="-e /media "


and my script is as follows (the rule at 05002 was missing its "to" keyword, which ipfw rejects; corrected here):
Code:
fwcmd="/sbin/ipfw"
# start from an empty ruleset
${fwcmd} -f flush
# DNS to the permitted resolvers only
${fwcmd} add 01000 allow log udp from 192.168.0.0/24 to 208.67.222.222 dst-port 53 keep-state
${fwcmd} add 01002 allow log udp from 192.168.0.0/24 to xxx.xxx.xxx.xxx dst-port 53 keep-state
${fwcmd} add 01004 allow log udp from 192.168.0.0/24 to 208.67.220.220 dst-port 53 keep-state
# LAN to the masked hosts
${fwcmd} add 01006 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02000 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02004 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02008 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02012 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02014 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02016 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
${fwcmd} add 02018 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
# loopback and the jail's own address
${fwcmd} add 04000 allow ip from 127.0.0.1 to any
${fwcmd} add 05000 allow ip from xxx.xxx.xxx.xxx to any
${fwcmd} add 05002 allow ip from any to xxx.xxx.xxx.xxx
# explicit catch-all deny ahead of the kernel's default rule 65535
${fwcmd} add 65534 deny ip from any to any
 

gtp04

-rw-rw-rw- 1 root 1011 1140 Jan 18 21:23 ipfw.rules

-rw------- 1 root wheel 455 Jan 21 13:14 rc.conf

My rules script has been edited to mask IP addresses.

Dan
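As an added check (not from the thread or from FreeBSD's rc.d), a small POSIX sh lint for a rules file referenced from rc.conf: rc runs firewall_script as root at boot, so the -rw-rw-rw- mode shown above means any user inside the jail could edit what root executes, and a rule missing its "to" clause is rejected by ipfw(8). The rules lines in the test are constructed samples.

```shell
#!/bin/sh
# lint_ipfw_rules FILE
# Assumed helper (not part of FreeBSD or this thread). Prints each finding and
# returns the number of problems found (0 = clean). Accepts both the
# firewall_script form ("${fwcmd} add ...") and the firewall_type form ("add ...").
lint_ipfw_rules() {
    f="$1"; problems=0
    if [ ! -r "$f" ]; then echo "unreadable: $f"; return 1; fi
    # rc(8) runs firewall_script as root, so a group- or world-writable file
    # lets any local user in the jail inject commands that run as root at boot.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "writable by group/other (want -rw-r--r-- root:wheel): $f"
        problems=$((problems + 1))
    fi
    # Every 'add' rule needs a complete 'from SRC to DST' clause; without the
    # 'to' keyword ipfw(8) rejects the rule and it silently never appears.
    while IFS= read -r line; do
        case "$line" in
            *" add "*" from "*" to "*|"add "*" from "*" to "*) ;;
            *" add "*|"add "*)
                echo "incomplete rule (no 'to' clause): $line"
                problems=$((problems + 1)) ;;
        esac
    done < "$f"
    # With IPFIREWALL_DEFAULT_TO_ACCEPT the implicit rule 65535 allows everything,
    # so the file must carry its own catch-all deny.
    if ! grep -q 'deny ip from any to any' "$f"; then
        echo "no final 'deny ip from any to any' rule"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# usage: sh lint.sh /etc/ipfw.rules
if [ "$#" -gt 0 ]; then lint_ipfw_rules "$1"; fi
```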
 

gtp04

Also, without specifying in rc.conf that it is a script I'm calling, the rules will not load at all.

Dan
 

Gonzalo

Change ipfw.rules to:
Code:
add 01000 allow log udp from 192.168.0.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/24 to xxx.xxx.xxx.xxx dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/24 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02000 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 02018 allow ip from 192.168.0.0/24 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from xxx.xxx.xxx.xxx to any
add 05002 allow ip from any to xxx.xxx.xxx.xxx
add 65534 deny ip from any to any
 

gtp04

Put it back to firewall_script=ipfw.rules and the rules will load with a service ipfw start.
 

gtp04

Same: not loading at boot, but now it will load the rules with service ipfw start.

Code:
root@bit_1:/ # ipfw list
65535 allow ip from any to any
 

gtp04

Anything else I can try? I feel so out of my element with FreeBSD and Linux...
At least I have command line DOS experience from the early 90s, lol, when I was a young teen...
Dan
 

Gonzalo

I don't know what else you can try... mine is working with a similar setup... could you try again in a new jail?
 

gtp04

The jail was created from the Transmission plugin... I suppose I could redo the whole thing... doesn't sound fun... lol.
And if it doesn't fix it I will not be happy...
But then again it's not working the way I need it now anyway, unless I manually start the ipfw service...

I think I may just make a jail and try it without disturbing Transmission...

Dan
 