IPFW seems changed since using RC instead of OpenRC

nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Post by nevets »

Somewhere in the last couple of updates the nature of ipfw has changed. I used to run this script to open ports for SIP with Linphone:
#!/bin/sh
sudo ipfw add 10000 allow tcp from any to any 5060 in keep-state :default
sudo ipfw add 10001 allow udp from any to any 5060 in keep-state :default
sudo ipfw add 10002 allow tcp from any to any 5061 in keep-state :default
sudo ipfw add 10003 allow udp from any to any 5061 in keep-state :default
sudo ipfw add 10004 allow udp from any to any 7078 in keep-state :default
sudo ipfw add 10005 allow udp from any to any 9078 in keep-state :default

This would report:
10000 allow tcp from any to any 5060 in keep-state :default
10001 allow udp from any to any 5060 in keep-state :default
10002 allow tcp from any to any 5061 in keep-state :default
10003 allow udp from any to any 5061 in keep-state :default
10004 allow udp from any to any 7078 in keep-state :default
10005 allow udp from any to any 9078 in keep-state :default
It now reports:
ipfw: getsockopt(IP_FW_XADD): Protocol not available
What's changed in the way ipfw runs?
What am I missing please?
Thanks,
Steve
User avatar
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: IPFW seems changed since using RC instead of OpenRC

Post by ericbsd »

Make sure you have firewall_enable="YES" and ipfw_enable="YES" in /etc/rc.conf
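
One way to confirm that the two rc.conf settings named above are actually in effect, as an added example that is not part of the original thread. The helper names are hypothetical, the sample rc.conf is constructed, and it assumes plain name="value" assignments; the accepted values (YES, TRUE, ON, 1, case-insensitive) are the ones rc.subr's checkyesno treats as enabled.

```sh
#!/bin/sh
# Added example (not from the thread): check the rc.conf knobs named above.
# rc_knob, knob_enabled and check_ipfw_knobs are hypothetical helper names.

# rc_knob FILE NAME: print the last value assigned to NAME (empty if unset).
# rc.conf is sourced as shell, so a later assignment overrides an earlier one;
# commented-out lines are ignored, optional quotes are stripped.
rc_knob() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# knob_enabled FILE NAME: succeed if the value is one checkyesno accepts.
knob_enabled() {
    case "$(rc_knob "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ipfw_knobs FILE: report both knobs; exit status = number not enabled.
check_ipfw_knobs() {
    missing=0
    for knob in firewall_enable ipfw_enable; do
        if knob_enabled "$1" "$knob"; then
            echo "$knob: enabled"
        else
            echo "$knob: NOT enabled in $1"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample rc.conf; point check_ipfw_knobs at /etc/rc.conf for real use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#firewall_enable="YES"
firewall_enable="NO"
firewall_enable="YES"   # later assignment wins
ipfw_enable=no
EOF
if ! check_ipfw_knobs "$sample"; then
    echo "add the missing knob(s), then run: service ipfw start"
fi
rm -f "$sample"
```
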
nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Re: IPFW seems changed since using RC instead of OpenRC

Post by nevets »

Hi Eric,
I added
firewall_enable="YES" and ipfw_enable="YES"
to rc.conf
and it's now running.
Looks like everyone will need to add the actions to their rc.conf.

For some reason the vpn now won't run.
I've rolled back to openrc version for present as I can't fathom why the ipfw won't let my vpn run on the rc version.
I'm no expert on configuring a firewall.
Steve
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: IPFW seems changed since using RC instead of OpenRC

Post by ericbsd »

Can you run this?

rc_system

What is the output?
Also, what is the output of

pkg query '%v' os-generic-userland-base
nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Re: IPFW seems changed since using RC instead of OpenRC

Post by nevets »

for
# rc_system
and
# sudo rc_system
Report:
zsh: command not found: rc_system
For
# pkg query '%v' os-generic-userland-base
it reports:
21.08.17
The old OpenRC version is 21.06.23
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: IPFW seems changed since using RC instead of OpenRC

Post by ericbsd »

Oh, I meant kenv rc_system

What does sudo service ipfw start do?
nevets
Posts: 57
Joined: Tue Jun 23, 2020 3:54 am

Re: IPFW seems changed since using RC instead of OpenRC

Post by nevets »

Sorry for the delay - life got in the way...
Now,
Remembering we've manually added
firewall_enable="YES"
ipfw_enable="YES"
to
/etc/rc.conf.
Then,
# sudo service ipfw start
reports:
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
Firewall rules loaded.

# kenv rc_system
reports:
bsdrc
ericbsd
Developer
Posts: 1833
Joined: Mon Nov 19, 2012 7:54 pm

Re: IPFW seems changed since using RC instead of OpenRC

Post by ericbsd »

Seems to be fixed now.