• IPFW seems changed since using RC instead of OpenRC

Posted: **Tue Aug 31, 2021 5:07 am**

Somewhere in the last couple of updates the nature of ipfw has changed. I used to run this script to open ports for SIP with Linphone:

#!/bin/sh
sudo ipfw add 10000 allow tcp from any to any 5060 in keep-state :default
sudo ipfw add 10001 allow udp from any to any 5060 in keep-state :default
sudo ipfw add 10002 allow tcp from any to any 5061 in keep-state :default
sudo ipfw add 10003 allow udp from any to any 5061 in keep-state :default
sudo ipfw add 10004 allow udp from any to any 7078 in keep-state :default
sudo ipfw add 10005 allow udp from any to any 9078 in keep-state :defau

lt

This would report:

10000 allow tcp from any to any 5060 in keep-state :default
10001 allow udp from any to any 5060 in keep-state :default
10002 allow tcp from any to any 5061 in keep-state :default
10003 allow udp from any to any 5061 in keep-state :default
10004 allow udp from any to any 7078 in keep-state :default
10005 allow udp from any to any 9078 in keep-state :default

It now reports:

ipfw: getsockopt(IP_FW_XADD): Protocol not available

What's changed in the way ipfw runs?
What am I missing please?
Thanks,
Steve

Posted: **Tue Aug 31, 2021 5:48 am**

Make sure you have firewall_enable="YES" and ipfw_enable="YES" in /etc/rc.conf

Posted: **Tue Aug 31, 2021 5:50 pm**

Hi Eric,
I added
firewall_enable="YES" and ipfw_enable="YES"
to rc.conf
and it's now running.
Look like everyone will need to add the actions to their rc.conf.

For some reason the vpn now won't run.
I've rolled back to openrc version for present as I can't fathom why the ipfw won't let my vpn run on the rc version.
I'm no expert on configuring a firewall.
Steve

Posted: **Tue Aug 31, 2021 6:38 pm**

can you run this?

Code: Select all

rc_system

What is the output?
Also is the output of

Code: Select all

pkg query '%v' os-generic-userland-base

Posted: **Wed Sep 01, 2021 12:57 am**

for
# rc_system
and
# sudo rc_system
Report:
zsh: command not found: rc_system
For
# pkg query '%v' os-generic-userland-base
it reports:
21.08.17
The old OpenRC version is 21.06.23

Posted: **Wed Sep 01, 2021 6:23 am**

Oh meant kenv rc_system

What sudo service ipfw start does?

Posted: **Thu Sep 02, 2021 5:34 am**

Sorry for the delay - life got in the way...
Now,
Remembering we've manually added
firewall_enable="YES"
ipfw_enable="YES"
to
/etc/rc.conf.
Then,
# sudo service ipfw start
reports:
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
Firewall rules loaded.

# kenv rc_system
reports:
bsdrc

Posted: **Thu Sep 02, 2021 7:33 am**

Seems to be fixed now.

IPFW seems changed since using RC instead of OpenRC

IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC

Re: IPFW seems changed since using RC instead of OpenRC