IPFW script not loading at boot


Khang Nguyen

Cadet
Joined
Jul 11, 2016
Messages
5
Hello,

I am new to FreeNas so please bear with me. I am following instructions from this article to configure IPFW for my FreeNAS. https://www.freebsd.org/doc/handbook/firewalls-ipfw.html

In my rc.conf I have these two firewall statements:
firewall_enable="yes"
firewall_script="/etc/myrules.sh"

The myrules.sh script has all the rules, and it runs fine when I execute it manually (sh myrules.sh).

However, I have 2 problems.
  1. The myrules.sh script will not run at boot. After I reboot the FreeNAS and run "ipfw -show", it shows "65535 allow ip from any to any" and none of the rules from my script show.
  2. If I manually execute the myrules.sh script and run "ipfw -show" again, it lists all my rules first and the "65535 allow ip from any to any" at the bottom.
I thought /etc/rc.d/ipfw controls how IPFW is loaded via rc.conf, and if I specified firewall_script in /etc/rc.conf, then /etc/rc.d/ipfw loads only that script at boot.

My question is: why is my rule script not running at boot, and where is the "65535 allow ip from any to any" rule loading from? Please let me know if you have any advice on how to fix this.

Thanks,
Khang
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
You need to provide more information per our forum rules in order to provide you some help.

1) What version of FreeNAS are you running?
2) We don't need hardware configuration really provided you are running the recommended minimum requirements.
3) While you are being descriptive for the most part with your problem, you are quoting the FreeBSD manual and trying to implement changes in rc.conf directly I suspect. Read the FreeNAS user manual about the tunables and rc.conf settings, that may solve your problems.
4) If you still need help, tell us enough so we can try to recreate your problem and test why your changes are not working.
 

Khang Nguyen

Cadet
Joined
Jul 11, 2016
Messages
5
Hi Joe,

Please see below for my responses to your questions.


1) What version of FreeNAS are you running? I am running FreeNAS 9.10.
2) We don't need hardware configuration really provided you are running the recommended minimum requirements. Yes, server hardware (128GB RAM, 110GB SSD disk).
3) While you are being descriptive for the most part with your problem, you are quoting the FreeBSD manual and trying to implement changes in rc.conf directly I suspect. Read the FreeNAS user manual about the tunables and rc.conf settings, that may solve your problems.
4) If you still need help, tell us enough so we can try to recreate your problem and test why your changes are not working.
It is so easy to recreate the problem. If you set up a new FreeNAS OS, make changes to the "/conf/base/etc/rc.conf" file (adding the two lines firewall_enable="yes" and firewall_script="/etc/myrules.sh"), create some rules for the myrules.sh file, and reboot the FreeNAS, you will see the issues that I mentioned earlier.

Please let me know if you need additional information.

Thanks,
Khang
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
It is so easy to recreate the problem. If you set up a new FreeNAS OS, make changes to the "/conf/base/etc/rc.conf" file (adding the two lines firewall_enable="yes" and firewall_script="/etc/myrules.sh"), create some rules for the myrules.sh file, and reboot the FreeNAS, you will see the issues that I mentioned earlier.
While I have not fully tested this personally, I believe the proper way to do this is:

Set firewall_enable="yes" in [System] - [Tunables]

Add an Init/Shutdown Script in [Tasks] - [Init/Shutdown Scripts]
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
While I have not fully tested this personally, I believe the proper way to do this is:

Set firewall_enable="yes" in [System] - [Tunables]
Add an Init/Shutdown Script in [Tasks] - [Init/Shutdown Scripts]

No, at least partially wrong in both cases (sorry @Mirfster I hate to be the party pooper). The FreeBSD firewall_enable directive in rc.conf causes the FreeBSD base system to invoke the system's configured firewall script. You do not want or need this.

You also do not want to install your firewall script in /etc. You want to install it in your pool, so that it survives upgrades/reinstalls.

You *do* want to add your firewall script that you've saved to your pool as an Init/Shutdown Script as @Mirfster shows. You also want to make sure that your firewall script is marked executable and has the appropriate shebang at the top.

So, in summary, substituting your pool name for ${pool},

1) Undo any damage that you've done to your base system, including any system tunables for firewall, and anything in /conf/base/etc, /etc, that's been changed by hand

2) Save your script as /mnt/${pool}/firewall.sh

3) chmod a+x /mnt/${pool}/firewall.sh

4) Test by executing /mnt/${pool}/firewall.sh from the command line

5) Add an init/shutdown script in Tasks for /mnt/${pool}/firewall.sh

6) Reboot and verify that the rules were installed

Then you should probably tell us the environment you're in, because generally a FreeNAS system shouldn't need a firewall, and if it does, you are probably doing something that is dangerous and risky. If you are placing a FreeNAS system directly on the Internet, for example, you need to restrict access upstream of the FreeNAS host, not *on* the FreeNAS host. A reinstall or other issue might render your firewall disabled, without your being aware of this, which could have adverse effects on your system security. Relying on an on-host firewall for FreeNAS security is almost always a mistake, because the system defaults to allow all.
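The script the steps above refer to is never shown in the thread, so here is an added example of what a pool-resident ipfw rule script for Khang's stated goal (allowing only certain internal subnets to reach the NAS) could look like. It is not jgreco's, Mirfster's, or the FreeNAS project's code; the subnets, the admin host address and the file location /mnt/${pool}/firewall.sh are constructed placeholders. The rule set is built by a function that only prints it, so it can be reviewed before it is ever applied, and the script applies it only when the ipfw binary is actually present. It does not read firewall_enable from rc.conf, which is the check joeschmuck mentions having to remove.

```shell
#!/bin/sh
# Example ipfw rule script (added example, not from the thread). Intended to be
# saved on the pool, e.g. /mnt/${pool}/firewall.sh, marked executable
# (chmod a+x) and run from Tasks -> Init/Shutdown Scripts. It does not depend
# on firewall_enable in rc.conf; everything it needs is in this file.
#
# Subnets and the admin host below are constructed placeholder values.
ALLOWED_SUBNETS="192.168.10.0/24 192.168.20.0/24"   # subnets allowed to use shares
MGMT_HOST="192.168.10.5"                            # only host allowed to reach web UI / ssh

# Emit the rule set as "ipfw add" argument lines, lowest number first.
# Nothing is applied here, so the output can be reviewed or diffed before use.
generate_rules() {
    # Match replies to flows the NAS itself opened (see keep-state below).
    echo "00050 check-state"
    # Loopback and already-established TCP sessions keep working.
    echo "00100 allow ip from any to any via lo0"
    echo "00200 allow tcp from any to any established"
    # Traffic the NAS initiates (DNS, NTP, updates) and its replies.
    echo "00300 allow ip from me to any out keep-state"
    # ICMP echo from inside so monitoring still works.
    echo "00400 allow icmp from any to me icmptypes 8"
    # Management (ssh, web UI) only from the admin host; everyone else is
    # refused and logged before the per-subnet allow rules are reached.
    echo "00500 allow tcp from ${MGMT_HOST} to me 22,80,443"
    echo "00600 deny log tcp from any to me 22,80,443"
    # File-sharing access only from the approved internal subnets.
    n=1000
    for net in ${ALLOWED_SUBNETS}; do
        echo "$(printf '%05d' "$n") allow ip from ${net} to me"
        n=$((n + 100))
    done
    # Everything else is logged and dropped. This rule sits in front of the
    # kernel's built-in default rule 65535, which ipfw cannot delete; with
    # 65000 in place, rule 65535 is never reached.
    echo "65000 deny log ip from any to any"
}

# Number of rules produced; compare with 'ipfw show' after a reboot to verify
# the init script actually ran.
rule_count() {
    generate_rules | wc -l | tr -d ' '
}

# Apply the rule set: flush whatever is loaded, then add each line in order.
apply_rules() {
    ipfw -q -f flush
    generate_rules | while read -r line; do
        # word-splitting of the rule line into ipfw arguments is intended
        ipfw -q add $line
    done
}

# On the FreeNAS host (ipfw present) apply the rules unless a dry run is
# requested; anywhere else just print them so the script can be reviewed.
if command -v ipfw >/dev/null 2>&1 && [ "${FIREWALL_DRY_RUN:-0}" != 1 ]; then
    apply_rules
else
    generate_rules
fi
```

Running it with FIREWALL_DRY_RUN=1 on the NAS prints the rule list without touching the live table, which is a convenient way to check a change before rebooting; after the reboot, `ipfw show` should list exactly these rules followed by the built-in 65535 rule.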
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Agreed, I questioned myself when replying, thinking "Why would anyone really want to set firewall rules on FreeNAS?" Good catches on all the other points as well, especially about having scripts reside on the pool.

Glad to have been corrected. :)
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@jgreco That is almost exactly how I've done this stuff in the past. I do use a tunable due to the way I write many of my scripts, and it's just a holdover from the 8.x days. If the script is looking for "firewall_enable=yes", then the script will need to be adjusted to remove that check.
 

Khang Nguyen

Cadet
Joined
Jul 11, 2016
Messages
5
Sorry for the late response. Following @Mirfster's and @jgreco's instructions, I was able to make the firewall script run at boot. However, when I run "ipfw show", it lists all my rules first and the "65535 allow ip from any to any" at the bottom. Right above the "65535 allow ip from any to any" is the "65000 deny log all from any to any" rule. I know ipfw processes rules from the top down, so I believe it is fine to have the "65535 allow ip from any to any" at the bottom. However, is there a way to get rid of this "65535 allow ip from any to any" rule?

The FreeNAS system is not facing the Internet directly, and yes, there is hardware firewall protection. The reason I use ipfw is that I want to limit access to the FreeNAS system to certain internal subnets. (I have several subnets in my internal networks and don't want users from all subnets to connect to the FreeNAS.)

Thanks,
Khang
 

Khang Nguyen

Cadet
Joined
Jul 11, 2016
Messages
5
Hi Mirfster,

I figured it out. I use Hosts Allow and Hosts Deny (Shares settings). I have "ALL" in Hosts Deny and have the subnets that I want to grant access in Hosts Allow.

Thanks,
Khang
 