
I set these lines in my rc.conf:

firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

cat /etc/ipfw.rules

add 02020 deny ip from table(10) to any
add 02030 deny ip from table(11) to any dst-port 25

...

But after reboot, ipfw show gives:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
 ... after that, my rules

But I don't have these lines about ip6 in my ipfw.rules.

How do I disable these useless rules?

Korjavin Ivan

1 Answer


You have enabled the IPv6 firewall without configuring it, so it is defaulting to type "unknown".

Either disable the IPv6 firewall by removing ipv6_firewall_enable="YES", or configure rules for the IPv6 firewall and load them as you are with the IPv4 firewall.

Edit:
The above is true for previous versions of FreeBSD. As of 9.0-STABLE the IPv6 and IPv4 firewall configurations are merged. The new answer is:

Those firewall entries are considered "mandatory" and can only be disabled by editing the configuration script or rolling your own configuration script.

Chris S
  • ipv6_firewall_enable="NO" doesn't help. Also I can't find any ipv6_firewall in /etc/default/. I understand your idea, thanks, but for now can't implement this. Nothing interesting neither in rc.firewall about ip6, nor in /etc/defaults – Korjavin Ivan Aug 27 '12 at 13:50
  • What version of FreeBSD are you running? – Chris S Aug 27 '12 at 14:03
  • 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Tue Aug 21 22:39:46 YEKT 2012 – Korjavin Ivan Aug 27 '12 at 14:07
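As an added illustration of the answer's second option (writing your own configuration script), not code from the original thread: a minimal replacement for /etc/rc.firewall that loads only what is in /etc/ipfw.rules, so the built-in loopback and IPv6 rules are never installed. The path /etc/ipfw.sh, the use of the firewall_script rc.conf setting, and the sample rules file are assumptions.

```shell
#!/bin/sh
# Constructed example of a replacement firewall script for FreeBSD ipfw.
# Assumed rc.conf settings (not from the original page):
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.sh"   # this file; rc.d/ipfw runs it instead of /etc/rc.firewall
# With /etc/rc.firewall bypassed, only the rules file below is loaded.

IPFW=${IPFW:-/sbin/ipfw}
RULES=${RULES:-/etc/ipfw.rules}

# Print the effective rule list: a flush, the non-comment lines of the rules file,
# and an explicit final deny (the kernel's own rule at 65535, normally deny, stays).
render_rules() {
    printf 'flush\n'
    awk '!/^[[:space:]]*(#|$)/' "$1"
    printf 'add 65000 deny ip from any to any\n'
}

# Feed each rendered line to ipfw; -f stops "flush" from prompting, word splitting
# of $line is intended. Between the flush and the first allow only the kernel default
# applies, so on a remote host run this from a detached session.
apply_rules() {
    render_rules "$1" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        "$IPFW" -q -f $line
    done
}

# Constructed sample rules file for a dry run (written to a temp file, path printed).
sample_rules_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# block hosts listed in table 10 outright, table 11 only for SMTP
add 02020 deny ip from table(10) to any
add 02030 deny ip from table(11) to any dst-port 25

add 02040 allow tcp from any to me dst-port 22 setup keep-state
EOF
    printf '%s\n' "$f"
}

# Count the "add" rules a file would install; a sanity check before applying it.
count_add_rules() {
    render_rules "$1" | grep -c '^add '
}

# Only touch the live firewall when ipfw and the rules file are present on this host.
if [ -x "$IPFW" ] && [ -r "$RULES" ]; then
    apply_rules "$RULES"
fi
```

Run it with RULES pointing at a test file and IPFW=echo to see exactly which commands would be issued before switching rc.conf over to it.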