webmin / webmin

Powerful and flexible web-based server management control panel
http://www.webmin.com/
BSD 3-Clause "New" or "Revised" License

IPFW Version check fails (BSD-Firewall) #410

Closed bsiege closed 8 years ago

bsiege commented 8 years ago

FreeBSD 10.3-STABLE FreeBSD 10.3-STABLE #0 r303766
Webmin 1.800 from ports

On all my systems version 1 is determined, but I am pretty sure that it is version 2 because it allows MAC addresses... which seems to be a difference according to edit_rule.cgi. But I cannot find where/how the version is determined. Manually editing /usr/local/etc/webmin/ipfw/version does not help.

jcameron commented 8 years ago

What does the ipfw -h command output on your system?

bsiege commented 8 years ago

On 12.08.16 05:51, Jamie Cameron wrote:

> What does the ipfw -h command output on your system?

ipfw -h

ipfw syntax summary (but please do read the ipfw(8) manpage):

ipfw [-abcdefhnNqStTv] <command>

where <command> is one of the following:

add [num] [set N] [prob x] RULE-BODY
{pipe|queue} N config PIPE-BODY
[pipe|queue] {zero|delete|show} [N{,N}]
nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|
        reverse|proxy_only|redirect_addr linkspec|
        redirect_port linkspec|redirect_proto linkspec}
set [disable N... enable N...] | move [rule] X to Y | swap X Y | show
set N {show|list|zero|resetlog|delete} [N{,N}] | flush
table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}
table all {flush | list}

RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]
ACTION: check-state | allow | count | deny | unreach{,6} CODE |
        skipto N | {divert|tee} PORT | forward ADDR |
        pipe N | queue N | nat N | setfib FIB | reass
PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]
ADDR: [ MAC dst src ether_type ]
        [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]
        [ ipv6|ip6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]
IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }
IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }
IP6LIST: { ip6 | ip6/bits }[,IP6LIST]
IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]
OPTION_LIST: OPTION [OPTION_LIST]
OPTION: bridged | diverted | diverted-loopback | diverted-output |
        {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |
        {dst-port|src-port} LIST |
        estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |
        iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |
        ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |
        icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |
        mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
        setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |
        tcpdatalen LIST | verrevpath | versrcreach | antispoof

jcameron commented 8 years ago

Are you sure that's version 2? Webmin looks for the preproc option to determine if it's version 2 or not.

bsiege commented 8 years ago

On 13.08.16 06:35, Jamie Cameron wrote:

> Are you sure that's version 2? Webmin looks for the preproc option to determine if it's version 2 or not.

ipfw -p test

ipfw: An absolute pathname must be used with -p option.

It seems that it is there, but not mentioned in ipfw -h.

[user@host:/usr/src/sbin/ipfw] # ll
total 332
-rw-r--r-- 1 root wheel    294 Aug 5 11:06 Makefile
-rw-r--r-- 1 root wheel   3330 Aug 5 11:06 altq.c
-rw-r--r-- 1 root wheel  49550 Aug 5 11:06 dummynet.c
-rw-r--r-- 1 root wheel 103394 Aug 5 11:06 ipfw.8
-rw-r--r-- 1 root wheel 105147 Aug 5 11:06 ipfw2.c
-rw-r--r-- 1 root wheel   7479 Aug 5 11:06 ipfw2.h
-rw-r--r-- 1 root wheel  13290 Aug 5 11:06 ipv6.c
-rw-r--r-- 1 root wheel  15907 Aug 5 11:06 main.c
-rw-r--r-- 1 root wheel  23714 Aug 5 11:06 nat.c

jcameron commented 8 years ago

I guess what I really need is a way to detect if IPFW version 2 is in use. Or is ipfw version 1 now so old that nobody is using it, and thus support can be dropped?

bsiege commented 8 years ago

Sorry, I am no expert on ipfw. I just ran into an installation and tried to make sense out of the rule-set. Then I found this little bug. But maybe you can really drop:

HISTORY
The ipfw utility first appeared in FreeBSD 2.0. dummynet(4) was introduced in FreeBSD 2.2.8. Stateful extensions were introduced in FreeBSD 4.0. ipfw2 was introduced in Summer 2002.

jcameron commented 8 years ago

Ok, I think I'll just have Webmin assume IPFW version 2 from now on (but give the user an option to revert to version 2 behavior)
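
The detection problem discussed in this thread, as an added example (not Webmin's code and not part of the original issue): the `preproc` substring check described above reports version 1 for the quoted `ipfw -h` output, while a check on the layer-2 grammar tokens the reporter pointed to reports version 2. The function names and the choice of `MAC dst src`, `mac-type` and `layer2` as version 2 markers are assumptions made for illustration.

```shell
#!/bin/sh
# Trimmed excerpt of the `ipfw -h` output quoted in this thread (sample input).
sample_help() {
cat <<'EOF'
ipfw [-abcdefhnNqStTv] <command>
ADDR: [ MAC dst src ether_type ]
ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |
mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |
EOF
}

# Heuristic as described in the thread: version 2 only if the help text
# mentions "preproc". Reads help text on stdin; prints 1, 2 or "unknown".
detect_by_preproc() {
    text=$(cat)
    # Empty input (binary missing, no output) must not be read as version 1.
    [ -n "$text" ] || { echo unknown; return 0; }
    if printf '%s\n' "$text" | grep -q 'preproc'; then echo 2; else echo 1; fi
}

# Hypothetical alternative (an assumption, not Webmin's method): treat the
# layer-2 grammar tokens in the help text as the marker for version 2.
detect_by_grammar() {
    text=$(cat)
    [ -n "$text" ] || { echo unknown; return 0; }
    if printf '%s\n' "$text" | grep -Eq 'MAC dst src|mac-type|layer2'; then
        echo 2
    else
        echo 1
    fi
}

# On a live host the input would come from: ipfw -h 2>&1 | detect_by_grammar
printf 'preproc check: %s, grammar check: %s\n' \
    "$(sample_help | detect_by_preproc)" "$(sample_help | detect_by_grammar)"
```

A management UI that gets this wrong hides rule fields the running firewall actually supports, so returning "unknown" on empty output is safer than silently falling back to the older feature set.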