Date: Fri, 13 Sep 2002 08:47:06 -0300
From: "Daniel C. Sobral"
To: ipfw@FreeBSD.ORG
Subject: ipfw2 and rc.firewall

rc.firewall, atm, has the following:

    ############
    # Flush out the list before we begin.
    #
    ${fwcmd} -f flush

What *I* am using, post-ipfw2, is the following:

    if [ -z "${IPFWSET}" ]
    then
        # Clear and disable
        ipfw delete set 30
        IPFWSET="set 30"
        ipfw set disable 30
    fi

then ${IPFWSET} in each rule, and then:

    ipfw set swap 0 `echo ${IPFWSET} | cut -d ' ' -f 2`

at the end. This inserts all rules on set 30, disabled, and then swaps all of them at once, _if_ rc.firewall is successfully executed to the end. It also makes it easy to roll back if you need.

Switching between the two forms depending on whether you have ipfw2 or not is relatively simple. The rules themselves, if IPFWSET is unset, will work fine under ipfw1. All we would need is some way to tell ipfw2 and ipfw1 apart so that we can select between flush and the disabled set at the beginning/end of rc.firewall.

What do you people think?

-- 
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Phones: 55-61-313-7654/Cell: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
        Daniel.Sobral@tcoip.com.br
        dcs@tcoip.com.br

Others:
        dcs@newsguy.com
        dcs@freebsd.org
        capo@notorious.bsdconspiracy.net

It's not enough to be Hungarian; you must have talent too.
        -- Alexander Korda
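
The staged reload described in the message above, as an added example that is not part of the original post: rules are added to disabled set 30 and swapped into set 0 only if every add succeeded, so a rejected rule leaves the running ruleset untouched. FWCMD, STAGE, add_rule, load_ruleset, rollback and the sample rules are assumptions made for illustration; FWCMD defaults to a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the original post. All names and rules below are
# hypothetical; set FWCMD=/sbin/ipfw on an ipfw2 host to apply for real.
FWCMD="${FWCMD:-echo ipfw}"   # dry run by default: print instead of execute
STAGE=30                      # staging set number, as in the post

# Add one rule to the staging set and remember any failure.
add_rule() {
    num=$1; shift
    ${FWCMD} -q add "${num}" set "${STAGE}" "$@" || failed=1
}

load_ruleset() {
    failed=0
    # Empty the staging set and keep it disabled while it is being filled.
    ${FWCMD} -q delete set "${STAGE}"
    ${FWCMD} set disable "${STAGE}" || return 1

    # Constructed sample rules.
    add_rule 100 allow ip from any to any via lo0
    add_rule 200 deny ip from any to 127.0.0.0/8
    add_rule 300 check-state
    add_rule 400 allow tcp from me to any setup keep-state
    add_rule 500 allow tcp from any to me 22 setup keep-state

    if [ "${failed}" -ne 0 ]; then
        # A rule was rejected: drop the partial set, set 0 keeps filtering.
        ${FWCMD} -q delete set "${STAGE}"
        return 1
    fi
    # Every rule loaded: exchange live set 0 and the staged set in one step.
    ${FWCMD} set swap 0 "${STAGE}"
}

# After a swap the previous rules sit, disabled, in the staging set;
# swapping once more puts them back in force.
rollback() {
    ${FWCMD} set swap 0 "${STAGE}"
}

load_ruleset
```
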