From: Lane <lane@joeandlane.com>
To: freebsd-questions@freebsd.org
Date: Wed, 29 Nov 2006 14:05:54 -0600
In-Reply-To: <20061129143557.S55795@prime.gushi.org>
Message-Id: <200611291405.54995.lane@joeandlane.com>
Subject: Re: Command to "dump" firewall rules to be persistent across reboots.

On Wednesday 29 November 2006 13:38, Dan Mahoney, System Admin wrote:
> Hey all, I'm experimenting with ipfw as means of controlling some
> interesting anomalies like with portsentry or some ssh anti-brute-force
> scripts (i.e. adding bad hosts to tables, adding deny rules
> for certain hosts, etc), and I was wondering if there was (either in the
> form of a script, or a builtin command I can't find) some way to just
> "dump" all the ipfw data (pipes, queues, tables, etc) to a single file to
> be re-read on boot?
>
> I'd be willing to try and write something like this if it doesn't already
> exist, but I'm rather surprised it doesn't.
>
> -Dan Mahoney
>
> --
>
> "A single death is a tragedy. A million deaths is a statistic."
>
> -Josef Stalin, As quoted on the cover to Savatage's "Dead Winter Dead"
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------

Dan,

Take a look at "man rc.shutdown"

I don't know if it's exactly what you want, but there may be another way:

Write a script in /usr/local/etc/rc.d that responds to the "start" and "stop" parameters.

In the "stop" section you can output "ipfw list" to a file.

Then in the "start" section you can read that file and run each line, essentially unmodified, against ipfw.

good luck!

lane
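An rc.d script along the lines Lane describes, added here as an example; it is not code from this thread or from FreeBSD. The script name ipfw_persist, the rules file path and the IPFW and RULES_FILE variables are assumptions. The stop branch writes "ipfw list" to a file (mode 600, renamed into place only when complete, since whatever is in that file becomes root's firewall policy at the next boot), and the start branch refuses a world-writable file and otherwise feeds each saved line, unmodified, to "ipfw add":

```shell
#!/bin/sh
#
# PROVIDE: ipfw_persist
# REQUIRE: ipfw
# KEYWORD: shutdown
#
# ipfw_persist: save the running ipfw rule set at shutdown, replay it at boot.
# Added example for this thread; not a script from the list or from FreeBSD.
# Install as /usr/local/etc/rc.d/ipfw_persist (assumed name), mode 755.

# Both variables are assumptions; override them in the environment if needed.
IPFW=${IPFW:-/sbin/ipfw}
RULES_FILE=${RULES_FILE:-/var/db/ipfw_persist.rules}

# "stop": dump the live rules to $RULES_FILE.
ipfw_persist_dump()
{
    rules=$($IPFW list) || return 1
    tmp="${RULES_FILE}.tmp.$$"
    # The file is executed as root at boot, so create it unreadable to others
    # (umask 077 in a subshell) and rename it into place only when complete.
    (
        umask 077
        # Drop blank lines and the built-in default rule 65535, which ipfw
        # will not accept from "add"; every other line replays unmodified.
        printf '%s\n' "$rules" | awk 'NF > 0 && $1 != "65535"' > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$RULES_FILE"
}

# "start": feed each saved line to "ipfw add".
ipfw_persist_restore()
{
    if [ ! -r "$RULES_FILE" ]; then
        echo "ipfw_persist: no saved rules in $RULES_FILE" >&2
        return 1
    fi
    # Refuse a world-writable file: its contents become root's firewall policy.
    if [ -n "$(find "$RULES_FILE" -prune -perm -002 -print)" ]; then
        echo "ipfw_persist: $RULES_FILE is world-writable, not loading it" >&2
        return 1
    fi
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # "ipfw list" prints "<number> <rule>", and "ipfw add" takes the
        # number as its first word, so the line needs no rewriting.
        # $line is deliberately unquoted: ipfw wants the rule as separate words.
        $IPFW -q add $line || { echo "ipfw_persist: failed on: $line" >&2; return 1; }
        n=$((n + 1))
    done < "$RULES_FILE"
    echo "ipfw_persist: restored $n rule(s) from $RULES_FILE"
}

# Dispatch only when rc(8) passes start or stop; sourcing the file without an
# argument just defines the functions.
case "${1:-}" in
    start) ipfw_persist_restore ;;
    stop)  ipfw_persist_dump ;;
esac
```

Two caveats a practitioner would want: "ipfw list" prints only the rule list, so pipes, queues and table contents (which Dan asked about) are not captured by this and would need their own show/add handling, and the file is only as fresh as the last clean shutdown, so after a crash or power loss the replayed rules are whatever was saved the previous time.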