Date: Thu, 22 May 2003 18:31:34 -0000
From: Giorgos Keramidas <keramida@linux.gr>
To: Philip Payne <philip.payne@uk.mci.com>
Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: Re: Update Firewall Rules
Message-ID: <3ECD16FB.4020604@linux.gr>
In-Reply-To: <36D04A8168B2D41182250008C7E6F8780374F76D@ukcamexch2.cbg.uk.corp.eu.uu.net>
References: <36D04A8168B2D41182250008C7E6F8780374F76D@ukcamexch2.cbg.uk.corp.eu.uu.net>
Philip Payne wrote:

>> Thanks to all who replied, lots of food for thought!
>>
>> Maybe my setup is a little different than what people use
>> because I have different rule sets in /etc/rc.firewall
>> (which is the default with OPEN, SIMPLE and CLIENT)
>> [...]
>> Good advice against lock-outs though. Is it generally the
>> preferred approach to use different files for different
>> rules, rather than keep sets in /etc/rc.firewall?

I usually keep a bunch of ipfw rulesets around in files named
/etc/ipfw.xxxx or /etc/ipf.yyyy and then set my firewall_type=""
(or ipfilter_rules="") to the full path (it *is* important to use
the full path, at least for ipfw rulesets) when switching among
them:

# ipfw -q /etc/ipfw.open
# ipfw -q /etc/ipfw.paranoid

>> And if so, how do you set this up in /etc/rc.conf, since
>> the firewall type by default looks at rc.firewall...

There is a post I made in -questions a while ago that explains all
this in a bit of detail.  Look at the archives, please..  Right now
my ISP is having serious problems and I can't reach google.com at
all, but look at groups.google.com for something like this:

    author:keramidas & group:*freebsd* & ipfw & firewall_type

and you shouldn't have trouble spotting the correct post.

> Using the same approach as writing a script to carry out the
> sh /etc/rc.firewall command.
>
> You could either have different scripts to pass the
> firewall_type variable and then do the firewall rules e.g.:
>
> open-firewall.sh:
> ---
> #!/bin/sh
> FIREWALL_TYPE="OPEN"
> sh /etc/rc.firewall
> ---

Nope, that will probably not work...  Capitalization does matter.
It's firewall_type in all lowercase.  Not FIREWALL_TYPE.  But then,
even if you get the capitalization right, rc.firewall will load
rc.conf and override this value from the environment the script
runs in.

> I'm really not a shell scripting person (networking is my area),
> so I can't say this will definitely work but... kind of sounds
> right.  Perhaps someone with more shell scripting expertise can
> comment.

It'll work fine if rc.conf doesn't override firewall_type :-)

> Let me know how you get on.  Wouldn't mind knowing for sure what's the
> correct approach.

I tried to outline all possible ways of loading rules with the
rc.firewall script, without it, manually or whatever in the post
mentioned above.  Just search the archives.  I can't help you with
the searching ATM :-/

- Giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ECD16FB.4020604>
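The switching procedure Giorgos describes (rulesets kept in files named /etc/ipfw.<name>, loaded by full path with `ipfw -q`, with rc.firewall and therefore rc.conf's firewall_type out of the picture) as a small POSIX sh wrapper. This is an added example, not code from the thread or from FreeBSD; the RULESET_DIR and DRY_RUN variables, the run_ipfw helper and the empty-ruleset guard (the lock-out concern Philip raised) are this example's own assumptions, and the sample rule lines used to try it are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a wrapper for keeping ipfw
# rulesets in files named /etc/ipfw.<name> and loading one with
# "ipfw -q /full/path".  Because it never runs rc.firewall, nothing in rc.conf
# (firewall_type included) can override what gets loaded.
# Assumptions (not from the post): RULESET_DIR and DRY_RUN are this script's own
# knobs; DRY_RUN=1 prints the ipfw command lines instead of running them, so the
# logic can be exercised on a machine without ipfw.

RULESET_DIR="${RULESET_DIR:-/etc}"

# Run ipfw, or just echo the command line when DRY_RUN is set.
run_ipfw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# Resolve a short name such as "open" or "paranoid" to the absolute ruleset path.
# Only a plain, readable file directly under RULESET_DIR is accepted: no empty
# name, no path separators, no "..", so the name cannot escape the directory.
ruleset_path() {
    name="$1"
    case "$name" in
        ''|*/*|*..*)
            echo "bad ruleset name: '$name'" >&2
            return 1 ;;
    esac
    path="$RULESET_DIR/ipfw.$name"
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "no such ruleset: $path" >&2
        return 1
    fi
    echo "$path"
}

# Count the rule lines (anything that is not blank or a comment) in a file.
ruleset_rule_count() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         { n++ }
         END { print n + 0 }' "$1"
}

# Switch to the named ruleset: flush the live rules, then load the file by its
# full path.  An empty or comment-only file is refused before anything is
# flushed: "flush" leaves only ipfw's default rule 65535, which denies all
# traffic on a kernel built with the default (deny) policy, so flushing and then
# loading nothing is the classic way to lock yourself out of a remote box.
switch_ruleset() {
    path=$(ruleset_path "$1") || return 1
    if [ "$(ruleset_rule_count "$path")" -eq 0 ]; then
        echo "refusing to load empty ruleset $path" >&2
        return 1
    fi
    run_ipfw -q -f flush && run_ipfw -q "$path"
}

# Usage: ./switch-ipfw.sh open      (or: DRY_RUN=1 ./switch-ipfw.sh paranoid)
if [ "$#" -gt 0 ]; then
    switch_ruleset "$1"
fi
```

Point RULESET_DIR somewhere else to try it against copies of your rulesets first, and run with DRY_RUN=1 to see exactly which two ipfw invocations would happen before letting it touch the live rules.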