From: Philip Payne
To: 'Carolyn Longfoot'
cc: "'freebsd-questions@freebsd.org'"
Date: Thu, 22 May 2003 14:26:23 +0100
Subject: RE: Update Firewall Rules

Hi.

> Thanks to all who replied, lots of food for thought!
>
> Maybe my setup is a little different than what people use because I have
> different rule sets in /etc/rc.firewall (which is the default with OPEN,
> SIMPLE and CLIENT) and one of them is configured in /etc/rc.conf.
>
> So my question is how I change from one rule set to another that is defined
> in rc.firewall. The problem should simply be how to pass the parameter (and
> to what) because
>     sh /etc/rc.firewall OPEN
> does not work, this simply reloads the same rule set that's defined in
> /etc/rc.conf.
>
> Good advice against lock-outs though. Is it generally the preferred
> approach to use different files for different rules, rather than keep sets
> in /etc/rc.firewall? And if so, how do you set this up in /etc/rc.conf,
> since the firewall type by default looks at rc.firewall...

Using the same approach as writing a script to carry out the
sh /etc/rc.firewall command. You could either have different scripts to pass
the firewall_type variable and then do the firewall rules, e.g.:

open-firewall.sh:
---
#!/bin/sh
# The variable has to be exported, otherwise the child sh that runs
# rc.firewall never sees it. Note that rc.firewall itself reads the
# lower-case firewall_type and re-sources rc.conf, which can override
# a value set in the environment.
FIREWALL_TYPE="OPEN"
export FIREWALL_TYPE
sh /etc/rc.firewall
---

closed-firewall.sh:
---
#!/bin/sh
FIREWALL_TYPE="CLOSED"
export FIREWALL_TYPE
sh /etc/rc.firewall
---

I'm really not a shell scripting person (networking is my area), so I can't
say this will definitely work but... kind of sounds right. Perhaps someone
with more shell scripting expertise can comment.

Alternatively, couldn't you just specify the variable on the command line
before running the implementation script? e.g. in bash:

# FIREWALL_TYPE=OPEN
# export FIREWALL_TYPE
# install-fwrules.sh

Again, never tried it myself... Let me know how you get on. Wouldn't mind
knowing for sure what's the correct approach.

Ta,

Phil.
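As an added example (my own code, not Phil's and not FreeBSD's rc.firewall): a wrapper that loads a named rule set through /etc/rc.firewall and arms a timed roll-back to a permissive set, so a mistaken rule set on a remote box does not lock you out, which is the lock-out concern raised above. It assumes rc.firewall accepts the rule-set name as its first argument; the RC_FIREWALL, CONFIRM_FILE and REVERT_DELAY variables are mine and overridable so the script can be exercised against a stand-in rc.firewall.

```shell
#!/bin/sh
# Added example (not from the thread): load a named ipfw rule set through
# /etc/rc.firewall and arm a watchdog that rolls back to a permissive set
# unless the change is confirmed, so a bad rule set on a remote box does
# not lock you out. Assumption: rc.firewall takes the rule-set name as $1.
# RC_FIREWALL, CONFIRM_FILE and REVERT_DELAY are overridable for testing.

RC_FIREWALL="${RC_FIREWALL:-/etc/rc.firewall}"
REVERT_TYPE="${REVERT_TYPE:-OPEN}"          # set to fall back to
REVERT_DELAY="${REVERT_DELAY:-120}"         # seconds before roll-back
CONFIRM_FILE="${CONFIRM_FILE:-/var/run/fw-confirmed}"

# Accept only the rule-set names rc.firewall knows, or a readable absolute
# path to a custom rules file (rc.firewall feeds such a file to ipfw).
valid_type() {
    case "$1" in
        OPEN|CLIENT|SIMPLE|CLOSED) return 0 ;;
        /*) [ -r "$1" ] ;;
        *) return 1 ;;
    esac
}

# Load a rule set and arm the watchdog. Returns 2 for an unknown name,
# or rc.firewall's own exit status if loading fails.
load_ruleset() {
    valid_type "$1" || { echo "unknown rule set: $1" >&2; return 2; }
    rm -f "$CONFIRM_FILE"
    sh "$RC_FIREWALL" "$1" || return $?
    # Watchdog: revert unless confirm_ruleset created the marker in time.
    (
        sleep "$REVERT_DELAY"
        [ -e "$CONFIRM_FILE" ] || sh "$RC_FIREWALL" "$REVERT_TYPE"
    ) &
    echo "loaded $1; run '$0 confirm' within ${REVERT_DELAY}s" >&2
}

# Run once you have checked that you can still reach the machine.
confirm_ruleset() { : > "$CONFIRM_FILE"; }

case "${1:-}" in
    load)    load_ruleset "$2" ;;
    confirm) confirm_ruleset ;;
esac
```

Typical use is `fw.sh load CLIENT` from an ssh session, then `fw.sh confirm` from a second session that still connects; if the second session cannot get in, the watchdog restores the OPEN set by itself.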