From owner-freebsd-questions Wed Mar 5 14:47:55 2003
Date: Thu, 6 Mar 2003 00:36:44 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Brian Henning
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall revisited
Message-ID: <20030305223644.GA29314@gothmog.gr>

On 2003-03-05 09:32, Brian Henning wrote:
> Hello-
> currently my rc.conf is set up like this for my gateway router.
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="rl1"    # natd -interface rl1, public interface
> natd_flags=""           # sysctl net.inet.ip.forwarding=1
>
> how can i have the script /etc/ipfw.rules run instead of
> /etc/rc.firewall. can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?
Why are you confused?  That depends on what you're trying to do and what
the contents of /etc/ipfw.rules are.  There are currently the following
ways to set up a completely custom set of firewall rules:

1. Rewrite /etc/rc.firewall

   This can easily be done, if you replace /etc/rc.firewall with your
   custom script.  This isn't recommended though, since you'd have to
   carefully track all changes to the official version of the
   rc.firewall script and merge any interesting stuff back to your
   version of the script.

2. Add a new firewall "type" to rc.firewall

   Copying one of the existing firewall types you can easily add a new
   one, and make sure that it loads all (and only) the ipfw(8) rules
   that you want.  This can be difficult to keep up to date after
   changes to the rc.firewall script, but not as difficult to keep up
   to date as option #1.

3. Write your own version of a firewall script

   Copy `rc.firewall' to a new script (i.e., `rc.firewall.local') and
   make your changes to the new script.  Then set firewall_script to
   point to the new script in `/etc/rc.conf'.  For example:

       % cat /etc/rc.firewall.local
       fwcmd="/sbin/ipfw"
       ${fwcmd} -q flush
       ${fwcmd} add 1 pass ip from any to any

       % grep firewall_script /etc/rc.conf
       firewall_script="/etc/rc.firewall.local"

   This is a fairly nice way of doing things, but it doesn't work
   correctly if you want to tweak the way ipfw(8) is called by setting
   things like firewall_quiet="YES" in your `rc.conf' file.  Mostly
   because the logic for all those firewall_xxx options is implemented
   as part of the existing `rc.firewall' script.

4. Create a ruleset file, and point rc.firewall to it

   You can always write your own set of firewall rules, without a
   ${fwcmd} prefix, and save it to a file, i.e. `/etc/ipfw.rules'.
   This is a plain text file that contains *only* firewall rules.  No
   shell commands.
   You can use `#' for comments (as shown in the sample file below):

       % cat /etc/ipfw.rules
       flush
       add allow ip from any to any

   Then you just need to make sure that your `rc.conf' contains the
   following two lines:

       firewall_enable="YES"
       firewall_type="/etc/ipfw.rules"

   The firewall_type value is the *FULL* path to the ruleset file.  It
   is important to include the leading `/' character.  This way,
   ipfw(8) will know that this is the path of a rule file and not the
   name of a command (like `add' in `ipfw add ...').

This is the way I usually prefer setting ipfw(8) up.  For various
reasons.  One of them is that my firewall rules are not lost in between
the lines of some shell script that I don't remember I have edited.
Another reason is that having made no changes to the original
`rc.firewall' script, there is no need to take care for merging changes
later with mergemaster(8).

Phew.  This was long.

- Giorgos
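An added example, not part of Giorgos's message or of FreeBSD's own rc scripts: a small POSIX sh lint for a ruleset file of the kind option 4 describes. It writes a constructed sample ruleset (a NAT gateway with an explicit final deny; the rule numbers, the rl1 interface name and the rules themselves are assumptions, not the poster's configuration) to a temp file and then checks two things worth confirming before pointing firewall_type at such a file: that every non-comment line is a bare ipfw(8) rule rather than shell (a ${fwcmd} prefix or any other shell text means the file is a script, which the rule-file path will not execute), and that the ruleset ends in an explicit deny instead of relying on the kernel's compiled-in default policy. The keyword list in only_rules is a subset of ipfw(8) commands chosen for this example; runs offline, no ipfw needed.

```shell
#!/bin/sh
# Constructed example: lint an ipfw(8) rule file of the form used with
# firewall_type="/etc/ipfw.rules".  Not from the original post.

# Constructed sample ruleset, written to a temp file so the check is
# self-contained.  Rules, numbers and the rl1 interface are assumptions.
RULES_FILE="${TMPDIR:-/tmp}/ipfw.rules.example.$$"
cat > "$RULES_FILE" <<'EOF'
# constructed sample ruleset: NAT gateway on rl1, explicit default deny
flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 divert natd ip from any to any via rl1
add 400 check-state
add 500 allow tcp from any to any out via rl1 setup keep-state
add 600 allow udp from any to any out via rl1 keep-state
add 65000 deny log ip from any to any
EOF

# Print the file with `#' comments and blank lines removed: the lines
# ipfw(8) actually processes when given a rule file.
strip_rules() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Exit 0 when every remaining line starts with an ipfw(8) command
# keyword (subset chosen for this example).  Anything else, e.g. a
# ${fwcmd} prefix or a variable assignment, means the file is really a
# shell script and will not work as a rule file.
only_rules() {
    strip_rules "$1" | awk '
        $1 !~ /^(add|flush|delete|zero|resetlog|set|table|nat|pipe|queue)$/ { bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Exit 0 when the last rule is an explicit deny, so the policy does not
# depend on whether the kernel was built to accept or deny by default.
ends_with_deny() {
    strip_rules "$1" | awk '
        { last = $0 }
        END { if (last ~ /^add [0-9]* *deny/) exit 0; exit 1 }'
}

# Stand-alone usage: report on the sample file.
if only_rules "$RULES_FILE" && ends_with_deny "$RULES_FILE"; then
    echo "ok: $RULES_FILE holds only ipfw rules and ends with an explicit deny"
else
    echo "problem: $RULES_FILE is not a usable, default-deny rule file" >&2
fi
```

Run it as `sh ipfw-rules-lint.sh`; to check a real file, point RULES_FILE at it instead of writing the sample. The keyword list is deliberately short, so extend it if your rules use other ipfw(8) commands.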