Date: Thu, 12 Jan 2006 23:46:38 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Greg Barniskis <nalists@scls.lib.wi.us>
Cc: Martin McCormick <martin@dc.cis.okstate.edu>, freebsd-questions@freebsd.org
Subject: Re: Strange Failure Mode in FreeBSD 4.11
Message-ID: <20060112214638.GA97115@flame.pc>
In-Reply-To: <43C6C55E.5000703@scls.lib.wi.us>
References: <200601121958.k0CJw9hn091722@dc.cis.okstate.edu> <43C6C55E.5000703@scls.lib.wi.us>
On 2006-01-12 15:08, Greg Barniskis <nalists@scls.lib.wi.us> wrote:
> Martin McCormick wrote:
>> In rc.firewall, there is a place where one can include a table of
>> local rules and that's where I am doing something wrong.  The place
>> in rc.firewall reads:
>>
>> # filename - will load the rules in the given filename (full path required)
>
> This section of rc.firewall refers to valid values you can place in
> rc.conf for firewall_type.

No, it refers to exactly what the comment says.  You can write your
rules (just the rules, without any ipfw(8) command invocations) in a
file and use:

    firewall_type="/etc/ipfw.rules"

in your `rc.conf' file.  The manpage of rc.conf explains this in detail
at the firewall_xxxx variables part:

     firewall_type
             (str) Names the firewall type from the selection in
             /etc/rc.firewall, or the file which contains the local
             firewall ruleset.  Valid selections from /etc/rc.firewall
             are:

             open      unrestricted IP access
             closed    all IP services disabled, except via ``lo0''
             client    basic protection for a workstation
             simple    basic protection for a LAN.

             If a filename is specified, the full path must be given.

> Well, OK, surely there is a way to do that, but that functionality
> is not the intent of this part of rc.firewall and rc.conf as I
> understand it.

It works, it's supported and it does exactly what it says it should do.
Why not? :-)

> I'm sure that if you put your custom rules in a shell file that
> you can use rc or cron to load those rules at boot time; you'd
> just need to be careful with rule numbering, maybe use ipfw
> sets for rule ordering, etc.
>
> Maybe easier to just
>
> cp rc.firewall custom.ipfw, edit to your needs and use
> firewall_type="/etc/custom.ipfw"

This is probably more error-prone than writing just:

    add block ip from 10.0.0.0/8 to any

since shell scripts come with all sorts of quoting, meta-character
evaluation, etc.  I find it much much easier to use an `ipfw.rules'
file that contains only the rules.  No shell commands at all.
But then, this is clearly a matter of personal taste :)
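An added example, not part of the thread: the rules-only file the reply recommends, together with a small sh check that the file really contains ipfw rule lines and not a shell script (the `check_rules_file` and `write_samples` names, the sample rules and the temporary paths are all constructed here).

```shell
#!/bin/sh
# Added example (not from the thread). When rc.conf's firewall_type names a
# file, rc.firewall hands that file to ipfw(8), which reads one rule per
# line: no "ipfw" prefix, no shell syntax. Names and sample rules are
# constructed for illustration.

# check_rules_file FILE: returns 0 if every non-comment line looks like an
# ipfw rule line, 1 otherwise; offending lines are reported on stderr.
check_rules_file() {
    file=$1 bad=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) ;;                                  # blank line or comment
            ipfw\ *|*/sbin/ipfw*)                       # a command, not a rule
                echo "$file:$lineno: drop the ipfw prefix: $line" >&2; bad=1 ;;
            *'$'*|*'`'*|*'|'*|*';'*|*'&'*)              # shell syntax ipfw cannot parse
                echo "$file:$lineno: shell syntax in rules file: $line" >&2; bad=1 ;;
            add\ *|-f\ flush|flush|set\ *|table\ *|pipe\ *|queue\ *) ;;  # rule lines
            *)  echo "$file:$lineno: not an ipfw rule line: $line" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# write_samples: create two constructed files in a temporary directory and
# print the directory name. good.rules is the form the reply recommends.
write_samples() {
    dir=${TMPDIR:-/tmp}/ipfw-check.$$
    mkdir -p "$dir"
    cat > "$dir/good.rules" <<'EOF'
# rules only; rc.conf: firewall_enable="YES" firewall_type="/etc/ipfw.rules"
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from 10.0.0.0/8 to any
add 65000 allow ip from any to any
EOF
    cat > "$dir/bad.rules" <<'EOF'
ipfw add 100 allow ip from any to any via lo0
add 200 deny ip from ${BADNET} to any
EOF
    echo "$dir"
}

main() {
    dir=$(write_samples)
    check_rules_file "$dir/good.rules" && echo "good.rules: usable as firewall_type"
    check_rules_file "$dir/bad.rules" || echo "bad.rules: fix it before using it"
    rm -rf "$dir"
}
main
```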