From owner-freebsd-questions@FreeBSD.ORG Thu Jan 12 21:48:29 2006
Date: Thu, 12 Jan 2006 23:46:38 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Greg Barniskis
Cc: Martin McCormick, freebsd-questions@freebsd.org
Subject: Re: Strange Failure Mode in FreeBSD 4.11
Message-ID: <20060112214638.GA97115@flame.pc>
In-Reply-To: <43C6C55E.5000703@scls.lib.wi.us>
References: <200601121958.k0CJw9hn091722@dc.cis.okstate.edu> <43C6C55E.5000703@scls.lib.wi.us>

On 2006-01-12 15:08, Greg Barniskis wrote:
> Martin McCormick wrote:
> > In rc.firewall, there is a place where one can include a table of
> > local rules and that's where I am doing something wrong. The place
> > in rc.firewall reads:
> >
> > # filename - will load the rules in the given filename (full path required)
>
> This section of rc.firewall refers to valid values you can place in
> rc.conf for firewall_type.
No, it refers to exactly what the comment says. You can write your rules
(just the rules, without any ipfw(8) command invocations) in a file and
use:

    firewall_type="/etc/ipfw.rules"

in your `rc.conf' file. The manpage of rc.conf explains this in detail
in the firewall_xxxx variables part:

     firewall_type
             (str) Names the firewall type from the selection in
             /etc/rc.firewall, or the file which contains the local
             firewall ruleset. Valid selections from /etc/rc.firewall are:

                   open       unrestricted IP access
                   closed     all IP services disabled, except via ``lo0''
                   client     basic protection for a workstation
                   simple     basic protection for a LAN.

             If a filename is specified, the full path must be given.

> Well, OK, surely there is a way to do that, but that functionality
> is not the intent of this part of rc.firewall and rc.conf as I
> understand it.

It works, it's supported and it does exactly what it says it should do.
Why not? :-)

> I'm sure that if you put your custom rules in a shell file that
> you can use rc or cron to load those rules at boot time; you'd
> just need to be careful with rule numbering, maybe use ipfw
> sets for rule ordering, etc.
>
> Maybe easier to just
>
> cp rc.firewall custom.ipfw, edit to your needs and use
> firewall_type="/etc/custom.ipfw"

This is probably more error-prone than writing just:

    add block ip from 10.0.0.0/8 to any

since shell scripts come with all sorts of quoting, meta-character
evaluation, etc. I find it much much easier to use an `ipfw.rules' file
that contains only the rules. No shell commands at all.

But then, this is clearly a matter of personal taste :)
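As an added example (editor's code, not part of Giorgos's mail or of FreeBSD's rc scripts), here is what a rules-only file selected by firewall_type looks like, next to the kind of shell-script file that does not belong in that slot, plus a small pre-flight check that catches the mix-up before reboot. The check assumes, as the mail says, that rc.firewall hands the file straight to ipfw(8), so every non-comment line must be a bare `add ...` rule with one of ipfw's action keywords; the rule numbers, addresses and the /tmp working directory are constructed for the demo, and the real file would live at the full path named in rc.conf. One caveat in passing: ipfw's drop action is spelled `deny` (or `drop`); `block` is pf's vocabulary, and ipfw will reject it.

```shell
#!/bin/sh
# Added example: a rules-only file for firewall_type="/etc/ipfw.rules"
# and a sanity check that it contains ipfw rules, not shell or ipfw(8)
# invocations.  $WORK and the file contents are constructed for the demo.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed rules-only file.  rc.firewall runs "ipfw <file>" on it
# (assumption from the mail), so each line is a rule, with no "ipfw" prefix.
GOOD_RULES="$WORK/ipfw.rules"
cat > "$GOOD_RULES" <<'EOF'
# /etc/ipfw.rules -- rules only, no shell, no "ipfw" command prefix
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 1000 deny ip from 10.0.0.0/8 to any
add 1100 deny ip from 192.168.0.0/16 to any
add 2000 allow tcp from any to me 22 setup
add 2100 allow tcp from any to any established
add 65000 deny log ip from any to any
EOF

# Constructed counter-example: a shell script of the "cp rc.firewall
# custom.ipfw" kind.  Valid as a script, wrong as a firewall_type file.
BAD_RULES="$WORK/custom.ipfw"
cat > "$BAD_RULES" <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add 100 allow ip from any to any via lo0
EOF

# rc.conf lines that select the rules-only file (full path required):
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"

# check_ipfw_rules_file FILE
# Returns 0 when every non-blank, non-comment line has the shape
# "add [number] <action> ...", 1 on the first line that does not.
# Action keywords are the ipfw(8) set as the editor knows it for 4.x/5.x;
# this is a local sanity check, not a replacement for ipfw's own parser.
check_ipfw_rules_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            add\ *)  ;;
            *) echo "$file:$n: not an ipfw rule: $line" >&2; return 1 ;;
        esac
        set -- $line            # rules contain no quoting, so word-split
        shift                   # drop "add"
        case "$1" in            # optional rule number
            ''|*[!0-9]*) ;;
            *) shift ;;
        esac
        case "$1" in
            allow|accept|pass|permit|deny|drop|reject|unreach|reset| \
            count|check-state|divert|tee|fwd|forward|pipe|queue|skipto) ;;
            *) echo "$file:$n: unknown ipfw action '$1'" >&2; return 1 ;;
        esac
    done < "$file"
    return 0
}

# Demo run (wrapped in "if" so a failing check does not abort the script).
for f in "$GOOD_RULES" "$BAD_RULES"; do
    if check_ipfw_rules_file "$f"; then
        echo "$f: OK, usable as firewall_type=\"$f\""
    else
        echo "$f: rejected, not a rules-only file"
    fi
done
```

Run it before pointing firewall_type at a new file; the check is cheap and it fails on the first shell-style line (here `fwcmd="/sbin/ipfw"`), which is exactly the mistake the thread is about.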