Date:      Wed, 21 Feb 2001 09:05:02 +1100
From:      Tony Landells <ahl@austclear.com.au>
To:        Nick Sayer <nsayer@quack.kfu.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: /etc/rc.firewall fixes 
Message-ID:  <200102202205.JAA04080@tungsten.austclear.com.au>
In-Reply-To: Message from Nick Sayer <nsayer@quack.kfu.com>  of "Tue, 20 Feb 2001 12:05:46 -0800." <200102202005.f1KK5kv83619@medusa.kfu.com> 

I'm in the process of hacking on my rc.firewall because I'm building
new firewalls, so I'm interested in any ideas people have.

The stuff that I put in yesterday was to auto-generate my anti-spoofing
rules (which is a huge saving when you have seven Ethernet interfaces!),
and organise my rule numbering.

I also have stuff so that you basically only have to map the logical
interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
and it sets the other variables for you (oip, omask, iip, imask, etc.).
Note that I don't bother with onet, inet, etc. because you can get the
same result by using, for example, ${oip}:${omask}.

As a result of these bits of hackery, my rc.firewall looks something like:

	<generate ?ip and ?mask variables>
	<generate anti-spoofing rules>
	<start a block of rules at the next multiple of 1000>
	rule...
	<start a block of rules at the next multiple of 1000>
	rule...
	<start a block of rules at the next multiple of 1000>
	rule...
	<start a block of rules at the next multiple of 1000>
	rule...

	<start a major block of rules at the next multiple of 10000>
	rule...

If anyone wants to see it and has a fairly strong stomach ;-) let me
know.  If there are a few people interested, I'll post to the group.

Cheers,
Tony
-- 
Tony Landells					<ahl@austclear.com.au>
Senior Network Engineer				Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd		Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia