From owner-freebsd-security Tue Feb 20 14: 5: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 5D0DB37B401 for ; Tue, 20 Feb 2001 14:05:03 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA93282; Wed, 21 Feb 2001 09:05:02 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id JAA04080; Wed, 21 Feb 2001 09:05:02 +1100 (EST)
Message-Id: <200102202205.JAA04080@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Nick Sayer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: Message from Nick Sayer of "Tue, 20 Feb 2001 12:05:46 -0800." <200102202005.f1KK5kv83619@medusa.kfu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Feb 2001 09:05:02 +1100
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm in the process of hacking on my rc.firewall because I'm building new firewalls, so I'm interested in any ideas people have.

The stuff that I put in yesterday was to auto-generate my anti-spoofing rules (which is a huge saving when you have seven Ethernet interfaces!), and organise my rule numbering.

I also have stuff so that you basically only have to map the logical interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.) and it sets the other variables for you (oip, omask, iip, imask, etc.). Note that I don't bother with onet, inet, etc. because you can get the same result by using, for example, ${oip}:${omask}.

As a result of these bits of hackery, my rc.firewall looks something like:

rule...
rule...
rule...
rule...
rule...
If anyone wants to see it and has a fairly strong stomach ;-) let me know. If there are a few people interested, I'll post to the group.

Cheers,
Tony
-- 
Tony Landells
Senior Network Engineer
Australian Clearing Services Pty Ltd
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000 Australia
Ph: +61 3 9677 9319
Fax: +61 3 9677 9355

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
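A sketch of the two ideas in the message above (mapping logical interface names to physical ones so the oip/omask style variables are derived for you, and generating the anti-spoofing rules from that map with organised rule numbers) as an added example. It is not Tony's rc.firewall, which was never posted; the interface names, addresses and the base rule number are constructed sample values, and the rules are printed instead of being passed to ipfw so the script runs offline.

```sh
#!/bin/sh
# Added example, not the rc.firewall from the message above.
# One "iface" call per interface maps a logical name (oif, iif, ...) to a
# physical device and sets the derived variables the rules use
# (oif/oip/omask, iif/iip/imask, ...). The addresses are constructed
# sample data; a real script would take them from `ifconfig ${phys}`.
# Rules are printed rather than passed to ipfw so they can be reviewed.

IFACES=""

# iface LOGICAL PHYS ADDR MASK
# The variable prefix is the logical name with its "if" suffix removed,
# so "iface oif fxp0 A M" sets oif=fxp0 oip=A omask=M and records "oif".
iface() {
    prefix=${1%if}
    eval "${prefix}if=\$2 ${prefix}ip=\$3 ${prefix}mask=\$4"
    IFACES="$IFACES $1"
}

# antispoof_rules BASE [STEP]
# A packet whose source falls in interface A's network is only legitimate
# when it arrives on A; the same source seen inbound on any other interface
# is spoofed, so one deny rule is emitted per (network, other interface)
# pair. Networks are written as addr:mask, as in the message; ipfw applies
# the mask itself, so no separate "onet" variable is needed. Rule numbers
# start at BASE and advance by STEP (default 10), leaving room to insert
# hand-written rules between generated ones.
antispoof_rules() {
    n=$1
    step=${2:-10}
    for a in $IFACES; do
        ap=${a%if}
        eval "aphys=\$${ap}if aip=\$${ap}ip amask=\$${ap}mask"
        for b in $IFACES; do
            bp=${b%if}
            eval "bphys=\$${bp}if"
            [ "$aphys" = "$bphys" ] && continue
            printf 'add %d deny log all from %s:%s to any in via %s\n' \
                "$n" "$aip" "$amask" "$bphys"
            n=$((n + step))
        done
    done
}

# Constructed sample topology: outside, inside and a third (DMZ) leg.
iface oif fxp0 192.0.2.1 255.255.255.0
iface iif fxp1 10.1.0.1 255.255.255.0
iface dif fxp2 172.16.5.1 255.255.255.0

# With three interfaces this prints 3*2 = 6 rules, numbered 1000 to 1050.
antispoof_rules 1000
```

Adding a fourth interface is one more `iface` line; the anti-spoof block grows from 6 to 12 rules without touching anything else, which is the saving the message describes for seven interfaces. The printed lines are in the form ipfw accepts from a rule file, so after review they can be loaded with `ipfw -q` on that file, or each line prefixed with `${fwcmd}` inside rc.firewall itself.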