From owner-freebsd-questions Fri Feb 16 2:26:20 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34])
    by hub.freebsd.org (Postfix) with SMTP id 4DCC437B491
    for ; Fri, 16 Feb 2001 02:26:15 -0800 (PST)
Received: (qmail 77300 invoked by uid 1001); 16 Feb 2001 10:26:05 -0000
Date: Fri, 16 Feb 2001 12:26:05 +0200
From: Neil Blakey-Milner
To: Wayne Pascoe
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw reading rules from a file
Message-ID: <20010216122605.A77126@rapier.smartspace.co.za>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from wayne.pascoe@realtime.co.uk on Fri, Feb 16, 2001 at 10:13:42AM +0000
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri 2001-02-16 (10:13), Wayne Pascoe wrote:
> I am trying to 'persuade' ipfw to read rules from a file. For the
> moment, I am just using a very simple rule that will allow access from
> the world. Once this works, I will translate the firewall rules that I
> use under ipf to ipfw.
>
> In /etc/rc.conf I have the following section
>
> #
> # Firewall options
> #
> firewall_enable="YES"
> firewall_type="filename"
> firewall_flags="/etc/firewall/ipfw.soften"
> firewall_logging="YES"

Change that to:

firewall_type="/etc/firewall/ipfw.soften"

And remove the firewall_flags line, and it should work.

> I have tried the following for /etc/firewall/ipfw.soften :
>
> -- try 1 --
> /sbin/ipfw allow all from any to any

This won't work.

>
> -- try 2 --
> allow all from any to any
>
> -- try 3 --
> 00100 allow ip from any to any

These should.

> Lastly, does ipfw work on a first match wins basis (like iptables /
> ipchains) or does it work on a last match wins basis (like ipf) ?

First-match.

Neil

--
Neil Blakey-Milner
nbm@mithrandr.moria.org
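
A check for the two mistakes pointed out in the reply above, as an added example that is not part of the original message and not FreeBSD's own code: it flags a rules path placed in firewall_flags instead of firewall_type, and rules-file lines that begin with the ipfw command itself. The helper names (rc_value, lint_ipfw_setup, demo) are hypothetical, the sample files are constructed, and it assumes the intent is to load rules from a file.

```shell
#!/bin/sh
# Added example, not from the thread. rc_value, lint_ipfw_setup and demo are
# hypothetical helper names; the sample files in demo() are constructed.

# Print the value assigned to variable $1 in rc.conf-style file $2.
rc_value() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Print one line per finding; the exit status is the number of findings.
lint_ipfw_setup() {
    rcconf=$1 problems=0
    fw_type=$(rc_value firewall_type "$rcconf")
    fw_flags=$(rc_value firewall_flags "$rcconf")
    # Mistake 1: the rules path was put in firewall_flags.
    case $fw_flags in
        /*) echo "rc.conf: firewall_flags is a path ($fw_flags); set firewall_type to it and remove firewall_flags"
            problems=$((problems + 1)) ;;
    esac
    case $fw_type in
        /*) ;;
        *)  echo "rc.conf: firewall_type=\"$fw_type\" is not an absolute path to a rules file"
            return $((problems + 1)) ;;
    esac
    [ -r "$fw_type" ] || { echo "$fw_type: not readable"; return $((problems + 1)); }
    # Mistake 2: a rules line that begins with the ipfw command itself.
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f      # split into words, no globbing
        case ${1:-} in
            ipfw|*/ipfw) echo "$fw_type:$lineno: starts with the ipfw command: $line"
                         problems=$((problems + 1)) ;;
        esac
    done < "$fw_type"
    return "$problems"
}

# Constructed sample: the quoted rc.conf first, then the corrected one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/sbin/ipfw allow all from any to any' '00100 allow ip from any to any' > "$d/rules"
    printf '%s\n' 'firewall_enable="YES"' 'firewall_type="filename"' "firewall_flags=\"$d/rules\"" > "$d/rc.conf"
    lint_ipfw_setup "$d/rc.conf" || echo "findings: $?"
    printf '%s\n' 'firewall_enable="YES"' "firewall_type=\"$d/rules\"" > "$d/rc.conf"
    lint_ipfw_setup "$d/rc.conf" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

The check reports only these two mistakes; it does not validate rule syntax.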