Date: Tue, 20 Feb 2001 19:24:16 -0800
From: Robert Clark <res03db2@gte.net>
To: Tony Landells <ahl@austclear.com.au>
Cc: Nick Sayer <nsayer@quack.kfu.com>, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010220192416.A19188@darkstar.gte.net>
In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>; from ahl@austclear.com.au on Wed, Feb 21, 2001 at 09:05:02AM +1100
References: <nsayer@quack.kfu.com> <200102202205.JAA04080@tungsten.austclear.com.au>
I'm interested.
[RC]
On Wed, Feb 21, 2001 at 09:05:02AM +1100, Tony Landells wrote:
> I'm in the process of hacking on my rc.firewall because I'm building
> new firewalls, so I'm interested in any ideas people have.
>
> The stuff that I put in yesterday was to auto-generate my anti-spoofing
> rules (which is a huge saving when you have seven Ethernet interfaces!),
> and organise my rule numbering.
>
> I also have stuff so that you basically only have to map the logical
> interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
> and it sets the other variables for you (oip, omask, iip, imask, etc.).
> Note that I don't bother with onet, inet, etc. because you can get the
> same result by using, for example, ${oip}:${omask}.
>
> As a result of these bits of hackery, my rc.firewall looks something like:
>
> <generate ?ip and ?mask variables>
> <generate anti-spoofing rules>
> <start a block of rules at the next multiple of 1000>
> rule...
> <start a block of rules at the next multiple of 1000>
> rule...
> <start a block of rules at the next multiple of 1000>
> rule...
> <start a block of rules at the next multiple of 1000>
> rule...
>
> <start a major block of rules at the next multiple of 10000>
> rule...
>
> If anyone wants to see it and has a fairly strong stomach ;-) let me
> know. If there are a few people interested, I'll post to the group.
>
> Cheers,
> Tony
> --
> Tony Landells <ahl@austclear.com.au>
> Senior Network Engineer Ph: +61 3 9677 9319
> Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355
> Level 4, Rialto North Tower
> 525 Collins Street
> Melbourne VIC 3000
> Australia
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010220192416.A19188>
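The scheme Tony describes above (map logical interfaces to physical ones, derive the ?ip/?mask variables from the interface, generate the anti-spoofing rules, and start each rule block at the next multiple of 1000) as an added sh example. It is not part of this thread or of his rc.firewall: the interface names, the documentation-range addresses and the stand-in for ifconfig output are constructed, and the script echoes the ipfw commands instead of loading them, so it runs on any host.

```shell
#!/bin/sh
# Added example, not Tony's rc.firewall: map logical interfaces to physical
# ones, derive the ip/mask variables, emit ipfw anti-spoofing rules, and start
# each rule block at the next multiple of 1000.

# Logical -> physical interface map (constructed; three interfaces here).
oif=fxp0    # outside
iif=fxp1    # inside
dif=fxp2    # DMZ
logical="oif iif dif"

# Dry run by default: print "/sbin/ipfw ..." instead of loading rules.
# On a real firewall, export fwcmd=/sbin/ipfw before running.
fwcmd=${fwcmd:-echo /sbin/ipfw}

# Constructed stand-in for `ifconfig "$1" inet`; the addresses are
# documentation ranges, not real ones.
ifconfig_inet() {
    case "$1" in
    fxp0) echo "	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255" ;;
    fxp1) echo "	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255" ;;
    fxp2) echo "	inet 198.51.100.1 netmask 0xfffffff0 broadcast 198.51.100.15" ;;
    *) return 1 ;;
    esac
}

# First inet address / hex netmask of an interface.
if_ip()      { ifconfig_inet "$1" | awk '/inet / { print $2; exit }'; }
if_hexmask() { ifconfig_inet "$1" | awk '/inet / { print $4; exit }'; }

# 0xffffff00 -> 255.255.255.0 (ipfw's addr:mask form takes a dotted mask).
hexmask_to_dotted() {
    h=${1#0x}
    printf '%d.%d.%d.%d\n' \
        "0x$(printf '%s' "$h" | cut -c1-2)" "0x$(printf '%s' "$h" | cut -c3-4)" \
        "0x$(printf '%s' "$h" | cut -c5-6)" "0x$(printf '%s' "$h" | cut -c7-8)"
}

# Set ?ip and ?mask for every logical interface: oif -> oip/omask, and so on.
set_addr_vars() {
    for l in $logical; do
        p=${l%if}                      # "oif" -> "o"
        eval "phys=\$$l"
        eval "${p}ip=$(if_ip "$phys")"
        eval "${p}mask=$(hexmask_to_dotted "$(if_hexmask "$phys")")"
    done
}

# Next multiple of $2 above $1: next_block 1234 1000 -> 2000.
next_block() { echo $(( ($1 / $2 + 1) * $2 )); }

# One deny rule per (network, foreign interface) pair: a packet with a source
# address from the net behind interface A must never arrive in via B.
gen_antispoof() {
    n=$1
    for a in $logical; do
        pa=${a%if}
        eval "net=\${${pa}ip}:\${${pa}mask}"
        for b in $logical; do
            [ "$a" = "$b" ] && continue
            eval "via=\$$b"
            $fwcmd add "$n" deny log ip from "$net" to any in via "$via"
            n=$((n + 1))
        done
    done
}

set_addr_vars
rule=$(next_block 0 1000)          # anti-spoofing block starts at 1000
gen_antispoof "$rule"
rule=$(next_block "$rule" 1000)    # next block (2000) for the next set of rules
$fwcmd add "$rule" pass tcp from any to "$oip" 22 in via "$oif" setup
```

With three interfaces this yields six anti-spoofing rules numbered 1000 to 1005; adding a fourth interface only means adding it to the map and to `logical`, which is the saving Tony mentions for a seven-interface box. Because every block starts at a fresh multiple of 1000, the rule numbers of one block never collide with another when rules are added later.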
