Date: Tue, 20 Feb 2001 19:24:16 -0800
From: Robert Clark
To: Tony Landells
Cc: Nick Sayer, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010220192416.A19188@darkstar.gte.net>
References: <200102202205.JAA04080@tungsten.austclear.com.au>
In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>; from ahl@austclear.com.au on Wed, Feb 21, 2001 at 09:05:02AM +1100

I'm interested.

[RC]

On Wed, Feb 21, 2001 at 09:05:02AM +1100, Tony Landells wrote:
> I'm in the process of hacking on my rc.firewall because I'm building
> new firewalls, so I'm interested in any ideas people have.
>
> The stuff that I put in yesterday was to auto-generate my anti-spoofing
> rules (which is a huge saving when you have seven Ethernet interfaces!),
> and organise my rule numbering.
>
> I also have stuff so that you basically only have to map the logical
> interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
> and it sets the other variables for you (oip, omask, iip, imask, etc.).
> Note that I don't bother with onet, inet, etc. because you can get the
> same result by using, for example, ${oip}:${omask}.
>
> As a result of these bits of hackery, my rc.firewall looks something like:
>
>
>
>
> rule...
>
> rule...
>
> rule...
>
> rule...
>
>
> rule...
>
> If anyone wants to see it and has a fairly strong stomach ;-) let me
> know. If there are a few people interested, I'll post to the group.
>
> Cheers,
> Tony
> --
> Tony Landells
> Senior Network Engineer Ph: +61 3 9677 9319
> Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355
> Level 4, Rialto North Tower
> 525 Collins Street
> Melbourne VIC 3000
> Australia
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
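
An added example, not part of the original message and not Tony Landells's script: one way to auto-generate per-interface anti-spoofing rules with organised rule numbers, using the `${ip}:${mask}` form mentioned in the quoted text. The interface table, the addresses, the rule numbers and the function name `gen_antispoof` are assumptions; the rules are printed in ipfw `add` form and never loaded.

```shell
#!/bin/sh
# Constructed interface table: logical name, physical interface, IP, netmask.
# A real rc.firewall would read the IP and mask from ifconfig after mapping
# each logical name to its physical interface.
IFTABLE='oif fxp0 203.0.113.1 255.255.255.0
iif fxp1 192.168.1.1 255.255.255.0
dmz fxp2 192.168.2.1 255.255.255.0'

# gen_antispoof BASE STEP
# For each interface's network, print a deny rule for packets that claim a
# source address in that network but arrive on any other interface.
# N interfaces yield N*(N-1) rules, numbered BASE, BASE+STEP, ...
gen_antispoof() {
    num=$1
    step=$2
    # Outer loop: the network whose addresses must not be spoofed.
    while read -r sname sif sip smask; do
        [ -n "$sif" ] || continue
        # Inner loop: every other interface a spoofed packet could arrive on.
        while read -r rname rif rip rmask; do
            [ -n "$rif" ] || continue
            [ "$rif" = "$sif" ] && continue
            # ip:mask is masked by ipfw, so the interface IP stands in for
            # the network address (no separate onet/inet variable needed).
            echo "add $num deny all from ${sip}:${smask} to any in via ${rif}"
            num=$((num + step))
        done <<EOF
$IFTABLE
EOF
    done <<EOF
$IFTABLE
EOF
}

# Print the generated rule set for the constructed table.
gen_antispoof 100 10
```

With seven interfaces the same loop produces 42 rules, which is the kind of saving the quoted message describes.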