From owner-freebsd-security@FreeBSD.ORG Thu Dec 13 18:39:58 2007
Date: Thu, 13 Dec 2007 12:39:44 -0600
From: "W. D." <WD@US-Webmasters.com>
To: Gary Palmer
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW compiled in kernel: Where is it reading the config?
In-Reply-To: <20071213110009.GB986@in-addr.com>
References: <20071213081155.ABBC813C4D5@mx1.freebsd.org> <20071213110009.GB986@in-addr.com>
Message-Id: <20071213183957.B348013C469@mx1.freebsd.org>

At 05:00 12/13/2007, Gary Palmer wrote:
>
>> The config file location that I specify in rc.conf doesn't
>> appear to be being used:
>>
>> firewall_script="/usr/local/etc/ipfw.rules"
>
> You require
>
> firewall_enable="YES"
>
> in /etc/rc.conf for the rules to be looked at.
>
> Also, firewall_script may be the wrong configuration parameter to use.
> firewall_script is expected to be a shell script to configure the
> firewall. If you just want a file of rules, set firewall_type instead,
> e.g.
>
> firewall_type="/etc/rc.firewall.rules"
> firewall_enable="YES"
>
> and then put your rules one line at a time into the specified file, i.e.
>
> add allow ip from any to any via lo0
> (etc)
>
> ipfw is a kernel module. It will not show up in "ps aux". If
> "ipfw list" does not come back with an error message, then it
> is likely running. You can check for the ipfw module using
>
> kldstat
>
> (assuming you did not compile ipfw into a custom kernel)
>
> To check the syntax of a list of rules (note: not a shell script) you
> can use
>
> ipfw -n /path/to/rules/file
>
> From the man page:
>
>   -n  Only check syntax of the command strings, without actually
>       passing them to the kernel.
>
> Regards,
>
> Gary

Thanks, Gary! This is much of what I was looking for.

Start Here to Find It Fast!(TM) -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
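An added example, not code from either poster: a POSIX sh checker for the rc.conf settings Gary describes. It reads firewall_enable, firewall_type and firewall_script from an rc.conf-style file, flags the original post's mistake (a bare rule list under firewall_script), and runs the `ipfw -n` syntax check only where the ipfw binary exists; the sample rc.conf and rules files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: validate the rc.conf settings for a
# file-based ipfw rule set and dry-run the rules file with ipfw -n.

# rcvar FILE NAME: value of the last NAME="..." assignment in FILE, unquoted.
rcvar() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# check_ipfw_rcconf FILE: returns 0 when firewall_enable is YES and
# firewall_type names an existing rules file; reports problems otherwise.
check_ipfw_rcconf() {
    status=0
    enable=$(rcvar "$1" firewall_enable)
    ftype=$(rcvar "$1" firewall_type)
    script=$(rcvar "$1" firewall_script)
    if [ "$enable" != "YES" ]; then
        echo "firewall_enable=\"$enable\": rules are never loaded without YES"
        status=1
    fi
    case "$ftype" in
        /*) [ -f "$ftype" ] || { echo "firewall_type file $ftype missing"; status=1; } ;;
        "") echo "firewall_type unset"; status=1 ;;
        *)  echo "firewall_type=$ftype is a keyword handled by rc.firewall, not a file" ;;
    esac
    # A bare rule list ("add allow ...") under firewall_script is the
    # mistake from the original post: that variable expects a shell script.
    if [ -n "$script" ] && grep -q '^add ' "$script" 2>/dev/null; then
        echo "firewall_script=$script looks like a rules file; use firewall_type"
        status=1
    fi
    return $status
}

# syntax_check RULES: the -n dry run from the man page, skipped off FreeBSD.
syntax_check() {
    if command -v ipfw >/dev/null 2>&1; then ipfw -n "$1"; else
        echo "ipfw not found; skipping syntax check of $1"; fi
}

# Constructed sample inputs: a rules file plus a correct and a wrong rc.conf.
tmp=$(mktemp -d)
printf 'add allow ip from any to any via lo0\n' > "$tmp/ipfw.rules"
printf 'firewall_enable="YES"\nfirewall_type="%s"\n' "$tmp/ipfw.rules" > "$tmp/rc.good"
printf 'firewall_script="%s"\n' "$tmp/ipfw.rules" > "$tmp/rc.bad"
check_ipfw_rcconf "$tmp/rc.good" && syntax_check "$tmp/ipfw.rules"
check_ipfw_rcconf "$tmp/rc.bad" || echo "rc.bad rejected as expected"
```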