Date: Tue, 20 Feb 2001 20:36:52 -0700
From: Brett Glass <brett@lariat.org>
To: Tony Landells <ahl@austclear.com.au>, Nick Sayer <nsayer@quack.kfu.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <4.3.2.7.2.20010220203519.045e7b90@localhost>
In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>
References: <Message from Nick Sayer <nsayer@quack.kfu.com> <200102202005.f1KK5kv83619@medusa.kfu.com>

At 03:05 PM 2/20/2001, Tony Landells wrote:

>I'm in the process of hacking on my rc.firewall because I'm building
>new firewalls, so I'm interested in any ideas people have.
>
>The stuff that I put in yesterday was to auto-generate my anti-spoofing
>rules (which is a huge saving when you have seven Ethernet interfaces!),
>and organise my rule numbering.
>
>I also have stuff so that you basically only have to map the logical
>interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
>and it sets the other variables for you (oip, omask, iip, imask, etc.).

There's a rule generation script on the IPFilter site (I believe it's
called "mkfilter") that does some of this already, though it makes the
mistake of using IP addresses instead of interface names. (When your
address is assigned via DHCP, as many are, you want to use interface
names so that the rules are independent of your current IP.)

--Brett
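
The approach discussed in this message, as an added example that is not code from the thread or from rc.firewall: a sh function that generates per-interface anti-spoofing rules with block-organised rule numbers, naming the receiving interface instead of its address so a DHCP-assigned interface needs no address in any rule. The table contents, `IFTABLE` and `gen_antispoof` are constructed for illustration; the commands are printed, not executed.

```shell
#!/bin/sh
# Constructed sample table: logical name, physical interface, attached network.
# "dhcp" marks a leased address; that interface is referenced by name only.
IFTABLE='oif fxp0 dhcp
iif fxp1 192.168.1.0/24
dmz fxp2 192.168.2.0/24'

# gen_antispoof BASE: print (not run) ipfw commands. Each receiving interface
# gets its own block of 100 rule numbers, with rules spaced 10 apart.
gen_antispoof() {
    block=$1
    printf '%s\n' "$IFTABLE" | while read -r rname rif rnet; do
        num=$block
        printf '%s\n' "$IFTABLE" | while read -r sname sif snet; do
            # Skip the receiving interface itself and networks we cannot name.
            [ "$sif" = "$rif" ] && continue
            [ "$snet" = "dhcp" ] && continue
            # A source inside another interface's network is spoofed here.
            echo "ipfw add $num deny all from $snet to any in via $rif"
            num=$((num + 10))
        done
        block=$((block + 100))
    done
}

gen_antispoof 1000
```
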