From: Brett Glass
To: Tony Landells, Nick Sayer
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 20 Feb 2001 20:36:52 -0700
Subject: Re: /etc/rc.firewall fixes
Message-Id: <4.3.2.7.2.20010220203519.045e7b90@localhost>
In-Reply-To: <200102202205.JAA04080@tungsten.austclear.com.au>
References: <200102202005.f1KK5kv83619@medusa.kfu.com>

At 03:05 PM 2/20/2001, Tony Landells wrote:

>I'm in the process of hacking on my rc.firewall because I'm building
>new firewalls, so I'm interested in any ideas people have.
>
>The stuff that I put in yesterday was to auto-generate my anti-spoofing
>rules (which is a huge saving when you have seven Ethernet interfaces!),
>and organise my rule numbering.
>
>I also have stuff so that you basically only have to map the logical
>interfaces (oif, iif, etc.) to the physical interfaces (fxp0, fxp1, etc.)
>and it sets the other variables for you (oip, omask, iip, imask, etc.).

There's a rule generation script on the IPFilter site (I believe it's
called "mkfilter") that does some of this already, though it makes the
mistake of using IP addresses instead of interface names. (When your
address is assigned via DHCP, as many are, you want to use interface
names so that the rules are independent of your current IP.)
--Brett
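The kind of generator the thread is talking about, keyed on interface names rather than addresses, as an added example; it is not code from the message above, from Tony's rc.firewall, or from FreeBSD's own /etc/rc.firewall. The logical names (oif, iif, dmz), the physical interfaces (fxp0, fxp1, fxp2), the inside networks, and the rule-number layout (one block of 100 numbers per interface, starting at 1000) are all constructed for the illustration. The outside interface is deliberately given no network, which is the DHCP case Brett describes: every rule touching it matches on `via fxp0`, so nothing has to change when the lease hands out a new address.

```shell
#!/bin/sh
# Added example: emit ipfw anti-spoofing rules from a logical->physical
# interface map, matching on interface NAMES so the rules survive a DHCP
# address change on the outside interface.  Names, interfaces and networks
# below are constructed; nothing here comes from the original post.
#
# Format: logical-name physical-interface network-or-"-"
# "-" marks the outside interface, whose address is assigned by DHCP.
IFMAP='oif fxp0 -
iif fxp1 192.168.1.0/24
dmz fxp2 10.0.0.0/24'

FWCMD="${FWCMD:-/sbin/ipfw}"
BASE=1000   # first anti-spoofing rule number (assumed layout)
STEP=100    # rule numbers reserved per interface, so each gets a block

# Print one numbered ipfw rule; the output is meant to be reviewed and then
# piped into sh, not executed directly by this script.
rule() {
    echo "$FWCMD add $1 $2"
}

gen_antispoof() {
    n=0
    echo "$IFMAP" | while read name phys net; do
        num=$((BASE + n * STEP))
        n=$((n + 1))
        if [ "$net" = "-" ]; then
            # Outside interface: its own IP is unknown at boot (DHCP), so we
            # cannot write "deny from <my-ip>".  Drop RFC 1918 and loopback
            # sources arriving on it instead, identified purely by name.
            for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
                rule $num "deny all from $bogon to any in via $phys"
                num=$((num + 1))
            done
        else
            # Inside interface: packets claiming its network as source may
            # only arrive on that interface.  Emit a deny for every other
            # interface ("in via X" matches the receiving interface).
            echo "$IFMAP" | while read oname ophys onet; do
                [ "$ophys" = "$phys" ] && continue
                rule $num "deny all from $net to any in via $ophys"
                num=$((num + 1))
            done
        fi
    done
}

gen_antispoof
```

With the map above this prints eight rules: 1000-1003 for bogon sources on fxp0, 1100-1101 for 192.168.1.0/24 arriving on fxp0 or fxp2, and 1200-1201 for 10.0.0.0/24 arriving on fxp0 or fxp1. Adding an eighth interface means adding one line to IFMAP, and the per-interface rule blocks keep the numbering readable in `ipfw show`.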