From: Brian Dean
Message-Id: <200004130421.AAA77112@dean.pc.sas.com>
Subject: local firewall rules
To: freebsd-ipfw@freebsd.org
Date: Thu, 13 Apr 2000 00:21:52 -0400 (EDT)
Reply-To: bsd@freebsd.org

Hi,

I just got my cable modem and decided to tighten things up a bit with a firewall. My firewall/gateway also runs NAT so that my several internal hosts can share this wonderful little pipe.

Well, "firewall_type=simple" is not sufficient for this to work (because of NAT), so I started with the 'simple' rules and modified them so that my internal LAN works the way it should. The only problem is that my outside interface gets its address via DHCP, so I can't hardcode it into the firewall rules. Thus, I put my rules into a shell script called 'rc.firewall.local' where I can determine what the interface IP address is at boot time, then set firewall_type=/etc/rc.firewall.local. Then I made the following modification to /etc/rc.firewall:

--- /etc/rc.firewall Fri Feb 11 20:14:43 2000
+++ ./rc.firewall Mon Apr 10 20:59:06 2000
@@ -228,7 +228,9 @@ [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *) - if [ -r "${firewall_type}" ]; then + if [ -x "${firewall_type}" ]; then + ${firewall_type} + elif [ -r "${firewall_type}" ]; then ${fwcmd} ${firewall_flags} ${firewall_type} fi ;;

This checks to see if the rule file is executable first, and if so, executes it; otherwise it works like before and feeds it into the 'ipfw' program. This change allows you to run a program that sets up your firewall rules, instead of forcing it to be an 'ipfw' rule file with hardcoded values.

If nobody minds, I'd like to commit this change. However, if there's another "proper" way that I should have done this, please let me know. I don't think putting these in /usr/local/etc/rc.d is sufficient, since that's the very last thing to run, and thus there is a window where traffic that you would normally block would be free to pass through the firewall.

Thanks,
-Brian
--
Brian Dean
bsd@FreeBSD.ORG
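Review bot: the executable branch (`+ ${firewall_type}`) drops `${fwcmd}` and `${firewall_flags}`, so a rule script never sees the ipfw path or the quiet flag that a plain rule file gets through `${fwcmd} ${firewall_flags} ${firewall_type}`; either export `fwcmd` and `firewall_flags` before the call or pass them as arguments, and quote the path (`"${firewall_type}"`) the way the `[ -x ... ]` and `[ -r ... ]` tests on the same lines already do. Two things also belong in the commit message or rc.conf(5): because `-x` is tested before `-r`, an existing rule file that happens to carry the execute bit will after this change be run as a program by root instead of being fed to ipfw, and since the script's exit status is not checked, a script that dies part way leaves whatever subset of rules it had loaded.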
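A worked version of the 'rc.firewall.local' approach described in the message above, added here as an illustration; it is not the poster's actual script. It reads the DHCP-assigned address from ifconfig(8) at run time, loads a NAT-aware ruleset in the spirit of the 'simple' rules, and, if the outside interface has no address yet when rc.firewall runs it, loads a deny-everything set instead, so the gateway never sits open waiting for a lease. The interface names ed0/ed1, the inside network 192.168.1.0/24, the rule numbers and the DRY_RUN knob are assumptions of this example.

```sh
#!/bin/sh
#
# /etc/rc.firewall.local: a firewall-rule *program* for a NAT gateway whose
# outside interface is configured by DHCP.  Illustration only, not the
# poster's script.  Interface names, inside network and rule numbers are
# assumed.  Set firewall_type=/etc/rc.firewall.local in rc.conf and make the
# file executable so rc.firewall runs it instead of feeding it to ipfw(8).

oif="${oif:-ed0}"                 # outside (cable modem) interface, assumed
iif="${iif:-ed1}"                 # inside LAN interface, assumed
inet="${inet:-192.168.1.0/24}"    # inside network, assumed
fwcmd="${fwcmd:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-0}"           # DRY_RUN=1: print the rules, do not load them

# Pull the first IPv4 address out of ifconfig(8) output read on stdin.
# Prints nothing and returns 1 when there is no "inet" line, which is what
# you get at boot if the DHCP lease has not been obtained yet.
addr_from_ifconfig() {
    awk '$1 == "inet" { print $2; found = 1; exit } END { exit !found }'
}

# Run one ipfw command, or echo it when DRY_RUN=1.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$fwcmd $*"
    else
        "$fwcmd" "$@"
    fi
}

# Fail-closed set used when the outside address is unknown: keep loopback
# working and drop everything else, so the window between boot and the
# first lease stays shut rather than open.
load_closed_rules() {
    fw -f flush
    fw add 100 pass all from any to any via lo0
    fw add 65000 deny log all from any to any
}

# Full NAT-aware ruleset for outside address $1.  The divert rule comes
# before the address-based deny rules so natd(8) has translated a packet
# before any rule judges it by its source or destination address.
load_rules() {
    oip="$1"
    fw -f flush
    fw add 100 pass all from any to any via lo0
    fw add 200 deny all from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    fw add 400 divert natd all from any to any via "$oif"
    # anti-spoofing: our inside net must not arrive from outside, and our
    # public address must not arrive from the inside LAN
    fw add 500 deny all from "$inet" to any in via "$oif"
    fw add 510 deny all from "$oip" to any in via "$iif"
    # RFC 1918 space has no business on the outside interface
    fw add 600 deny all from 10.0.0.0/8 to any via "$oif"
    fw add 610 deny all from 172.16.0.0/12 to any via "$oif"
    fw add 620 deny all from 192.168.0.0/16 to any via "$oif"
    fw add 700 pass tcp from any to any established
    fw add 800 pass all from any to any frag
    # log and drop new connections from outside, allow them from inside
    fw add 900 deny log tcp from any to any in via "$oif" setup
    fw add 1000 pass tcp from any to any setup
    fw add 1100 pass udp from any 53 to any
    fw add 1110 pass udp from any to any 53
    fw add 65000 deny log all from any to any
}

main() {
    if oip=$(ifconfig "$oif" | addr_from_ifconfig); then
        load_rules "$oip"
    else
        echo "rc.firewall.local: no address on $oif yet, loading closed ruleset" >&2
        load_closed_rules
    fi
}

# Act when run as /etc/rc.firewall.local (which is how rc.firewall invokes
# it) or with an explicit "load" argument; otherwise only define functions.
if [ "${1:-}" = load ] || [ "${0##*/}" = rc.firewall.local ]; then
    main
fi
```

natd(8) has to be running on the same interface (natd -interface ed0) for the divert rule to do anything; with DRY_RUN=1 the script prints the exact ipfw commands it would run, which is the easiest way to review the ruleset before making it the boot-time default.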