From: Cy Schubert - ITSD Open Systems Group
Reply-to: Cy Schubert - ITSD Open Systems Group
To: durkin
cc: Cy Schubert - ITSD Open Systems Group, freebsd-stable@FreeBSD.ORG
Subject: Re: rc.firewall and ipfw commands
In-reply-to: Your message of "Thu, 11 Jun 1998 16:39:39 EDT."
Date: Thu, 11 Jun 1998 17:59:34 -0700
Message-Id: <199806120100.SAA19961@passer.osg.gov.bc.ca>

> > On Wed, 10 Jun 1998, Cy Schubert - ITSD Open Systems Group wrote:
> >
> > > In my firewall configurations I modify rc.firewall to recognize a
> > > "user" firewall type (for user defined) and specify
> > > firewall_type="user" in my rc.conf. The "user" firewall type executes
> > > /usr/local/etc/rc.firewall.local instead of one of the predefined
> > > firewall types in rc.firewall. This may be a handy feature in the
> > > stock FreeBSD rc.firewall. If anyone wishes I can submit a PR to have
> > > this included in the FreeBSD distribution.
>
> Actually, FreeBSD's rc.firewall already has the ability to load ipfw
> commands contained within a file. Just specify the firewall type as the
> filename which contains the commands.

That is true; however, one may wish to use a shell script to dynamically build a firewall based on various dynamic conditions. rc.firewall gets executed early enough in the boot that it may make my point moot, in which case rc.firewall would block everything except DNS and NIS, then rc.local would open the firewall a bit once applications are up, using a more dynamic firewall setup script which would scan the system looking for ports to open up and make the system useful again, e.g. open up the ypserver port (which is dynamically assigned) only to NIS clients.

You're probably right that no change to the existing rc scripts is required. I'll have to think about this a little more...

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC
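As an added example, not part of the original thread or of FreeBSD's rc.firewall: a POSIX shell sketch of the kind of dynamic rule-building script the reply describes, which reads the port ypserv was assigned from rpcinfo output and generates ipfw rules that admit only the NIS clients and deny everyone else to that port. The rpcinfo text, the server address and the client addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: build ipfw rules for the dynamically assigned ypserv port.
# Everything below is constructed sample data, not a real host or network.

# Stand-in for `rpcinfo -p localhost`; a real script would capture rpcinfo here.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    718  ypserv
    100004    2   tcp    720  ypserv
    100007    2   udp    722  ypbind'

# Constructed addresses: the NIS server itself and the hosts allowed to query it.
NIS_SERVER="192.0.2.1"
NIS_CLIENTS="192.0.2.10 192.0.2.11"

# ypserv_ports <rpcinfo text> <udp|tcp>: print the port(s) ypserv registered for
# that protocol, one per line, deduplicated.
ypserv_ports() {
    printf '%s\n' "$1" |
        awk -v proto="$2" '$5 == "ypserv" && $3 == proto { print $4 }' |
        sort -u
}

# build_nis_rules <rpcinfo text> <client list>: print ipfw commands, one per line.
# For each ypserv port: an allow per client, then a deny for everyone else, so
# the rules work whatever port the portmapper handed out at boot. Rule numbers
# start at 1000 so they sit below a restrictive base set loaded by rc.firewall.
build_nis_rules() {
    rpc="$1"; clients="$2"; n=1000
    for proto in udp tcp; do
        for port in $(ypserv_ports "$rpc" "$proto"); do
            for c in $clients; do
                echo "ipfw add $n allow $proto from $c to $NIS_SERVER $port in"
                n=$((n + 1))
            done
            echo "ipfw add $n deny $proto from any to $NIS_SERVER $port in"
            n=$((n + 1))
        done
    done
}

# Print the generated rules; pipe into `sh` instead of `cat` to load them.
build_nis_rules "$SAMPLE_RPCINFO" "$NIS_CLIENTS" | cat
```

Run from rc.local after ypserv is up, as the message suggests, since the port only exists once the daemon has registered with the portmapper.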