Date: Sun, 18 Nov 2012 08:29:58 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/93815 Adding save and reload ability to ipfw
Message-ID: <20121118.082958.1681649715655191312.hrs@allbsd.org>
In-Reply-To: <201210291630.q9TGU1t6059484@freefall.freebsd.org>
References: <201210291630.q9TGU1t6059484@freefall.freebsd.org>
Chris Rees <utisoft@gmail.com> wrote in <201210291630.q9TGU1t6059484@freefall.freebsd.org>:

ut> The following reply was made to PR conf/93815; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft@gmail.com>
ut> To: bug-followup@freebsd.org
ut> Cc:
ut> Subject: Re: conf/93815 Adding save and reload ability to ipfw
ut> Date: Mon, 29 Oct 2012 16:21:46 +0000
ut>
ut> Nowadays we have much simpler firewall scripts.
ut>
ut> http://www.bayofrum.net/~crees/patches/firewall-saved-rulesets.diff
ut>
ut> What does everyone think about this?

I took a look at this feature, but dumping all of the ipfw rules is not so easy (definitions of nat, pipe, queue, sched, table will not be listed by "ipfw -q", for example). We need a way to dump them first to realize this functionality. The directives "add" and "delete" in ipfw_load() and ipfw_unload() do not always work.

For the script, the current rc.d/ipfw and rc.firewall are able to load a rule file when firewall_script=/path/to/file, so ipfw_load should use it simply.

Generally speaking, writing the rules as a shell script to /foo and then ". /foo" is dangerous in the rc.d scripts because it can break the script if /foo is broken in some way. Just to let ipfw(8) load a rule file as another set and swap the current set with it is much safer.

-- Hiroki
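The following is an added example of the load-into-another-set-and-swap approach Hiroki describes above. It is not code from the PR, from the patch at bayofrum.net, or from FreeBSD's rc.d/ipfw. It assumes (hypothetically) a rule file that contains only "add" rules with no "set" keyword, that set 0 is the live set and set 1 the staging set, and it relies only on documented ipfw(8) subcommands: -n (syntax check without touching the kernel), "set disable", "delete set", "set swap". Lines that are not "add" rules (nat, pipe, queue, sched, table definitions, the ones Hiroki notes are not covered by a rule dump) pass through unchanged and take effect immediately when the file is loaded, so they are not part of the atomic swap; keep them out of the file or manage them separately.

```sh
#!/bin/sh
# Added example, not FreeBSD's rc.d/ipfw: stage an ipfw rule file in a
# disabled set, syntax-check it first, then cut over with "ipfw set swap".
# Assumptions (hypothetical): the rule file holds only "add ..." lines with
# no "set N" keyword; the live set is 0 and the staging set is 1 by default.

set -u

# Emit the rule file with every "add" rule tagged to land in set $2.
# Handles both "add allow ..." and "add 100 allow ..." (number before "set",
# as ipfw(8)'s rule syntax requires).
tag_rules_with_set() {
    # $1 = rule file, $2 = set number
    sed -E "s/^([[:space:]]*add[[:space:]]+([0-9]+[[:space:]]+)?)/\1set $2 /" "$1"
}

# Load $1 into the staging set and swap it with the live set.
# Returns non-zero and leaves the live set untouched on any failure before
# the swap, which is the property Hiroki's ". /foo" objection is about.
ipfw_load_swapped() {
    rules=$1
    live=${2:-0}
    staging=${3:-1}
    tmp=$(mktemp) || return 1

    tag_rules_with_set "$rules" "$staging" > "$tmp"

    # 1. Syntax-check the whole file before anything reaches the kernel (-n).
    if ! ipfw -n -q "$tmp"; then
        echo "ipfw_load_swapped: syntax error in $rules, set $live untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # 2. Make sure the staging set is not evaluated while it is being filled,
    #    then drop whatever a previous run left in it (an empty set is not an
    #    error worth aborting on).
    ipfw -q set disable "$staging"
    ipfw -q delete set "$staging" || :

    # 3. Load the new rules into the disabled staging set.
    if ! ipfw -q "$tmp"; then
        echo "ipfw_load_swapped: load into set $staging failed, set $live untouched" >&2
        ipfw -q delete set "$staging" || :
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"

    # 4. Cut over: the kernel exchanges the two sets in one operation.
    #    Enabled/disabled state stays with the set number, so the new rules
    #    become live and the old ones are parked, disabled, in $staging.
    ipfw -q set swap "$live" "$staging"

    # 5. Drop the old rules now that nothing evaluates them.
    ipfw -q delete set "$staging" || :
}

# Usage: source this file, then run e.g.  ipfw_load_swapped /etc/ipfw.rules 0 1
```

If step 3 fails part-way (for instance a rule ipfw -n accepts but the kernel rejects), the half-loaded set is the disabled staging set, so traffic is still filtered by the unchanged live set; that is the difference from sourcing the rules as a shell script, where an error leaves the live ruleset in whatever state the script reached.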