Date: Tue, 16 Nov 2010 13:52:06 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Dave Robison <daver@vicor.com>
Cc: Grant Peel <gpeel@thenetnow.com>, freebsd-questions@freebsd.org
Subject: Re: IPFW at startup.
Message-ID: <20101116125620.Y39988@sola.nimnet.asn.au>
In-Reply-To: <20101115191049.7CD6C10656F2@hub.freebsd.org>
References: <20101115191049.7CD6C10656F2@hub.freebsd.org>
In freebsd-questions Digest, Vol 337, Issue 2, Message: 26
On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison <daver@vicor.com> wrote:

 > I haven't seen someone use "firewall_type" as a path to the config file.

It's not so uncommon.  Anyone who's based their ruleset on the handbook
section on IPFW will likely be using this method, and Grant has used it
correctly.  This is only applicable where $firewall_script is set to
'/etc/rc.firewall', but that is the default in /etc/defaults/rc.conf

 > If you check the default rc.firewall file, you will see several types of
 > default firewall settings, such as "open" and "closed". You want to set
 > "firewall_type" in rc.conf to be "open" or whatever your firewall type
 > is in /etc/rc.firewall.

Please note the last section in rc.firewall, which specifically tests
whether $firewall_type is a readable file, and if so, passes that file as
an argument to ipfw(8) (qv).

	*)
		if [ -r "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		fi
		;;
	esac

Also note that in this case, the file is not a shell script, but a set of
arguments to the ipfw command.  Grant's set is in the correct format.

 > You can probably get away with editing your existing rc.firewall to
 > include a firewall type, such as "custom", then defining firewall_type
 > as "custom" in /etc/rc.conf.

You could, but it's not necessary.  In the olden days you more or less had
to do that, but nowadays you can specify parameters for the client, simple
and workstation types, so you can get a minimal reasonably safe and
effective firewall going, at least for starters, just using rc.conf
variables.  This also means you can avoid messing with rc.firewall, so that
system updates will properly bring in any changes and additions.

The documentation for this is so far really only in /etc/rc.firewall
itself and in /etc/defaults/rc.conf .. perhaps one day $someone will
re-write the Handbook IPFW section; meanwhile ipfw(8) is definitive.

You can also start out using one of the builtin types, then save it to a
file with 'ipfw list >file', then modify things in there, add comments
etc, then specify that file as firewall_type henceforth.

Or, as Chuck has shown, you can get really fancy and use some
preprocessor :)

cheers, Ian

PS: Please don't top-post on FreeBSD lists, and if at all possible avoid
posting multiple disclaimers, that are in any case entirely inapplicable
to public list postings.
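As an added illustration (not part of Ian's mail and not FreeBSD's own rc.firewall), the POSIX sh below dry-runs the dispatch the mail describes: a firewall_type that names a builtin type is handled inside rc.firewall, anything else must be a readable file that is handed to ipfw(8) as an argument file. It also lints such a file for the mistake the mail warns about, putting a shell script or "ipfw add ..." lines where ipfw argument lines belong. The builtin names and the readable-file test come from the mail; the FWCMD and FIREWALL_FLAGS variables, the fw_* function names, the list of accepted ipfw verbs and the sample ruleset are all constructed here for the example.

```shell
#!/bin/sh
# Added example; mirrors the firewall_type handling described in the mail.
# Nothing here runs ipfw: fw_resolve_cmd only prints what rc.firewall would run.

# Builtin types handled by case branches inside /etc/rc.firewall.
FW_BUILTIN="open client simple workstation closed"
# Assumed: what rc.firewall invokes, and the optional firewall_flags value.
FWCMD="${FWCMD:-/sbin/ipfw}"
FIREWALL_FLAGS="${FIREWALL_FLAGS:-}"

# fw_resolve_cmd TYPE
# Prints "builtin:<name>" for a builtin type, the ipfw command line for a
# readable file, and fails (nothing on stdout) for anything else.
fw_resolve_cmd() {
    _type=$1
    for _b in $FW_BUILTIN; do
        [ "$_type" = "$_b" ] && { echo "builtin:$_b"; return 0; }
    done
    if [ -r "$_type" ]; then            # the test rc.firewall's "*)" branch makes
        _cmd="$FWCMD"
        [ -n "$FIREWALL_FLAGS" ] && _cmd="$_cmd $FIREWALL_FLAGS"
        echo "$_cmd $_type"
        return 0
    fi
    echo "firewall_type '$_type': neither a builtin type nor a readable file" >&2
    return 1
}

# fw_lint_file FILE
# The file is passed straight to ipfw(8), so every non-comment line must be
# ipfw arguments ("add 100 allow ..."), not shell and not "ipfw add ...".
# Accepted verbs are an assumed subset of ipfw(8); extend as needed.
fw_lint_file() {
    _n=0
    while read -r _line || [ -n "$_line" ]; do   # read strips leading blanks
        _n=$((_n + 1))
        case "$_line" in
            '#!'*)   echo "$1:$_n: shebang found; this must not be a shell script" >&2; return 1 ;;
            ''|'#'*) continue ;;                  # blank line or comment
            'ipfw '*|*'/ipfw '*)
                     echo "$1:$_n: drop the leading 'ipfw'; the file holds its arguments" >&2; return 1 ;;
            'add '*|'delete '*|flush|'-f flush'|'table '*|'pipe '*|'queue '*|'nat '*|zero*) ;;
            *)       echo "$1:$_n: unrecognised ipfw verb: $_line" >&2; return 1 ;;
        esac
    done < "$1"
    return 0
}

# Demo with a constructed ruleset in the argument format rc.firewall expects
# (rules are illustrative only; tailor them to the host).
fw_demo() {
    _dir=$(mktemp -d)
    _rules="$_dir/ipfw.rules"
    cat > "$_rules" <<'EOF'
# /etc/ipfw.rules -- loaded via firewall_type="/etc/ipfw.rules" in rc.conf
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 allow tcp from any to any established
add 400 allow tcp from any to me 22 in setup keep-state
add 65000 deny log ip from any to any
EOF
    fw_lint_file "$_rules" && fw_resolve_cmd "$_rules"
    rm -rf "$_dir"
}

fw_demo
```

Running the demo prints the command rc.firewall would execute for that file; pointing fw_lint_file at a ruleset before rebooting catches a script-shaped file that would otherwise leave the host with no rules loaded.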