From: Ian Smith <smithi@nimnet.asn.au>
To: Dave Robison
Cc: Grant Peel, freebsd-questions@freebsd.org
Date: Tue, 16 Nov 2010 13:52:06 +1100 (EST)
Subject: Re: IPFW at startup.
Message-ID: <20101116125620.Y39988@sola.nimnet.asn.au>
In-Reply-To: <20101115191049.7CD6C10656F2@hub.freebsd.org>

In freebsd-questions Digest, Vol 337, Issue 2, Message: 26
On Mon, 15 Nov 2010 10:52:41 -0800 Dave Robison wrote:

 > I haven't seen someone use "firewall_type" as a path to the config file.

It's not so uncommon. Anyone who's based their ruleset on the handbook
section on IPFW will likely be using this method, and Grant has used it
correctly. This is only applicable where $firewall_script is set to
'/etc/rc.firewall', but that is the default in /etc/defaults/rc.conf.

 > If you check the default rc.firewall file, you will see several types of
 > default firewall settings, such as "open" and "closed". You want to set
 > "firewall_type" in rc.conf to be "open" or whatever your firewall type
 > is in /etc/rc.firewall.

Please note the last section in rc.firewall, which specifically tests
whether $firewall_type is a readable file, and if so, passes that file as
an argument to ipfw(8) (qv).

    *)
        if [ -r "${firewall_type}" ]; then
            ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
    esac

Also note that in this case, the file is not a shell script, but a set of
arguments to the ipfw command. Grant's set is in the correct format.

 > You can probably get away with editing your existing rc.firewall to
 > include a firewall type, such as "custom", then defining firewall_type
 > as "custom" in /etc/rc.conf.

You could, but it's not necessary. In the olden days you more or less had
to do that, but nowadays you can specify parameters for the client, simple
and workstation types, so you can get a minimal, reasonably safe and
effective firewall going, at least for starters, just using rc.conf
variables. This also means you can avoid messing with rc.firewall, so that
system updates will properly bring in any changes and additions.

The documentation for this is so far really only in /etc/rc.firewall
itself and in /etc/defaults/rc.conf .. perhaps one day $someone will
re-write the Handbook IPFW section; meanwhile ipfw(8) is definitive.

You can also start out using one of the builtin types, then save it to a
file with 'ipfw list >file', then modify things in there, add comments
etc, then specify that file as firewall_type henceforth.

Or, as Chuck has shown, you can get really fancy and use some
preprocessor :)

cheers, Ian

PS: Please don't top-post on FreeBSD lists, and if at all possible avoid
posting multiple disclaimers, that are in any case entirely inapplicable
to public list postings.
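As an added worked example (not part of Ian's message, and not FreeBSD's own rc.firewall), the POSIX sh script below models the dispatch at the end of /etc/rc.firewall that Ian quotes, and checks a rules file for the mistake he warns about: writing it as a shell script when it is really a list of ipfw(8) arguments that ipfw reads itself. The builtin type names, the list of accepted ipfw leading words, the rc.conf lines in the comments and both sample rules files are assumptions for illustration. Nothing here runs ipfw; the script only prints the command line rc.firewall would run, so it can be tried on any system.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.firewall).  Models the last "*)" arm of
# /etc/rc.firewall and sanity-checks a rules file.  ipfw is never called;
# the command rc.firewall would run is printed instead.
#
# rc.conf settings this corresponds to (assumed, matching the thread):
#   firewall_enable="YES"
#   firewall_script="/etc/rc.firewall"   # the default
#   firewall_type="/etc/ipfw.rules"      # a readable file, not a builtin name
#   firewall_quiet="YES"                 # rc.firewall then passes -q to ipfw

# Builtin types matched by the case statement in /etc/rc.firewall
# (assumed list; rc.firewall matches them case-insensitively).
FW_BUILTIN="open client simple closed workstation"

# Leading words ipfw(8) accepts in a rules file (assumed, partial list).
FW_VERBS="add delete flush list show zero resetlog enable disable set table nat pipe queue sched"

# fw_dispatch TYPE [FLAGS]: what rc.firewall does with $firewall_type.
# Prints "builtin:NAME" for a builtin type, or the ipfw command line for a
# readable file (the "*)" arm); returns 1 for anything else.
fw_dispatch() {
    firewall_type=$1
    firewall_flags=${2:--q}
    fwcmd=ipfw
    lc=$(printf '%s' "$firewall_type" | tr 'A-Z' 'a-z')
    for t in $FW_BUILTIN; do
        if [ "$lc" = "$t" ]; then
            echo "builtin:$t"
            return 0
        fi
    done
    if [ -r "${firewall_type}" ]; then
        echo "${fwcmd} ${firewall_flags} ${firewall_type}"
        return 0
    fi
    echo "firewall_type '$firewall_type': neither a builtin type nor a readable file" >&2
    return 1
}

# check_rules_file FILE: ipfw reads the file itself, one command per line,
# '#' comments allowed.  sh never executes it, so a shebang, shell variables
# and lines that are not ipfw commands are mistakes.  Prints the bad-line count.
check_rules_file() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case $line in
        '#!'*)
            echo "$file:$n: shebang; this file is not a shell script" >&2
            bad=$((bad + 1)) ;;
        '#'*|'')
            ;;   # comment or blank line: ignored by ipfw
        *'$'*)
            echo "$file:$n: ipfw does not expand shell variables: $line" >&2
            bad=$((bad + 1)) ;;
        *)
            verb=${line%%[[:space:]]*}
            case " $FW_VERBS " in
            *" $verb "*) ;;
            *)  echo "$file:$n: not an ipfw command: $line" >&2
                bad=$((bad + 1)) ;;
            esac ;;
        esac
    done < "$file"
    echo "$bad"
}

# Constructed sample in the correct format.  No "flush" here: rc.firewall
# already runs "${fwcmd} -f flush" before it reaches the case statement.
write_good_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# /etc/ipfw.rules (constructed sample): ipfw(8) arguments, one command per line
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from me to any setup keep-state
add 600 allow udp from me to any 53 keep-state
add 700 allow tcp from any to me 22 setup
add 65000 deny log ip from any to any
EOF
    echo "$f"
}

# Constructed sample of the mistake: a shell script where ipfw arguments belong.
write_bad_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
oif="em0"
add 100 allow ip from any to any via $oif
EOF
    echo "$f"
}

# Demo when run directly: both dispatch paths, both checks.
good=$(write_good_rules); bad=$(write_bad_rules)
fw_dispatch open; fw_dispatch "$good"
echo "bad lines: good=$(check_rules_file "$good") bad=$(check_rules_file "$bad")"
rm -f "$good" "$bad"
```

On a real FreeBSD box the equivalent of check_rules_file is `ipfw -n /etc/ipfw.rules`, which parses the file without loading anything into the kernel; run that before pointing firewall_type at a new file, since a syntax error partway through leaves you with whatever rules were accepted up to that line.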