Date: Tue, 29 Jan 2002 15:43:15 +1100
From: "Andrew Cowan" <andrew.cowan@hsd.com.au>
To: "Thomas Hurst" <tom.hurst@clara.net>
Cc: "Nate Williams" <nate@yogotech.com>, "Freebsd-Stable" <freebsd-stable@FreeBSD.ORG>
Subject: RE: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <NEBBJIKPNGEHLCBOLMDMAECCFPAC.andrew.cowan@hsd.com.au>
In-Reply-To: <20020129041803.GA69785@voi.aagh.net>

<snip>

> ipfw_firewall_rules_file={open,simple,etc,/etc/myfirewall.rule}
>
> The -stable firewalls are scripts, not rule files. Rule files are
> a different thing again :)

I understand that, however from a user's point of view they would be handled by the sample script.

> > If ipfw_firewall_rules_file is not specified then it does not load
> > one. (defaults to kernel setting or deny_all I think)
>
> Except ipfw_firewall_rules_file=open specifies a firewall *type*, not a
> file.

ditto

<snip>

> How about something more along the lines of:
>
> ipfw_enable = {yes, no}
> ipfw_type = {script, rule, builtin}
> ipfw_rule = {/path/to/rule/file}
> ipfw_script = {/path/to/script}
> ipfw_builtin = {open, closed, simple, client}

Way too complicated though. Maybe something along the lines of ppp.conf?? We could then have OPEN, SIMPLE, etc and CUSTOM. Then you would have a fixed config file location and could reduce the rc.conf requirement to:

ipfw_load_rules={OPEN,SIMPLE,CLOSED,CLIENT,CUSTOM}

Then for kernel compiled versions
 - defaults to kernel setting
 - loads rules as (and if) specified.

While un-kerneled versions would only load module if rule is loaded?

It just does not need to be as complicated as it is - not that the current way is hard - rather it is nonsensical. If you could redesign the system from scratch how would you do it? It would be easy to maintain backwards compatibility so why not pretend it is from scratch?

<snip>