From owner-freebsd-stable Mon Jan 28 20:44:46 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from hsd.com.au (CPE-144-132-42-44.vic.bigpond.net.au [144.132.42.44]) by hub.freebsd.org (Postfix) with ESMTP id 1572737B402 for ; Mon, 28 Jan 2002 20:44:40 -0800 (PST)
Received: from ariel by hsd.com.au with SMTP (MDaemon.v3.0.1.R) for ; Tue, 29 Jan 2002 15:43:15 +1100
Reply-To:
From: "Andrew Cowan"
To: "Thomas Hurst"
Cc: "Nate Williams" , "Freebsd-Stable"
Subject: RE: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Date: Tue, 29 Jan 2002 15:43:15 +1100
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20020129041803.GA69785@voi.aagh.net>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-MDaemon-Deliver-To: freebsd-stable@FreeBSD.ORG
X-Return-Path: andrew.cowan@hsd.com.au
X-MDRcpt-To: freebsd-stable@FreeBSD.ORG
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> ipfw_firewall_rules_file={open,simple,etc,/etc/myfirewall.rule}
>
> The -stable firewalls are scripts, not rule files. Rule files are
> a different thing again :)

I understand that, however from a user's point of view they would be handled by the sample script.

> > If ipfw_firewall_rules_file is not specified then it does not load
> > one. (defaults to kernel setting or deny_all I think)
>
> Except ipfw_firewall_rules_file=open specifies a firewall *type*, not a
> file.

Ditto.

> How about something more along the lines of:
>
> ipfw_enable = {yes, no}
> ipfw_type = {script, rule, builtin}
> ipfw_rule = {/path/to/rule/file}
> ipfw_script = {/path/to/script}
> ipfw_builtin = {open, closed, simple, client}

Way too complicated though.
Maybe something along the lines of ppp.conf?? We could then have OPEN, SIMPLE, etc. and CUSTOM. Then you would have a fixed config file location and could reduce the rc.conf requirement to:

ipfw_load_rules={OPEN,SIMPLE,CLOSED,CLIENT,CUSTOM}

Then for kernel compiled versions:
- defaults to kernel setting
- loads rules as (and if) specified.

While un-kerneled versions would only load the module if a rule set is loaded?

It just does not need to be as complicated as it is - not that the current way is hard - rather it is nonsensical. If you could redesign the system from scratch how would you do it? It would be easy to maintain backwards compatibility so why not pretend it is from scratch?
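The single rc.conf knob proposed in this mail, ipfw_load_rules={OPEN,SIMPLE,CLOSED,CLIENT,CUSTOM}, sketched as the dispatch an rc script could perform. This is an added example, not code from the thread or from FreeBSD's own rc.firewall: the rc.firewall path, the fixed CUSTOM rule-file location /etc/ipfw.rules, the function names and the fail-closed fallback are all assumptions. It never touches a live firewall; it only prints the command it would run, so it can be exercised on any host.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): dispatch for the proposed
# ipfw_load_rules knob. Paths below are assumed, not real FreeBSD defaults.
RC_FIREWALL=/etc/rc.firewall          # assumed location of the firewall type script
CUSTOM_RULES_FILE=/etc/ipfw.rules     # assumed fixed location for the CUSTOM rule file

# Refuse a CUSTOM rule file that is missing, not a regular file, or writable by
# group/other: a world-writable rule set lets any local user rewrite the policy.
check_rules_file() {
    f=$1
    [ -f "$f" ] || { echo "rules file $f missing or not a regular file" >&2; return 1; }
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "rules file $f is group/other writable; refusing" >&2
        return 1
    fi
    return 0
}

# ipfw_plan VALUE: print the action for one ipfw_load_rules value.
#   empty value   -> nothing to load, the kernel's compiled-in policy stays in force
#   built-in type -> hand the lower-cased keyword to the rc.firewall script
#   CUSTOM        -> load the fixed rule file after checking it
#   anything else -> return 1 so the caller can fail closed rather than open
ipfw_plan() {
    value=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$value" in
        "")
            echo "no rule set requested; kernel default policy remains"
            ;;
        OPEN|SIMPLE|CLOSED|CLIENT)
            lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
            echo "sh $RC_FIREWALL $lower"
            ;;
        CUSTOM)
            check_rules_file "$CUSTOM_RULES_FILE" || return 1
            echo "ipfw -q -f flush && ipfw -q $CUSTOM_RULES_FILE"
            ;;
        *)
            echo "unknown ipfw_load_rules value '$1'" >&2
            return 1
            ;;
    esac
}

# ipfw_apply VALUE: the fail-closed wrapper an rc script would call. A typo in
# rc.conf or an unusable rule file ends in a deny-everything rule (status 2)
# instead of a host that silently came up without a firewall.
ipfw_apply() {
    ipfw_plan "$1" && return 0
    echo "ipfw -q -f flush && ipfw -q add 65000 deny ip from any to any"
    return 2
}

# Demo over constructed rc.conf values (sample input, not taken from any real host).
for v in "" OPEN client CUSTOM Opne; do
    printf 'ipfw_load_rules="%s" -> ' "$v"
    ipfw_apply "$v" || :
done
```

The two design points worth keeping from this sketch are that an unrecognised value is treated as an error and not as "no firewall", and that a rule file loaded from a fixed location is checked for ownership-style problems (here, group/other write permission) before it is handed to ipfw, since that file becomes the host's packet policy.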