Date: Thu, 19 Apr 2001 20:02:17 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: default ipfilter rules
Message-ID: <20010419200217.U20830@speedy.gsinet>
In-Reply-To: <n19dmsny.fsf@gits.dyndns.org>; from clefevre-lists@noos.fr on Thu, Apr 19, 2001 at 06:15:29AM +0200
References: <005701c0c61e$728aa020$0200000a@satan> <n19dmsny.fsf@gits.dyndns.org>
On Thu, Apr 19, 2001 at 06:15 +0200, Cyrille Lefevre wrote:
> "Daryl Chance" <dchance@midsouth.rr.com> writes:
>
> > In light of the recent ipfilter problems, I was looking around
> > in /etc and noticed that there's no default ipf.rules or
> > ipfilter.rules. Is there a reason for this? ipfw has rc.firewall
> [snip]
>
> maybe the following files could be installed in /usr/share/examples/ipf ?
>
> /usr/src/contrib/ipfilter/rules

That's exactly what is referenced next to where the rules file is
specified (see the search commands below). What comes to mind is the
fact that not everybody has sources available, while
/usr/share/examples is more likely to be installed (but still cannot
be taken as a given). So the current situation might not really be
satisfactory for most binary-only installations.

But I feel setting up packet filter rules should always be done by
the admin himself, knowingly and driven by his own requirements. It
might be fine to have something to glance at for copying, but
choosing a given suggested(!) configuration without understanding the
ruleset will cause trouble. Either functionality is missing (too
restrictive) or unexpected holes are open (too widely opened). A
preinstalled configuration can never be more than a template, since
everybody has different requirements.

Although I guess an rc.firewall "translation" into ipf(5) syntax will
be appreciated and accepted if provided and not only requested. :>

$ grep -C ipfilter /etc/defaults/rc.conf
[ ... 19 lines snipped, this would be the intuitive way while the
really interesting part comes from the next command which is some
kind of "optimized" ... ]
$ grep -A 1 ipfilter_rules /etc/defaults/rc.conf
ipfilter_rules="/etc/ipf.rules"   # rules definition file for ipfilter, see
                                  # /usr/src/contrib/ipfilter/rules for examples
$ man rc.conf
[ ... search for "ipfilter" (second hit) or "ipfilter_enable" (first) ... ]
     ipfilter_enable
             (bool) Set to NO by default.  Setting this to YES enables
             ipf(8) packet filtering.
             [ ... ]
             [ ... ] Typical usage will require putting [ ... settings ... ]
             into /etc/rc.conf and editing /etc/ipf.rules and
             /etc/ipnat.rules appropriately.
             [ ... ]

But I really wouldn't know where to point to from within this manpage
paragraph. One simply cannot assume any /usr/share or
/usr/src/contrib to be available on every machine. And not everybody
reading manpages will have network access at setup / configuration
time to see the IPF HowTo.

Maybe the most helpful path would be to "translate" the rc.firewall
skeletons (case branches) into separate /usr/share/examples/ipf
files, each containing ipf.rules and ipnat.rules sections. I suggest
that none of these skeletons should be usable by merely doing cp(1);
they all should force the admin to choose one and edit it into the
shape local requirements demand.

> UNIX is user-friendly; it's just particular
> about who it chooses to be friends with.

Your .sig fits the thread really well. :)

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
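An added example, not part of the message above and not a file shipped by FreeBSD: a skeleton of the kind the message proposes for /usr/share/examples/ipf, written in ipf(5) syntax as a translation of the simplest rc.firewall style (a single-interface host that denies inbound traffic, lets its own outbound connections through statefully, and admits one inbound service). The interface name fxp0, the file name and the choice of ssh as the admitted service are assumptions that must be edited before use, which is exactly the point the message makes about templates.

```conf
# client.rules -- ADDED EXAMPLE skeleton in ipf(5) syntax, not FreeBSD's own file.
# Edit the interface name and the admitted services, then copy to /etc/ipf.rules.
# ipf(5) semantics: the LAST matching rule wins unless it carries "quick",
# and packets matching an existing state entry pass before the rules are read.

# --- assumptions (hypothetical, edit these) ---
# fxp0 : the host's only network interface
# inbound ssh (tcp/22) from anywhere is the only admitted service

# Loopback is always trusted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Drop and log packets on the wire that claim a loopback source.
block in log quick on fxp0 from 127.0.0.0/8 to any

# Let this host initiate connections; "keep state" admits the replies
# without a separate inbound rule. "flags S" creates state only on a SYN,
# so a stray ACK or RST cannot open a state entry.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Admitted inbound services: one line per service, nothing else.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Default deny for everything that did not match above. Logging the
# inbound side is what tells you the template is too restrictive.
block in  log quick on fxp0 all
block out quick on fxp0 all

# Matching /etc/rc.conf lines (the defaults file already names /etc/ipf.rules):
#   ipfilter_enable="YES"
#   ipfilter_rules="/etc/ipf.rules"
```

Before enabling it, parse the file without loading anything with `ipf -nf /etc/ipf.rules`; `ipf -Fa -f /etc/ipf.rules` then flushes the active set and loads this one, and `ipfstat -hio` lists the loaded inbound and outbound rules with hit counts, which is the quickest way to see which block rule is eating traffic the template should have allowed.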
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010419200217.U20830>