From: Eric F Crist <ecrist@secure-computing.net>
To: Erik Norgaard
cc: Timothy Luoma, FreeBSD-Questions
Date: Mon, 3 Jan 2005 15:52:39 -0600
Subject: Re: my lame attempt at a shell script...
In-Reply-To: <41D9BA53.4060105@locolomo.org>

On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
>> elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
>> then
>> echo "Syntax error in /etc/rc.conf file. grog_firewall_enable
>> must be YES or NO"
>> fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or
> pf - I wrote a replacement for ipfilter as I got dizzy trying to
> maintain a too long ruleset so I wanted to split it into multiple
> files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of
> scripts to look at - don't look at rc.firewall.
>
> The scripts in /etc/rc.d are executed as ordered by rcorder(8).
>
> Create your script and load rc.subr:
>
> . /etc/rc.subr
>
> which gives you a lot of predefined handy functions. Set the "name"
> variable in the script, e.g.:
>
> name="grog" # Name of my firewall script
>
> It is customary to call the script the same. Follow by
>
> load_rc_config $name
>
> Most scripts then just include the line
>
> run_rc_command "$1"
>
> - everything is defined by the functions in rc.subr. Now, you can set
> the commands to be run and define them in your script, see e.g.
> ipfilter.
>
> rc.subr also contains a "checkyesno" function answering your question
> above - however, it is normal to check "[Yy][Ee][Ss]" and treat
> everything else as a no. After all, what are you gonna do if you only
> accept "yes" or "no" but someone typed "yeah right"? You must have a
> default action.
>
> Since your script isn't default, maybe don't add default settings to
> /etc/defaults/rc.conf. Instead variables can have defaults, e.g.:
>
> ${ipfilter_program:-/sbin/ipf}
>
> will use /sbin/ipf unless the ipfilter_program variable is set.
>
> Finally, don't use bash, use /bin/sh and nothing else; you don't know
> if bash is available when your script runs.
>
> Regarding your script, which I got deleted from this mail (sorry), I
> think there is an error:
>
> if [ "$grog_firewall_enable" = "YES" ]
>
> this "=" is assignment and will always evaluate to true. You want
>
> if [ "$grog_firewall_enable" -eq "YES" ]
>
> I'm not sure if "==" works, but always be careful you're not using
> assignment in if-statements.
>
> Cheers, Erik

Thanks for the reply. I'm actually using ipfw, and this script is going to
require this. Also, this script isn't really for public use (anyone's
welcome to it, if they want); it's only for internal use.

In regards to placing variables in /etc/rc.conf, these aren't really true
variables (no pun intended), but rather system-specific device information.
My overall setup is such that each server could have a different
brand/chipset network card, and different purposes on the network. My goal
is that I can set an internal interface, an external interface, hostname,
IP addresses, and protocols independently of the actual script. Then, the
script will plug those variables into the correct places. I could put this
information in another place, like a /etc/firewall.setup file, but it'll
make my life easier if I just put it into rc.conf.

In regards to the = or -eq, I can't discern a difference in output when I
use them. Can you explain further their differences? What would NOT EQUAL
be?

Thanks.

_______________________________________________________
Eric F Crist                    "I am so smart, S.M.R.T!"
Secure Computing Networks               -Homer J Simpson
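The following is an added example written for this thread, not code from either mail or from FreeBSD's own /etc/rc.subr. It is a self-contained /bin/sh script that reimplements the checkyesno() semantics of rc.subr (YES/TRUE/ON/1 are true, NO/FALSE/OFF/0 are false, anything else is warned about and treated as false, which is the "default action" Erik refers to), shows the ${var:-default} idiom, and contrasts the test(1) operators the thread asks about: inside [ ], a single = is string equality (not assignment), != is string inequality (the "NOT EQUAL" Eric asks for), and -eq/-ne compare integers only, so -eq fails with an error on strings like YES. The variable names grog_firewall_enable and grog_firewall_program are taken from the thread; the script does not source /etc/rc.subr, so it runs on any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original mails): reimplements rc.subr's
# checkyesno() and demonstrates string vs. integer tests in /bin/sh.

# rc.conf-style defaulting: use /sbin/ipfw unless the admin set the variable.
grog_firewall_program=${grog_firewall_program:-/sbin/ipfw}

# checkyesno VARNAME: takes the NAME of a variable, as rc.subr's does.
# Returns 0 for YES/TRUE/ON/1, 1 for NO/FALSE/OFF/0, and 1 plus a warning
# for anything else ("yeah right" is handled by the default branch).
checkyesno() {
    eval _value=\$${1}
    case "$_value" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
        return 0
        ;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
        return 1
        ;;
    *)
        echo "warning: \$${1} is not set properly - see rc.conf(5)." >&2
        return 1
        ;;
    esac
}

# Inside [ ] a single "=" is STRING equality, "!=" is string inequality,
# and -eq/-ne compare INTEGERS.  Each wrapper returns the test's exit status.
str_eq() { [ "$1" = "$2" ]; }
str_ne() { [ "$1" != "$2" ]; }
int_eq() { [ "$1" -eq "$2" ] 2>/dev/null; }   # status 2 on non-numeric input

# validate_enable VALUE: the check the original elif was trying to express.
# Accepts YES or NO in any case; prints yes/no/invalid, returns 0/0/1.
validate_enable() {
    _v=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # "not equal" twice: the value is neither of the two accepted strings
    if [ "$_v" != "YES" ] && [ "$_v" != "NO" ]; then
        echo "Syntax error in /etc/rc.conf: grog_firewall_enable must be YES or NO" >&2
        echo invalid
        return 1
    fi
    if [ "$_v" = "YES" ]; then echo yes; else echo no; fi
}

# Small demonstration when the script is run directly.
demo() {
    for v in YES no "yeah right" ""; do
        grog_firewall_enable=$v
        if checkyesno grog_firewall_enable 2>/dev/null; then
            echo "grog_firewall_enable='$v' -> would start $grog_firewall_program"
        else
            echo "grog_firewall_enable='$v' -> firewall stays off"
        fi
    done
    if int_eq YES YES; then
        echo "-eq accepted YES"
    else
        echo "-eq rejects YES: it compares integers, use = or != for strings"
    fi
}
demo
```

In a real /etc/rc.d script you would drop the checkyesno() definition above and get it from `. /etc/rc.subr` instead; the point of the example is that = and != are the right operators for YES/NO strings, and that treating every unrecognised value as "no" (with a warning) is safer for a firewall script than refusing to decide.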