From: Eric F Crist
Date: Mon, 3 Jan 2005 16:04:16 -0600
To: Erik Norgaard
Cc: Timothy Luoma
Cc: FreeBSD-Questions Questions
Subject: Re: my lame attempt at a shell script...

On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
>> elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
>> then
>>      echo "Syntax error in /etc/rc.conf file. grog_firewall_enable
>> must be YES or NO"
>> fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or
> pf - I wrote a replacement for ipfilter as I got dizzy trying to
> maintain a too long ruleset so I wanted to split it into multiple
> files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of
> scripts to look at - don't look at rc.firewall.
>
> The scripts in /etc/rc.d are executed as ordered by rcorder(8).
>
> Create your script and load rc.subr:
>
>   . /etc/rc.subr
>
> which gives you a lot of predefined handy functions. Set the "name"
> variable in the script, e.g.:
>
>   name="grog"  # Name of my firewall script
>
> it is customary to call the script the same. Follow by
>
>   load_rc_config $name
>
> most scripts then just include the line
>
>   run_rc_command "$1"
>
> - everything is defined by the functions in rc.subr. Now, you can set
> the commands to be run and define them in your script, see e.g.
> ipfilter.
>
> rc.subr also contains a "checkyesno" function answering your question
> above - however, it is normal to check "[Yy][Ee][Ss]" and treat
> everything else as a no. After all, what are you gonna do if you only
> accept "yes" or "no" but someone typed "yeah right"? You must have a
> default action.
>

Sorry for the double reply, but I forgot to respond to the top half of
this email. By including /etc/rc.subr, what exactly do I gain?
There are already built-in means to execute a custom firewall script:

     firewall_enable
                 (bool) Set to ``YES'' to load firewall rules at startup.
                 If the kernel was not built with options IPFIREWALL, the
                 ipfw.ko kernel module will be loaded.  See also
                 ipfilter_enable.

     ipv6_firewall_enable
                 (bool) The IPv6 equivalent of firewall_enable.  Set to
                 ``YES'' to load IPv6 firewall rules at startup.  If the
                 kernel was not built with options IPV6FIREWALL, the
                 ip6fw.ko kernel module will be loaded.

     firewall_script
                 (str) This variable specifies the full path to the
                 firewall script to run.  The default is /etc/rc.firewall.

I would assume that the system would institute my firewall rules at the
correct stage of startup, and thus, don't really want to mess with that.

Please enlighten me as to rc.subr and its benefits. I'm new to shell
scripting, and I need all the knowledge I can gain.

Thanks.
_______________________________________________________
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
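
Added example, not part of the original message and not code from rc.subr: a stand-alone POSIX sh sketch of the yes/no check discussed in the quoted reply, matching `[Yy][Ee][Ss]` and falling back to "no" with a warning for anything else. The function names `knob_enabled` and `firewall_action` are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Constructed example; knob_enabled and firewall_action are hypothetical names.

# knob_enabled VARNAME: return 0 only if the named variable holds "yes" in any
# letter case. "no" returns 1 quietly; anything else (unset, a typo,
# "yeah right") also returns 1 after a warning on stderr, so there is always
# a default action. A malformed variable name returns 2 and is never eval'ed.
knob_enabled() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "knob_enabled: bad variable name: $1" >&2
            return 2 ;;
    esac
    eval "_knob_value=\${$1-}"
    case "$_knob_value" in
        [Yy][Ee][Ss]) return 0 ;;
        [Nn][Oo])     return 1 ;;
        *)
            echo "WARNING: \$$1 is '$_knob_value'; expected YES or NO, treating as NO" >&2
            return 1 ;;
    esac
}

# firewall_action: print what a startup script would do for the knob.
firewall_action() {
    if knob_enabled grog_firewall_enable; then
        echo "load rules"
    else
        echo "skip rules"
    fi
}

# Constructed sample values, as they might appear in /etc/rc.conf.
for sample in YES yes No "yeah right" ""; do
    grog_firewall_enable=$sample
    printf '%-14s -> %s\n' "'$sample'" "$(firewall_action)"
done
```
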