From: Ryan Thompson
To: K Anderson
cc: RYAN vAN GINNEKEN, freebsd-questions@freebsd.org
Date: Tue, 15 Jul 2003 02:19:53 -0600 (CST)
Subject: Re: firewall
Message-ID: <20030715021132.V78991-100000@ren.sasknow.com>
In-Reply-To: <3F13A357.4050205@comcast.net>

K Anderson wrote to RYAN vAN GINNEKEN:

> ipfw isn't some sort of daemon to be stopped and started. If you want
> to add rules, delete rules or whatever then you just do it.

Yes, unless you're doing this over a network, in which case you want to
make sure you don't break connectivity with an intermediate rule.

> Take a look at the script in /etc/rc.firewalls and you'll see that's all
> they are doing.
>
> so your firewall file should be a shell script. Even if you do man
> ipfw you'll see that in no way does ipfw accept a file name as an
> argument. Pretty simple eh?
While you can write a shell script to call firewall rules (in the style of
/etc/rc.firewall), you're wrong in your subsequent assertion; ipfw *does*
accept a pathname to a file which, according to ipfw(8):

    To ease configuration, rules can be put into a file which is processed
    using ipfw as shown in the first synopsis line. An absolute pathname
    must be used. The file will be read line by line and applied as
    arguments to the ipfw utility.

And, actually, this is pretty darn convenient, especially in conjunction
with firewall_type="/path/to/ruleset" in rc.conf, once you have tested the
ruleset, of course. :-)

- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
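The file-based loading Ryan describes, combined with his opening caveat about not cutting your own connection when reloading rules over the network, as an added example that is not code from the thread or from FreeBSD's rc.firewall. The function names, the fallback-timer pattern and the /sbin/ipfw path are my assumptions; the ipfw invocations (`ipfw -q flush`, `ipfw -q /absolute/path`) are the ones ipfw(8) documents.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Loads an ipfw ruleset file the way firewall_type="/path/to/ruleset" in
# rc.conf does (ipfw reads the file line by line as arguments) and adds a
# fallback timer so a bad rule applied over ssh cannot lock you out.
# IPFW can be overridden so the logic can be exercised with a stub.
IPFW=${IPFW:-/sbin/ipfw}
FALLBACK_PID=

# ipfw(8) requires an absolute pathname; also make sure the file is readable.
check_ruleset() {
    case $1 in
        /*) ;;
        *)  echo "ruleset path must be absolute: $1" >&2; return 1 ;;
    esac
    [ -r "$1" ] || { echo "cannot read ruleset: $1" >&2; return 1; }
}

# Replace the running rules with the contents of the file.
load_ruleset() {
    check_ruleset "$1" || return 1
    "$IPFW" -q flush && "$IPFW" -q "$1"
}

# Remote-safe variant: start a timer that restores the known-good ruleset
# $2 after $3 seconds (default 60), then load the new ruleset $1. If the
# new rules cut your session, the timer reverts them; if you can still log
# in, call confirm_ruleset to cancel the timer and keep the new rules.
# The timer ignores SIGHUP so it survives the ssh session dropping.
load_ruleset_with_fallback() {
    new=$1; old=$2; secs=${3:-60}
    check_ruleset "$new" && check_ruleset "$old" || return 1
    ( trap '' HUP; sleep "$secs"; "$IPFW" -q flush; "$IPFW" -q "$old" ) \
        >/dev/null 2>&1 &
    FALLBACK_PID=$!
    load_ruleset "$new"
}

# Cancel the fallback timer once you have verified connectivity.
confirm_ruleset() {
    [ -n "$FALLBACK_PID" ] || return 1
    if kill "$FALLBACK_PID" 2>/dev/null; then
        FALLBACK_PID=
        return 0
    fi
    echo "fallback timer already fired; old ruleset restored" >&2
    FALLBACK_PID=
    return 1
}
```

Typical use over ssh is `load_ruleset_with_fallback /etc/ipfw.new /etc/ipfw.good 60`, then open a second session and run `confirm_ruleset` from the first one only if the second session connects.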