Date: Tue, 15 Jul 2003 02:48:54 -0700
From: K Anderson <freebsduser@comcast.net>
To: Ryan Thompson <ryan@sasknow.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall
Message-ID: <3F13CE06.6050607@comcast.net>
In-Reply-To: <20030715021132.V78991-100000@ren.sasknow.com>
References: <20030715021132.V78991-100000@ren.sasknow.com>
Ryan Thompson wrote:
> K Anderson wrote to RYAN vAN GINNEKEN:
>
>> ipfw isn't some sort of daemon to be stopped and started. If you want
>> to add rules, delete rules or what ever then you just do it.
>
> Yes, unless you're doing this over a network, in which case you want to
> make sure you don't break connectivity with an intermediate rule.
>
>> Take a look at the script in /etc/rc.firewalls and you'll see that's all
>> they are doing.
>>
>> so your firewall file should be a shell script. Even if you do man
>> ipfw you'll see that in no way does ipfw accept a file name as an
>> argument. Pretty simple eh?
>
> While you can write a shell script to call firewall rules (in the style
> of /etc/rc.firewall), you're wrong in your subsequent assertion; ipfw
> *does* accept a pathname to a file which, according to ipfw(8):
>
>     To ease configuration, rules can be put into a file which is processed
>     using ipfw as shown in the first synopsis line. An absolute pathname
>     must be used. The file will be read line by line and applied as
>     arguments to the ipfw utility.
>
> And, actually, this is pretty darn convenient, especially in conjunction
> with firewall_type="/path/to/ruleset" in rc.conf, once you have tested
> the ruleset, of course. :-)
>
> - Ryan

Hmmm, pretty neat. I re-read the man page for it and yep, it sure does take a
file name (like you all said, and the man page said, an absolute path. Doh).
Thanks for the response. :)
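Ryan's two points in the message above (ipfw reads a rules file line by line when given an absolute pathname, and loading rules over the network must not cut your own session) as an added example that is not code from the thread or from FreeBSD: a POSIX sh script that writes a constructed ipfw ruleset file, checks it before ipfw ever sees it, and loads it with a rollback timer. The function names check_ruleset and load_ruleset, the sample rules, the rule numbers and the 192.0.2.0/24 admin network are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Validates an ipfw(8) ruleset file of the
# kind ipfw reads directly (one rule per line, each line applied as ipfw
# arguments, referenced by absolute path) and loads it with a rollback timer so
# that a mistake made over SSH does not lock you out. Function names, the sample
# rules and the 192.0.2.0/24 admin network are assumptions of this example.

# Constructed sample ruleset, written to a temp file so the script runs offline.
RULESET=$(mktemp /tmp/ipfw.rules.XXXXXX)
trap 'rm -f "$RULESET"' EXIT
cat > "$RULESET" <<'EOF'
# -f flush: clear existing rules without the interactive prompt
-f flush
# loopback traffic is fine; loopback addresses on other interfaces are spoofed
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# management first: stateful SSH from the admin network, ahead of any deny-all
add 1000 check-state
add 1100 allow tcp from 192.0.2.0/24 to me 22 setup keep-state
add 1200 allow tcp from me to any setup keep-state
add 1300 allow udp from me to any 53 keep-state
# default deny, logged
add 65000 deny log ip from any to any
EOF

# check_ruleset FILE: returns 0 if FILE is an absolute, readable ruleset whose
# lines use known ipfw verbs and which keeps an SSH allow rule ahead of the
# default deny; otherwise prints the problem on stderr and returns 1.
check_ruleset() {
    f=$1
    case $f in
        /*) ;;
        *) echo "ruleset path must be absolute (ipfw(8) requires it): $f" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    awk '
    BEGIN { bad = 0; mgmt = 0; last_deny = 0 }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    {
        if ($1 !~ /^(-f|-q|add|delete|flush)$/) {
            printf("line %d: unknown ipfw verb %s\n", NR, $1) > "/dev/stderr"; bad = 1
        }
        if ($1 == "add" && $2 ~ /^[0-9]+$/) {
            num = $2 + 0
            if (mgmt == 0 && $0 ~ / allow tcp .* to me 22( |$)/) mgmt = num
            if ($0 ~ / deny .*ip from any to any/ && num > last_deny) last_deny = num
        }
    }
    END {
        if (mgmt == 0) { print "no SSH management allow rule found" > "/dev/stderr"; bad = 1 }
        else if (last_deny > 0 && mgmt > last_deny) { print "SSH rule comes after the default deny" > "/dev/stderr"; bad = 1 }
        exit bad
    }' "$f"
}

# load_ruleset FILE [GRACE]: validate, then load with a rollback timer. If the
# new rules cut your session you cannot cancel the timer, and after GRACE
# seconds the firewall is flushed back to an open ruleset (the "allow all" rule
# is an assumption; pick whatever fallback suits the host) so you can fix the
# file and retry. Once you have confirmed access, cancel it with: kill <pid>.
load_ruleset() {
    f=$1; grace=${2:-60}
    check_ruleset "$f" || return 1
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not present on this host; ruleset validated only" >&2
        return 0
    fi
    ( sleep "$grace" && ipfw -q -f flush && ipfw -q add 100 allow ip from any to any ) &
    timer=$!
    if ! ipfw -q "$f"; then      # ipfw reads the file line by line (absolute path)
        kill "$timer" 2>/dev/null
        return 1
    fi
    echo "rules loaded from $f; run 'kill $timer' within ${grace}s to keep them"
}

if check_ruleset "$RULESET"; then
    echo "ruleset $RULESET passes the checks"
fi
```

Once a ruleset passes and has been exercised this way, the same file is what you point firewall_type="/path/to/ruleset" at in rc.conf, as Ryan describes; the rollback timer is only for the interactive load over the network.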