Date: Fri, 13 Sep 2002 08:47:06 -0300
From: "Daniel C. Sobral" <dcs@tcoip.com.br>
To: ipfw@FreeBSD.ORG
Subject: ipfw2 and rc.firewall
Message-ID: <3D81D03A.8050009@tcoip.com.br>
rc.firewall, atm, has the following:
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
What *I* am using, post-ipfw2, is the following:
if [ -z "${IPFWSET}" ]
then
    # Clear and disable the staging set (quote the test: an unquoted
    # "set 30" would expand to two words and break [ -z ... ])
    ipfw delete set 30
    IPFWSET="set 30"
    ipfw set disable 30
fi
then ${IPFWSET} in each rule, and then:
ipfw set swap 0 `echo ${IPFWSET} | cut -d ' ' -f 2`
at the end.
This inserts all rules into set 30, disabled, and then swaps all of them at
once, _if_ rc.firewall is successfully executed to the end. It also makes
it easy to roll back if you need.
Switching between the two forms depending on whether you have ipfw2 or
not is relatively simple. The rules themselves, if IPFWSET is unset, will
work fine under ipfw1. All we would need is some way to tell ipfw2 and
ipfw1 apart so that we can select between flush and the disabled set at
the beginning/end of rc.firewall.
What do you people think?
--
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
Daniel.Sobral@tcoip.com.br
dcs@tcoip.com.br
Outros:
dcs@newsguy.com
dcs@freebsd.org
capo@notorious.bsdconspiracy.net
It's not enough to be Hungarian; you must have talent too.
-- Alexander Korda
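The staged-set cut-over described in the post, written out as an added example (not the poster's script): rules go into a disabled set, one "set swap" makes them live, and the old rules stay parked for rollback. It assumes ${fwcmd} is the ipfw binary (or a logging shim for a dry run), that ipfw2 can be told from ipfw1 by whether "ipfw set show" succeeds, and uses constructed sample rules.

```shell
#!/bin/sh
# Added example, not the script from the post: stage a rule list in a
# disabled ipfw2 set and swap it live in one step, keeping the previous
# rules for rollback; under ipfw1 fall back to flush-and-reload.
# Assumptions: ${fwcmd} is the ipfw binary (or a shim for dry runs) and
# LOADSET is the staging set, 30 as in the post.
fwcmd="${fwcmd:-ipfw}"
LOADSET="${LOADSET:-30}"

# Assumed detection: ipfw2 understands "set show", ipfw1 rejects "set".
have_ipfw2() {
    ${fwcmd} set show >/dev/null 2>&1
}

# Constructed sample rules: "<number> <action> ..." per line, no "add"
# and no set keyword; a real rc.firewall carries many more.
RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any'

load_rules() {
    if have_ipfw2; then
        # Empty the staging set and make sure it is disabled, so the
        # new rules are inert while they are being added.
        ${fwcmd} delete set "${LOADSET}" 2>/dev/null || true
        ${fwcmd} set disable "${LOADSET}" || return 1
        prefix="set ${LOADSET}"
    else
        ${fwcmd} -f flush || return 1      # ipfw1: no sets, no atomic swap
        prefix=""
    fi
    # Word splitting of ${prefix} and ${body} is intended here.
    printf '%s\n' "${RULES}" | while read -r num body; do
        ${fwcmd} add "${num}" ${prefix} ${body} || exit 1
    done || return 1
    if have_ipfw2; then
        # Cut over atomically: set 0 (live, enabled) and the staging set
        # change places, so the old rules now sit disabled in LOADSET.
        ${fwcmd} set swap 0 "${LOADSET}" || return 1
    fi
}

# Undo the last load_rules by swapping the previous rules back in.
rollback_rules() {
    ${fwcmd} set swap 0 "${LOADSET}"
}
```

Point fwcmd at a shell function that only logs its arguments to rehearse the sequence before running it against a live kernel.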
