Date: Thu, 6 Mar 2003 08:55:13 -0800 (PST)
From: Dave McCammon <davemac11@yahoo.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall revisited
Message-ID: <20030306165513.86475.qmail@web41404.mail.yahoo.com>
In-Reply-To: <20030305223644.GA29314@gothmog.gr>
--- Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
> On 2003-03-05 09:32, Brian Henning <b1henning@hotmail.com> wrote:
> > Hello-
> > currently my rc.conf is set up like this for my gateway router.
> > gateway_enable="YES"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_enable="YES"
> > natd_interface="rl1"    # natd -interface rl1, public interface
> > natd_flags=""           # sysctl net.inet.ip.forwarding=1
> >
> > how can I have the script /etc/ipfw.rules run instead of
> > /etc/rc.firewall. can I change firewall_type="OPEN" to
> > firewall_type="" and create the entry firewall_script="/etc/ipfw.rules"?
>
> Why are you confused?
>
> That depends on what you're trying to do and what the contents of
> /etc/ipfw.rules are. There are currently the following ways to set up
> a completely custom set of firewall rules:
>
> 1. Rewrite /etc/rc.firewall
>
>    This can easily be done, if you replace /etc/rc.firewall with your
>    custom script. This isn't recommended though since you'd have to
>    carefully track all changes to the official version of the
>    rc.firewall script and merge any interesting stuff back to your
>    version of the script.
>
> 2. Add a new firewall "type" to rc.firewall
>
>    Copying one of the existing firewall types you can easily add a
>    new one, and make sure that it loads all (and only) the ipfw(8)
>    rules that you want. This can be difficult to keep up to date
>    after changes to the rc.firewall script, but not as difficult to
>    keep up to date as option #1.
>
> 3. Write your own version of a firewall script
>
>    Copy `rc.firewall' to a new script (i.e., `rc.firewall.local') and
>    make your changes to the new script. Then set firewall_script to
>    point to the new script in `/etc/rc.conf'. For example:
>
>    % cat /etc/rc.firewall.local
>    fwcmd="/sbin/ipfw"
>    ${fwcmd} -q flush
>    ${fwcmd} add 1 pass ip from any to any
>
>    % grep firewall_script /etc/rc.conf
>    firewall_script="/etc/rc.firewall.local"
>
>    This is a fairly nice way of doing things, but it doesn't work
>    correctly if you want to tweak the way ipfw(8) is called by
>    setting things like firewall_quiet="YES" in your `rc.conf' file.
>    Mostly because the logic for all those firewall_xxx options is
>    implemented as part of the existing `rc.firewall' script.
>
> 4. Create a ruleset file, and point rc.firewall to it
>
>    You can always write your own set of firewall rules, without a
>    ${fwcmd} prefix, and save it to a file, i.e. `/etc/ipfw.rules'.
>    This is a plain text file that contains *only* firewall rules.
>    No shell commands. You can use `#' for comments (as shown in the
>    sample file below):
>
>    % cat /etc/ipfw.rules
>    flush
>    add allow ip from any to any
>
>    Then you just need to make sure that your `rc.conf' contains the
>    following two lines:
>
>    firewall_enable="YES"
>    firewall_type="/etc/ipfw.rules"
>
>    The firewall_type value is the *FULL* path to the ruleset file. It
>    is important to include the leading `/' character. This way,
>    ipfw(8) will know that this is the path of a rule file and not the
>    name of a command (like `add' in `ipfw add ...').
>
>    This is the way I usually prefer setting ipfw(8) up. For various
>    reasons. One of them is that my firewall rules are not lost in
>    between the lines of some shell script that I don't remember I have
>    edited. Another reason is that having made no changes to the
>    original `rc.firewall' script, there is no need to take care of
>    merging changes later with mergemaster(8).
>
> Phew. This was long.

GREAT Explanation. The difference in using firewall_script and
firewall_type ought to be outlined in the Handbook.

__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
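An added example, not part of this thread or of FreeBSD's own rc scripts, illustrating option 4 from the reply above: a ruleset file in the form that firewall_type="/etc/ipfw.rules" expects (ipfw rule text only, no ${fwcmd} or ipfw prefix, no shell), together with a lint that catches exactly the mistakes the reply warns about, and a check of how a firewall_type value starting with `/' is treated as a file rather than a keyword. The ruleset itself is constructed: rl1 as the public interface comes from the question, rl0 as the LAN interface is an assumption, and the default-deny rules are illustrative, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows option 4 from the reply:
# a ruleset file in the form firewall_type="/etc/ipfw.rules" expects (ipfw
# rules only, no ${fwcmd} prefix, no shell), plus a lint that catches the
# mistakes the reply warns about. Interface names (rl1 public, rl0 LAN) and
# the rule set itself are constructed assumptions, not the poster's config.

# Write a constructed default-deny NAT gateway ruleset to the file named in $1.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Constructed /etc/ipfw.rules: only ipfw(8) rule text, comments with '#'.
flush
# Hand packets crossing the public interface to natd (divert port "natd").
add 100 divert natd ip from any to any via rl1
# Packets belonging to a session we already allowed out.
add 200 check-state
# Anything may leave via the public interface; remember the session.
add 300 allow ip from any to any out via rl1 keep-state
# Trusted LAN side (assumed rl0) and loopback.
add 400 allow ip from any to any via rl0
add 500 allow ip from any to any via lo0
# Everything else, notably unsolicited inbound on rl1, is dropped and logged.
add 65000 deny log ip from any to any
EOF
}

# Return 0 if $1 contains only ipfw rule lines (blank lines and '#' comments
# allowed), 1 otherwise. Flags the two common mistakes: a "${fwcmd}"/"ipfw"
# prefix copied from a shell script, and shell metacharacters ipfw won't parse.
lint_ipfw_rules() {
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f                      # no globbing while splitting the line
        set -- $line
        set +f
        [ $# -eq 0 ] && continue    # blank line
        case $1 in
            '#'*) continue ;;       # comment line
        esac
        case $line in
            *'$'*|*'`'*|*';'*|*'|'*|*'&'*)
                printf 'line %d: shell syntax in rule file: %s\n' "$lineno" "$line" >&2
                status=1
                continue ;;
        esac
        case $1 in
            ipfw)
                printf 'line %d: drop the "ipfw" prefix, rc.firewall supplies it: %s\n' \
                    "$lineno" "$line" >&2
                status=1 ;;
            flush|add|delete|set|zero|resetlog|enable|disable|table|pipe|queue|nat) ;;
            *)
                printf 'line %d: not an ipfw rule: %s\n' "$lineno" "$line" >&2
                status=1 ;;
        esac
    done < "$file"
    return $status
}

# Mirror how a firewall_type value is interpreted: a value starting with '/'
# names a ruleset file (which must be readable); anything else is treated as
# a keyword such as OPEN or CLIENT. Returns 0 only for a usable file path.
firewall_type_is_ruleset_file() {
    case $1 in
        /*) [ -r "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Stand-alone demo: build the sample file, lint it, show the rc.conf line.
demo=$(mktemp)
write_sample_ruleset "$demo"
if lint_ipfw_rules "$demo" && firewall_type_is_ruleset_file "$demo"; then
    echo "ok: usable as firewall_type=\"$demo\" with firewall_enable=\"YES\""
fi
rm -f "$demo"
```

On the FreeBSD host itself the authoritative check is ipfw(8)'s -n flag, which parses a command without passing it to the kernel; the lint above only catches the shell-versus-rule-file confusion the reply describes, it does not validate ipfw rule grammar.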
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030306165513.86475.qmail>