Date: Sun, 25 Feb 2001 15:47:36 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010225154736.O20830@speedy.gsinet>
In-Reply-To: <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>; from marcr@closed-networks.com on Sun, Feb 25, 2001 at 12:13:18PM +0000
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org> <3A9526AA.19D00D47@ocsinternet.com> <3A954152.C7887C3@gor.com> <3A97A4E6.C53ECF27@algroup.co.uk> <3A982224.893F76AF@gorean.org> <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>

On Sun, Feb 25, 2001 at 12:13 +0000, Marc Rogers wrote:
>
> I would like to see configuration code for ipfw AND ipfilter
> placed into rc.conf (and thus ipnat as well as natd). Anyway I
> won't hold my breath for a commit.

Excuse me. What exactly do you mean by these words? What's
missing? ipfw has been enabled there / gotten parameters from
for quite some time, ipf got its hooks before 4.2-RELEASE. Plus
this all only moved to an early stage in the boot process what
you could accomplish by means of /usr/local/etc/rc.d/ipf.sh
before.

----- from cvs log etc/rc.network -------------------------------
revision 1.74.2.10
date: 2000/11/11 20:33:39; author: jkh; state: Exp; lines: +32 -1
MFC: This brings support for IP Filter into rc.network and rc.conf
with the appropriate documentation added to rc.conf(5). This has
been tested in -current since Oct 6th.
-----------------------------------------------------------------

If you need some more fine grained control than "enable it, there
are the ruleset files" you might want to look at the preprocessor
hook I added to ipf (PR bin/21989). When searching for it,
consider its state -- it's closed. Darren strongly feels that
it's not a task his userland interface to the kernel rules table
(ipf(8)) has to care about and that these results can always be
gained by changing the program's invocation. So this patch will
never make it into ipfilter itself.

Although you've been free since 4.2 to specify a different
$ipfilter_program, which could be a script sourcing rc.conf
again. This enables you to do some rc.firewall like things
piping half a thousand echo commands with variable substitutions
into "ipf -f -".

What is it that you cannot achieve with all the knobs you are
provided with?

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
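
The wrapper approach described in the message above (a script named in $ipfilter_program that sources rc.conf again and pipes generated rules into "ipf -f -"), as an added example that is not part of the original e-mail or of FreeBSD's rc scripts. The variables fw_oif and fw_tcp_services and the "load" argument are hypothetical; each value is validated before it is substituted into a rule, and the ruleset is handed to ipf only if generation succeeds completely.

```sh
#!/bin/sh
# Added example, not from the original message. fw_oif and fw_tcp_services
# are hypothetical rc.conf variables; the "load" argument is an assumption.

# Print an ipf ruleset built from the variables; return 1 on any bad value
# so that a typo in rc.conf can never end up inside a rule.
gen_rules() {
    oif=${fw_oif:-}
    case "$oif" in
        ''|*[!a-z0-9]*) echo "bad fw_oif: '$oif'" >&2; return 1 ;;
    esac
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    # Non-quick default blocks come first; later "quick" rules override them.
    echo "block in on $oif all"
    echo "block out on $oif all"
    echo "pass out quick on $oif proto tcp from any to any flags S keep state"
    echo "pass out quick on $oif proto udp from any to any keep state"
    for port in ${fw_tcp_services:-}; do
        case "$port" in
            # Reject non-digits and anything longer than five digits.
            *[!0-9]*|??????*) echo "bad port: '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        echo "pass in quick on $oif proto tcp from any to any port = $port flags S keep state"
    done
}

# Generate the whole ruleset before touching the kernel: on failure nothing
# is flushed or loaded, so previously loaded rules stay in place.
load_rules() {
    rules=$(gen_rules) || return 1
    printf '%s\n' "$rules" | /sbin/ipf -Fa -f -
}

case "${1:-}" in
    load)
        if [ -r /etc/rc.conf ]; then . /etc/rc.conf; fi
        load_rules ;;
esac
```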