From owner-freebsd-questions Thu Mar 29 8:23:26 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id 30BD337B71D for ; Thu, 29 Mar 2001 08:23:22 -0800 (PST) (envelope-from lowell@be-well.ilk.org)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f2TGNJb13856; Thu, 29 Mar 2001 11:23:19 -0500 (EST) (envelope-from lowell)
To: freebsd-questions@freebsd.org, bojar@intersys.com
Subject: Re: rc.firewall vs. ipfw
References: <01Mar29.110404est.115354@gateway.intersys.com>
From: Lowell Gilbert
Date: 29 Mar 2001 11:23:19 -0500
In-Reply-To: bojar@intersys.com's message of "29 Mar 2001 18:00:16 +0200"
Message-ID: <443dbwh7d4.fsf@lowellg.ne.mediaone.net>
Lines: 33
X-Mailer: Gnus v5.7/Emacs 20.7
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

bojar@intersys.com (E. Jordan Bojar) writes:

> OK, last stupid question of the week, I hope. I'm setting up a single box
> on a hosting rack I don't own, and I want to lock it down best I can. I
> just want to let SSH, HTTP, and SMTP in for now.
>
> I understand how to do it with ipfw, but I assume those settings are lost in
> the case of accidental reboot, right? If so, is the syntax for editing
> rc.firewall any different than ipfw?

No. rc.firewall is just a script to collect the commands for setting up
the firewall. All of the commands it issues, regardless of how you
configure it, are invocations of ipfw(8) anyway.

> The "client" vs "simple" distinction also confuses me a tad, as I'm neither
> protecting a network behind me nor do I have a network I trust in front, so
> neither of these prebuilts really work for me. Can I just have rc.firewall
> reference another file with ipfw rules, or replace it altogether with this?

There are several ways to do this. I recommend that you leave
rc.firewall unchanged, and replace it altogether.

On my system, I do this by putting my own firewall script (an edited
version of rc.firewall) in rc.firewall.local, and I specify mine to be
loaded and executed by the following section in rc.conf:

# Firewall
firewall_enable="YES"                     # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall.local"  # Which script to run to set up the firewall
firewall_type="local"                     # Firewall type (see /etc/rc.firewall)
#firewall_type="new"                      # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                       # Set to YES to suppress rule display

Good luck.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
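Added example, not part of Lowell's mail or of FreeBSD's own rc.firewall: a stand-alone /etc/rc.firewall.local of the kind the rc.conf section above points to, written for the original poster's case (a single hosted box that should accept only SSH, HTTP and SMTP from outside, and originate its own connections). It is meant to be sourced by the rc scripts through firewall_script. Assumptions: the external interface name (fxp0; check ifconfig), the rule numbers, the FW_DRYRUN switch, and the use of the ipfw(8) keywords me, setup and established. The dry-run mode exists because the box is only reachable over SSH: print the rule set and read it before loading it, since a rule that blocks port 22 locks you out until someone at the rack intervenes.

```shell
#!/bin/sh
# Added example /etc/rc.firewall.local (not from the original mail or from
# FreeBSD's rc.firewall). Interface, rule numbers and FW_DRYRUN are assumptions.

# Interface facing the hosting network (assumption: fxp0).
ext_if="${ext_if:-fxp0}"

# With FW_DRYRUN=1 the rules are printed instead of loaded. If ipfw is not
# present at all (reviewing the script on another machine), fall back to
# printing rather than failing half way through.
[ -x /sbin/ipfw ] || FW_DRYRUN=1

build_rules() {
    if [ "${FW_DRYRUN:-0}" = "1" ]; then
        fwcmd="echo ipfw"
    else
        fwcmd="/sbin/ipfw"
    fi

    # Start from a known state: drop every existing rule.
    ${fwcmd} -f flush

    # Loopback traffic is fine; loopback addresses on a real wire are not.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Packets belonging to TCP sessions that were already accepted
    # (non-SYN packets); new sessions must pass a "setup" rule below.
    ${fwcmd} add 1000 allow tcp from any to any established

    # The three services this box offers to the outside: SSH, HTTP, SMTP.
    # "setup" matches only the initial SYN, so only these ports can open
    # an inbound connection.
    for port in 22 80 25; do
        ${fwcmd} add 2000 allow tcp from any to me ${port} in via ${ext_if} setup
    done

    # Connections this box opens itself (package fetches, outbound mail).
    ${fwcmd} add 3000 allow tcp from me to any out via ${ext_if} setup

    # DNS queries out and answers back; a few ICMP types so that path MTU
    # discovery, ping and traceroute keep working.
    ${fwcmd} add 4000 allow udp from me to any 53 out via ${ext_if}
    ${fwcmd} add 4100 allow udp from any 53 to me in via ${ext_if}
    ${fwcmd} add 4200 allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is refused. "log" needs IPFIREWALL_VERBOSE in the
    # kernel; the log lines are how port sweeps against the box become visible.
    ${fwcmd} add 65000 deny log ip from any to any
}

build_rules
```

Run it once with FW_DRYRUN=1 sh /etc/rc.firewall.local and check that a rule admitting port 22 appears before the final deny; only then let rc load it for real. The ordering matters: ipfw processes rules in number order and stops at the first match, so the established rule at 1000 has to sit above the service rules, and the catch-all deny has to be last.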