Date:      Wed, 26 Nov 2003 23:14:00 +0000
From:      Jez Hancock <jez.hancock@munk.nu>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   Re: IPFILTER rules with shell symbolic substitution
Message-ID:  <20031126231400.GD37786@users.munk.nu>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMEIPEOAA.fbsd_user@a1poweruser.com>
References:  <008001c3b44c$cfaf6b40$f4f0a8c0@pcmedx.com> <MIEPLLIBMLEEABPDBIEGMEIPEOAA.fbsd_user@a1poweruser.com>

On Wed, Nov 26, 2003 at 02:59:00PM -0500, fbsd_user wrote:
> Ipf.test  rules file
> #!/bin/sh
> nic="l0"
> /sbin/ipf -Fa -f - <<EOF
> pass in on $nic all
> pass out on $nic all
> pass in all
> pass out all
> EOF
<snip>
> 
> Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
> statement.
The ipfilter_rules variable should contain the name of a file that
contains rules _only_ - shell variables don't get read because of the way
/etc/rc.network loads the rules:

    if [ -r "${ipfilter_rules}" ]; then
        ${ipfilter_program:-/sbin/ipf} \
            -f "${ipfilter_rules}" \
            ${ipfilter_flags}
    fi

i.e. essentially the command executed is:

/sbin/ipf -f $ipfilter_rules <ipfilter flags>

so something like:

pass in on 1.2.3.4 all
pass out on 1.2.3.4 all
pass in all
pass out all

is fine, but:

pass in on $nic all
pass out on $nic all
pass in all
pass out all

won't work unfortunately.

Given your shell script above though I'd be tempted to load the ruleset
before anything else in /usr/local/etc/rc.d (by giving it a filename of
.000.ipfilter.sh to ensure it's run before the other scripts in
/usr/local/etc/rc.d).

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
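As an added example (not part of the thread above): a small sh function that renders a template containing `$nic` into a plain rules file that ipfilter_rules can point at, so the variable is expanded once when the file is generated rather than at load time, when rc.network passes the file straight to ipf -f. The template and output paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. rc.network runs
# "ipf -f <file>" with no shell expansion, so a file containing $nic is
# passed to ipf verbatim. Render the placeholder into a static rules
# file instead and point ipfilter_rules at the result.

# render_ipf_rules TEMPLATE OUTPUT NIC
# Replaces every literal "$nic" in TEMPLATE with NIC and writes OUTPUT.
# Uses sed rather than eval so the template is never run as shell code.
render_ipf_rules() {
    template="$1"; out="$2"; nic="$3"
    # Accept only plain interface names (lo0, fxp0, ...); refuse anything
    # else so an odd value cannot end up inside the ruleset.
    case "$nic" in
        ""|*[!a-zA-Z0-9_]*) return 1 ;;
    esac
    # "[$]nic" is a literal dollar sign in sed BRE on both BSD and GNU sed.
    sed "s/[\$]nic/$nic/g" "$template" > "$out" || return 1
    # Any placeholder still unexpanded would reach ipf as-is; fail rather
    # than install a half-rendered ruleset.
    if grep -qF '$' "$out"; then
        return 1
    fi
    return 0
}

# Constructed demo input: the placeholders from the thread.
tmpl=$(mktemp); rules=$(mktemp)
cat > "$tmpl" <<'EOF'
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF

render_ipf_rules "$tmpl" "$rules" lo0 && cat "$rules"
# The rendered file (here $rules) is what ipfilter_rules should name.
```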