Date:      Fri, 16 Feb 2001 13:15:32 +0100
From:      Francesco Casadei <fcasadei@inwind.it>
To:        Wayne Pascoe <wayne.pascoe@realtime.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw reading rules from a file
Message-ID:  <20010216131532.C1227@junior.kasby>
In-Reply-To: <m3u25v3pgp.fsf@zaphod.realtime.co.uk>; from wayne.pascoe@realtime.co.uk on Fri, Feb 16, 2001 at 10:13:42AM +0000
References:  <m3u25v3pgp.fsf@zaphod.realtime.co.uk>



On Fri, Feb 16, 2001 at 10:13:42AM +0000, Wayne Pascoe wrote:
> Hi all,
>
> I am trying to 'persuade' ipfw to read rules from a file. For the
> moment, I am just using a very simple rule that will allow access from
> the world. Once this works, I will translate the firewall rules that I
> use under ipf to ipfw.
>
> In /etc/rc.conf I have the following section
>
> #
> # Firewall options
> #
> firewall_enable="YES"
> firewall_type="filename"
> firewall_flags="/etc/firewall/ipfw.soften"
> firewall_logging="YES"
>
> I have tried the following for /etc/firewall/ipfw.soften :
>
> -- try 1 --
> /sbin/ipfw allow all from any to any
>
> -- try 2 --
> allow all from any to any
>
> -- try 3 --
> 00100 allow ip from any to any
>
> None of these worked. It doesn't even seem to be reading the file in
> and using the rules.
>
> I have tried running
> sh /etc/rc.firewall
>
> from the prompt, and I get the following output :
>
> # sh /etc/rc.firewall
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/0
>
> I have tried this 3 times, each time with a different one of the above
> 3 lines in /etc/firewall/ipfw.soften.
>
> I have checked that /etc/firewall/ipfw.soften is readable.
>
> What am I doing wrong here? What does my rc.conf need to contain and
> what does the file that I read from have to look like?
>
> Lastly, does ipfw work on a first match wins basis (like iptables /
> ipchains) or does it work on a last match wins basis (like ipf) ?
>
> Thanks,
>
> --
> - Wayne Pascoe
> E-mail: wayne.pascoe@realtime.co.uk
> Phone : +44 (0) 20 7544 4668
> Mobile: +44 (0) 788 431 1675

Alternatively you may want to write your own script (e.g. /etc/fwrules)
and then put the following definitions in /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/fwrules"

The script will be as simple as:

#!/bin/sh
IPFWCMD=/sbin/ipfw

# Flush all rules
$IPFWCMD -f flush

# Firewall rules

# Allow traffic on localhost and local network
$IPFWCMD add allow ip from any to any via lo0
$IPFWCMD add allow ip from any to any via ed0

# Allow connections that I initiated
$IPFWCMD add allow tcp from any to any out xmit ppp0 setup
$IPFWCMD add allow tcp from any to any via ppp0 established

# etc, etc...

	Francesco Casadei
--
You can download my public key from http://digilander.iol.it/fcasadei/
or retrieve it from a keyserver (pgpkeys.mit.edu, wwwkeys.pgp.net, ...)

Key fingerprint is: 1671 9A23 ACB4 520A E7EE  00B0 7EC3 375F 164E B17B
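On the two questions raised in the thread, the rule-file format and the matching order, here is an added example that is neither poster's code: a small Python model of how `ipfw <file>` consumes a rule file (one complete ipfw command per line, i.e. `add 100 allow ...`, not a line starting with `/sbin/ipfw` and not a bare rule number) and of ipfw's first-match evaluation, which is why a broad `allow all from any to any` placed early makes every later deny unreachable. The step-of-100 auto-numbering and the deny default rule 65535 are simplifying assumptions of this model.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "number action proto src dst iface")  # iface '' = no 'via'

def parse_rules(text):
    """Parse what `ipfw <file>` consumes: one full ipfw command per line, e.g.
    'add 100 allow ip from any to any via lo0'. Lines that are not 'add'
    commands ('/sbin/ipfw ...', or a bare rule number) are rejected. Unnumbered
    rules get previous number + 100 (simplified auto-numbering, an assumption)."""
    rules, last = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] != "add":
            raise ValueError(f"not an ipfw add command: {raw!r}")
        tok = tok[1:]
        number = int(tok.pop(0)) if tok[0].isdigit() else last + 100
        action, proto, src, dst = tok[0], tok[1], tok[3], tok[5]
        iface = tok[7] if len(tok) > 7 and tok[6] == "via" else ""
        rules.append(Rule(number, action, proto, src, dst, iface))
        last = number
    return sorted(rules, key=lambda r: r.number)

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, proto, src, dst, iface):
    """First match wins; 'count' matches but the search continues. With no match
    the kernel default rule 65535 decides (deny unless built to accept)."""
    for r in rules:
        if r.proto not in ("ip", "all", proto) or (r.iface and r.iface != iface):
            continue
        if _addr_ok(r.src, src) and _addr_ok(r.dst, dst) and r.action != "count":
            return r.action, r.number
    return "deny", 65535

# Constructed rule file: the poster's broad 'allow all' placed before a deny.
RULES = """\
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add allow all from any to any
add deny tcp from any to 192.168.1.0/24
"""

if __name__ == "__main__":
    # The deny at 400 never fires: rule 300 already matched (first match wins).
    print(evaluate(parse_rules(RULES), "tcp", "10.0.0.5", "192.168.1.10", "ed0"))
```

Under ipf's last-match semantics the same list would deny that packet at rule 400; under ipfw it is allowed at 300, so rule order is the control to audit.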



