From owner-freebsd-questions Fri Feb 16  4:20:00 2001
Date: Fri, 16 Feb 2001 13:15:32 +0100
From: Francesco Casadei
To: Wayne Pascoe
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw reading rules from a file
Message-ID: <20010216131532.C1227@junior.kasby>
In-Reply-To: message from wayne.pascoe@realtime.co.uk on Fri, Feb 16, 2001 at 10:13:42AM +0000
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 3.5-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG

On Fri, Feb 16, 2001 at 10:13:42AM +0000, Wayne Pascoe wrote:
> Hi all,
> 
> I am trying to 'persuade' ipfw to read rules from a file. For the
> moment, I am just using a very simple rule that will allow access from
> the world. Once this works, I will translate the firewall rules that I
> use under ipf to ipfw.
> 
> In /etc/rc.conf I have the following section
> 
> #
> # Firewall options
> #
> firewall_enable="YES"
> firewall_type="filename"
> firewall_flags="/etc/firewall/ipfw.soften"
> firewall_logging="YES"
> 
> I have tried the following for /etc/firewall/ipfw.soften :
> 
> -- try 1 --
> /sbin/ipfw allow all from any to any
> 
> -- try 2 --
> allow all from any to any
> 
> -- try 3 --
> 00100 allow ip from any to any
> 
> None of these worked. It doesn't even seem to be reading the file in
> and using the rules.
> 
> I have tried running
> sh /etc/rc.firewall
> 
> from the prompt, and I get the following output :
> 
> # sh /etc/rc.firewall
> Flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/0
> 
> I have tried this 3 times, each time with a different one of the above
> 3 lines in /etc/firewall/ipfw.soften
> 
> I have checked that /etc/firewall/ipfw.soften is readable.
> 
> What am I doing wrong here? What does my rc.conf need to contain and
> what does the file that I read from have to look like?
> 
> Lastly, does ipfw work on a first match wins basis (like iptables /
> ipchains) or does it work on a last match wins basis (like ipf) ?
> 
> Thanks,
> 
> -- 
> - Wayne Pascoe
> E-mail: wayne.pascoe@realtime.co.uk
> Phone : +44 (0) 20 7544 4668
> Mobile: +44 (0) 788 431 1675
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
> end of the original message

Alternatively you may want to write your own script (e.g.
/etc/fwrules) and then put the following definitions in /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/fwrules"

The script will be as simple as:

#!/bin/sh

IPFWCMD=/sbin/ipfw

# Flush all rules
$IPFWCMD -f flush

# Firewall rules

# Allow traffic on localhost and local network
$IPFWCMD add allow ip from any to any via lo0
$IPFWCMD add allow ip from any to any via ed0

# Allow connections that I initiated
$IPFWCMD add allow tcp from any to any out xmit ppp0 setup
$IPFWCMD add allow tcp from any to any via ppp0 established

# etc, etc...

Francesco Casadei

-- 
You can download my public key from http://digilander.iol.it/fcasadei/
or retrieve it from a keyserver (pgpkeys.mit.edu, wwwkeys.pgp.net, ...)

Key fingerprint is: 1671 9A23 ACB4 520A E7EE 00B0 7EC3 375F 164E B17B
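Added example, not part of either message above: a loader script in the spirit of the reply, written so the ruleset can be checked without touching the kernel. It also answers the two things the question left open. First, a file handed to ipfw(8) holds one ipfw subcommand per line without the leading "ipfw" (so "add 100 allow ip from any to any", not "00100 allow ..." or "/sbin/ipfw allow ..."), and rc.firewall treats a firewall_type value that is not one of its keywords as the path of such a file. Second, ipfw is first match wins: rules are walked in ascending number order and the first matching rule decides, so ordering in the file is meaningful. The interface names (ppp0, ed0), the LAN prefix, the rule numbers and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: ipfw ruleset generator, checker and loader.
# Assumed for illustration (not from the list post): external interface
# ppp0, LAN interface ed0, LAN prefix 192.168.1.0/24.
IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-ed0}
LAN=${LAN:-192.168.1.0/24}

# Emit the ruleset in the form "ipfw <file>" reads: one ipfw subcommand per
# line, no leading "ipfw".  ipfw evaluates rules in ascending number order
# and the first match decides, so the anti-spoofing denies sit above the
# permissive "established" shortcut and a logging deny closes the list.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
add 400 deny log ip from ${LAN} to any in recv ${EXT_IF}
add 500 allow ip from any to any via ${INT_IF}
add 600 allow tcp from any to any out xmit ${EXT_IF} setup
add 700 allow tcp from any to any via ${EXT_IF} established
add 800 allow icmp from any to any icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Sanity-check a ruleset on stdin before it reaches the kernel: every line
# must be "add <number> ...", numbers must strictly increase (so the order
# you read is the order ipfw matches), and the last rule must be a deny so
# nothing falls through to the default policy.  Prints "ok" and returns 0
# on success; prints the first complaint and returns 1 otherwise.
ipfw_check() {
    awk '
        !/^add [0-9]+ / { print "line " NR ": not an add rule: " $0; bad = 1; exit 1 }
        $2 + 0 <= last  { print "line " NR ": rule " $2 " is not above " last; bad = 1; exit 1 }
        { last = $2 + 0; action = $3 }
        END {
            if (bad) exit 1
            if (action != "deny") { print "last rule must be a deny, got \"" action "\""; exit 1 }
            print "ok"
        }'
}

# Write the validated ruleset to a file, e.g. the path named in rc.conf as
# firewall_type="/etc/firewall/ipfw.rules".
ipfw_write() {
    ipfw_rules | ipfw_check >/dev/null || return 1
    ipfw_rules > "$1"
}

# Validate, then flush and load in one go from a temporary file.
ipfw_load() {
    ipfw_rules | ipfw_check >/dev/null || return 1
    tmp=$(mktemp -t ipfwrules) || return 1
    ipfw_rules > "$tmp" &&
        "$IPFW" -q -f flush &&
        "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh fwrules.sh check | write <file> | load
case "${1:-}" in
    check) ipfw_rules | ipfw_check ;;
    write) ipfw_write "${2:?usage: $0 write <rules file>}" ;;
    load)  ipfw_load ;;
esac
```

"check" needs no ipfw binary, so the ruleset can be reviewed on any host; "write" produces the file for the firewall_type approach from the question, and "load" is what a firewall_script wrapper (the reply's alternative) would invoke, for example "sh /etc/fwrules.sh load".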