From owner-freebsd-questions Fri Feb 16 8:29:28 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from tiger.ciberlynx.net (ns2.ciberlynx.net [216.242.0.3]) by hub.freebsd.org (Postfix) with ESMTP id A0BA637B65D for ; Fri, 16 Feb 2001 08:29:20 -0800 (PST)
Received: from localhost (wjm@localhost) by tiger.ciberlynx.net (8.9.3/8.9.3) with ESMTP id LAA10725; Fri, 16 Feb 2001 11:29:15 -0500
Date: Fri, 16 Feb 2001 11:29:15 -0500 (EST)
From: "wjm@ciberlynx.net"
To: Francesco Casadei
Cc: Wayne Pascoe, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw reading rules from a file
In-Reply-To: <20010216131532.C1227@junior.kasby>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

He's right... You've put in your firewall rules yet you are not calling
upon ipfw prior to each rule.

#!/bin/sh
IPFWCMD=/sbin/ipfw

# Firewall rules
$IPFWCMD add allow ip from etc, etc, etc...
$IPFWCMD add allow ip from any to etc, etc, etc...

./Bill

On Fri, 16 Feb 2001, Francesco Casadei wrote:

> On Fri, Feb 16, 2001 at 10:13:42AM +0000, Wayne Pascoe wrote:
> > Hi all,
> >
> > I am trying to 'persuade' ipfw to read rules from a file. For the
> > moment, I am just using a very simple rule that will allow access from
> > the world. Once this works, I will translate the firewall rules that I
> > use under ipf to ipfw.
> >
> > In /etc/rc.conf I have the following section
> >
> > #
> > # Firewall options
> > #
> > firewall_enable="YES"
> > firewall_type="filename"
> > firewall_flags="/etc/firewall/ipfw.soften"
> > firewall_logging="YES"
> >
> > I have tried the following for /etc/firewall/ipfw.soften :
> >
> > -- try 1 --
> > /sbin/ipfw allow all from any to any
> >
> > -- try 2 --
> > allow all from any to any
> >
> > -- try 3 --
> > 00100 allow ip from any to any
> >
> > None of these worked. It doesn't even seem to be reading the file in
> > and using the rules.
> >
> > I have tried running
> > sh /etc/rc.firewall
> >
> > from the prompt, and I get the following output :
> >
> > # sh /etc/rc.firewall
> > Flushed all rules.
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/0
> >
> > I have tried this 3 times, each time with a different one of the above
> > 3 lines in /etc/firewall/ipfw.soften
> >
> > I have checked that /etc/firewall/ipfw.soften is readable.
> >
> > What am I doing wrong here? What does my rc.conf need to contain and
> > what does the file that I read from have to look like?
> >
> > Lastly, does ipfw work on a first match wins basis (like iptables /
> > ipchains) or does it work on a last match wins basis (like ipf) ?
> >
> > Thanks,
> >
> > --
> > - Wayne Pascoe
> > E-mail: wayne.pascoe@realtime.co.uk
> > Phone : +44 (0) 20 7544 4668
> > Mobile: +44 (0) 788 431 1675
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
> end of the original message
>
> Alternatively you may want to write your own script (e.g.
> /etc/fwrules) and then put the following definitions in /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/fwrules"
>
> The script will be as simple as:
>
> #!/bin/sh
> IPFWCMD=/sbin/ipfw
>
> # Flush all rules
> $IPFWCMD -f flush
>
> # Firewall rules
>
> # Allow traffic on localhost and local network
> $IPFWCMD add allow ip from any to any via lo0
> $IPFWCMD add allow ip from any to any via ed0
>
> # Allow connections that I initiated
> $IPFWCMD add allow tcp from any to any out xmit ppp0 setup
> $IPFWCMD add allow tcp from any to any via ppp0 established
>
> # etc, etc...
>
> Francesco Casadei
>

--
--------------------------------------------------------
William Melanson - CiberLynx Technical Support Manager
--------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
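Added worked example (editor's code, not a script posted by Bill, Francesco or Wayne): a complete firewall_script of the kind Francesco describes, with a dry-run mode so the rule set can be reviewed before it is loaded. Two facts about the 4.x tooling matter here. First, ipfw is first-match: rules are walked in ascending number order and the first allow or deny that matches a packet decides (the opposite of ipf's last-match default), so the catch-all deny goes at the highest number. Second, rc.firewall treats a firewall_type value that is not one of its built-in names (open, client, simple, closed, UNKNOWN) as a path and runs `ipfw ${firewall_flags} ${firewall_type}` only if that path is readable; the literal value "filename" is not a readable file, so nothing after rules 100 and 200 gets loaded, and a file used that way holds bare ipfw commands such as `add 100 allow ip from any to any via lo0`, with no /sbin/ipfw prefix. The interface names ed0 and ppp0, the rule numbers and the DRY_RUN variable are assumptions for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example firewall_script for /etc/rc.conf:
#   firewall_enable="YES"
#   firewall_script="/etc/fwrules"
# Not the posters' code.  Assumed, not from the thread: ed0 is the LAN
# interface, ppp0 is the Internet link, DRY_RUN=1 prints the rule set
# instead of loading it.
#
# ipfw is first-match: rules are checked in ascending number order and the
# first allow/deny that matches decides, so the catch-all deny is last.

INT_IF="${INT_IF:-ed0}"      # assumed LAN interface
EXT_IF="${EXT_IF:-ppp0}"     # assumed Internet-facing interface

# Dry-run backend: print one rule per line instead of loading it.
dry_run() {
    printf '%s\n' "$*"
}

# fw_rules CMD: emit every rule as "CMD add <number> ...".  CMD is
# /sbin/ipfw to load the rules, or dry_run to list them.  The dry-run
# output carries no ipfw prefix, so it is also a valid rule file for the
# firewall_type=<path> form that rc.firewall hands straight to ipfw.
fw_rules() {
    cmd="$1"
    # loopback: allow it, and refuse 127/8 on any other interface
    $cmd add 100 allow ip from any to any via lo0
    $cmd add 200 deny ip from any to 127.0.0.0/8
    $cmd add 300 deny ip from 127.0.0.0/8 to any
    # trusted LAN
    $cmd add 1000 allow ip from any to any via "$INT_IF"
    # private source addresses never arrive legitimately from the Internet
    $cmd add 1500 deny log ip from 10.0.0.0/8 to any in recv "$EXT_IF"
    $cmd add 1501 deny log ip from 172.16.0.0/12 to any in recv "$EXT_IF"
    $cmd add 1502 deny log ip from 192.168.0.0/16 to any in recv "$EXT_IF"
    # TCP connections this host initiates: the SYN may go out and
    # established traffic flows both ways, but no inbound SYN is accepted
    $cmd add 2000 allow tcp from any to any out xmit "$EXT_IF" setup
    $cmd add 2100 allow tcp from any to any via "$EXT_IF" established
    # DNS over UDP: queries out, answers back from port 53
    $cmd add 3000 allow udp from any to any 53 out xmit "$EXT_IF"
    $cmd add 3100 allow udp from any 53 to any in recv "$EXT_IF"
    # everything else is dropped and logged (only rules carrying "log"
    # ever log, even with firewall_logging="YES"); first match stops here
    $cmd add 65000 deny log ip from any to any
}

# Number of rules the script installs, for a quick sanity check.
rule_count() {
    fw_rules dry_run | wc -l | tr -d ' '
}

if [ -n "${DRY_RUN:-}" ]; then
    fw_rules dry_run
elif [ -x /sbin/ipfw ] && [ "$(id -u)" = 0 ]; then
    /sbin/ipfw -f flush
    fw_rules /sbin/ipfw
fi
```

Run `DRY_RUN=1 sh /etc/fwrules` to see exactly what would be loaded, then `sh /etc/fwrules` (or a reboot with the rc.conf lines above) to load it. The same dry-run output redirected to a file, say `DRY_RUN=1 sh /etc/fwrules > /etc/firewall/ipfw.rules`, is what the firewall_type form expects, with firewall_type="/etc/firewall/ipfw.rules" in rc.conf; in that mode rc.firewall has already flushed and added its own rules 100 and 200 before handing the file to ipfw, so those two appear twice (ipfw permits duplicate rule numbers) and can simply be left out of the file.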