From owner-freebsd-stable Thu Jun 11 14:31:23 1998
Date: Thu, 11 Jun 1998 14:25:16 -0700
From: Jeff Kletsky
To: durkin
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: rc.firewall and ipfw commands
References: <199806101505.IAA05083@cwsys.cwsent.com>

>On Wed, 10 Jun 1998, Cy Schubert - ITSD Open Systems Group wrote:
>
>> In my firewall configurations I modify rc.firewall to recognize a
>> "user" firewall type (for user defined) and specify
>> firewall_type="user" in my rc.conf. The "user" firewall type executes
>> /usr/local/etc/rc.firewall.local instead of one of the predefined
>> firewall types in rc.firewall. This may be a handy feature in the
>> stock FreeBSD rc.firewall. If anyone wishes I can submit a PR to have
>> this included in the FreeBSD distribution.
>>
>
>Actually, FreeBSD's rc.firewall already has the ability to load ipfw
>commands contained within a file. Just specify the firewall type as the
>filename which contains the commands.

Unfortunately, ipfw does not appear to allow a file of the form:

    -f flush
    add 1 count log tcp from any to any setup recv tun0 in
    .
    .
    .

to permit reliable removal of the rules introduced by rc.firewall *before*
the call for the "unknown" firewall is made:

    elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
    fi

Mr. Schubert's approach allows greater flexibility and reliability for
this critical function -- independent of changes in the distribution
version of rc.firewall.

Jeff
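The "user" firewall type Mr. Schubert describes, written out as an added POSIX sh example (not code from this thread or from FreeBSD's rc.firewall): because every rule is its own ipfw invocation rather than a line in a file handed to "ipfw <file>", the flush can run before the user's rules are added. The function names, the fallback when rc.firewall.local is absent, and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall. A "user" firewall type that
# flushes and reloads ipfw rules as separate $fwcmd calls; rule contents
# and the rc.firewall.local handling are assumed for illustration.

fwcmd="${fwcmd:-/sbin/ipfw}"                 # ipfw binary (overridable)
firewall_local="${firewall_local:-/usr/local/etc/rc.firewall.local}"

# Site rules as shell commands instead of an "ipfw <file>" rules file:
# "-f flush" is an ordinary invocation here, so nothing has to support
# it inside the file, and it always runs before the first "add".
user_firewall_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 1 count log tcp from any to any setup recv tun0 in
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 65000 deny log all from any to any
}

# Modified dispatch: "user" sources the local script (inheriting $fwcmd),
# falling back to the function above; any other readable filename is still
# fed to ipfw as a rules file, as the stock rc.firewall branch does.
load_firewall() {
    firewall_type="$1"
    case "${firewall_type}" in
    [Uu][Ss][Ee][Rr])
        if [ -r "${firewall_local}" ]; then
            . "${firewall_local}"
        else
            user_firewall_rules
        fi
        ;;
    *)
        if [ "${firewall_type}" != "UNKNOWN" ] && [ -r "${firewall_type}" ]; then
            ${fwcmd} "${firewall_type}"
        fi
        ;;
    esac
}
```

Calling `load_firewall "$firewall_type"` from rc.firewall with firewall_type="user" in rc.conf reproduces the described setup.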