Date: Thu, 11 Jun 1998 14:25:16 -0700
From: Jeff Kletsky <Jeff@Wagsky.com>
To: durkin <durkin@matter.net>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: rc.firewall and ipfw commands
Message-ID: <l03110702b1a5fa6dc4fb@[192.168.6.3]>
In-Reply-To: <Pine.BSF.3.96.980611163509.16460A-100000@gigantor.matter.net>
References: <199806101505.IAA05083@cwsys.cwsent.com>
>On Wed, 10 Jun 1998, Cy Schubert - ITSD Open Systems Group wrote:
>
>> In my firewall configurations I modify rc.firewall to recognize a
>> "user" firewall type (for user defined) and specify
>> firewall_type="user" in my rc.conf. The "user" firewall type executes
>> /usr/local/etc/rc.firewall.local instead of one of the predefined
>> firewall types in rc.firewall. This may be a handy feature in the
>> stock FreeBSD rc.firewall. If anyone wishes I can submit a PR to have
>> this included in the FreeBSD distribution.
>>
>
>Actually, FreeBSD's rc.firewall already has the ability to load ipfw
>commands contained within a file. Just specify the firewall type as the
>filename which contains the commands.
Unfortunately, ipfw does not appear to allow a file of the form:
    -f flush
    add 1 count log tcp from any to any setup recv tun0 in
    ...
to permit reliable removal of the rules introduced by rc.firewall *before*
the call for the "unknown" firewall is made:
    elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
    fi
Mr. Schubert's approach allows greater flexibility and reliability for this
critical function -- independent of changes in the distribution version of
rc.firewall.
Jeff
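Added example, not code from this thread or from FreeBSD's rc.firewall: a sketch of the firewall_type dispatch with the "user" type from the quoted message added beside the existing readable-file branch. ipfw is replaced by a stub that records the commands it would run, so the script runs offline; the rc.firewall.local path and the firewall_local override are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a sketch of the
# rc.firewall dispatch with the "user" type added. ipfw is replaced by
# fw_record, which logs the commands it would run, so this runs offline.

fwcmd="fw_record"    # stands in for /sbin/ipfw
FW_LOG=""            # ';'-separated record of every command the stub saw

fw_record() {
    FW_LOG="${FW_LOG}${FW_LOG:+;}$*"
}

# Dispatch on firewall_type (the rc.conf value). Returns 0 if rules were
# loaded, 1 if the type was unknown or its file was not readable.
load_firewall() {
    firewall_type="$1"
    FW_LOG=""
    # Prelude the stock rc.firewall runs for every type before dispatching.
    $fwcmd -f flush
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8

    case "${firewall_type}" in
    [Uu][Ss][Ee][Rr])
        # "user" type: flush the prelude rules, then source a local shell
        # script (path is an assumption, after the quoted message) that
        # calls ${fwcmd} itself.
        local_script="${firewall_local:-/usr/local/etc/rc.firewall.local}"
        [ -r "${local_script}" ] || return 1
        $fwcmd -f flush
        . "${local_script}"
        ;;
    *)
        # Existing behaviour: a readable path is handed to ipfw as a command
        # file. The prelude rules above stay in place, which is the
        # limitation the message describes.
        [ "${firewall_type}" != "UNKNOWN" ] && [ -r "${firewall_type}" ] || return 1
        $fwcmd "${firewall_type}"
        ;;
    esac
    return 0
}
```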
