From: "Mire, John"
To: FBSDQ, Anshuman Kanwar
Subject: RE: comments in firewall rules
Date: Fri, 21 Jun 2002 12:59:16 -0500
List: freebsd-questions@freebsd.org

-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Anshuman Kanwar
>Sent: Friday, June 14, 2002 4:20 PM
>To: freebsd-questions@freebsd.org
>Subject: comments in firewall rules
>
>Hi all,
>
>I have a lot of frequently changing rules in a rc.firewall.my file. After
>every update I run /etc/rc.firewall to flush out the old rules and apply
>the new ruleset through ipfw. (This works because
>firewall_type=rc.firewall.my in /etc/rc.conf).
>
>My question is this:
>
>Can I somehow put comments in the firewall rules file rc.firewall.my (so
>that I can keep track of the version and see what rule does what)?
>
>Thanks for any responses.
>-ansh.
I use RCS with $Header$ and $Log$ entries in my rules to keep track of the
commit log messages for the changes I have made; check the manual for co(1)
and see below:

# $Header: /etc/ipf.d/group.rules,v 1.5 2002/06/10 05:27:30 jmire Exp jmire $
# ============================================================
# $Log: group.rules,v $
# Revision 1.5  2002/06/10 05:27:30  jmire
# allow access to hotmail and passport services by reworking groups 200-205
# under denied WEBSITES as started in v1.3
# added rules to allow PPTP and Terminal Services pass in
# allow traffic out from the firewall machine itself in group 150 which
# solved the problem of the localmachine not able to create connections
#
# Revision 1.4  2002/04/12 05:17:34  jmire
# added rules that block incoming netbios udp traffic on
# ports 137 and 138 in group 202 rules 1 & 2
#
# Revision 1.3  2002/04/11 21:01:55  jmire
# revised all incoming and outgoing interfaces to have more than
# one group (subgroups) depending on protocol, i.e., tcp, udp, esp, etc.
# the added specificity helps in granular control, i.e., udp 138 broadcasts
# need to redo denied websites to better track which sites Microsoft is
# using for windowsupdate, etc...
#
# Revision 1.2  2002/02/11 18:43:35  jmire
# put ALL interfaces in groups including loopback (lo0)
# all general rules are now in the incoming external interface
# group (group 100)
#
# Revision 1.1  2002/02/11 16:29:07  jmire
# Initial revision
#
# ------------------------------------------------------------
# ============================================================
# Interfaces/Group Setup:
# ============================================================
# interfaces:
#   lo0  - loopback
#   xl0  - external to internet
#   xl1  - internal to 192.168.4.0/24
#   gif0 - tunnel to 192.168.1.0/24
#   gif1 - tunnel to 192.168.2.0/24
#   gif2 - tunnel to 192.168.3.0/24
# groups:
#   group 10  - incoming lo0
#   group 15  - outgoing lo0
#   group 100 - incoming xl0
#   group 150 - outgoing xl0
#   group 200 - incoming xl1
#   group 250 - outgoing xl1
#   group 500 - incoming gif0
#   group 550 - outgoing gif0
#   group 600 - incoming gif1
#   group 650 - outgoing gif1
#   group 700 - incoming gif2
#   group 750 - outgoing gif2
# ============================================================
... [snip]

--
"There is a theory which states that if ever anybody discovers exactly what
the Universe is for and why it is here, it will instantly disappear and be
replaced by something even more bizarre and inexplicable. There is another
theory which states that this has already happened."

John Mire: jmire@lsuhsc.edu
Network Administration 318-675-5434
LSU Health Sciences Center - Shreveport
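The thread's point is that a rules file can carry '#' comments and RCS keywords for version tracking. The script below is an added example (not from John Mire's mail, nor from FreeBSD's rc.firewall or ipfw) showing how to preprocess such a commented ipfw-style rules file before loading it: it strips full-line and trailing comments, recovers the revision number from the $Header$ keyword, and prints the ipfw commands that would run rather than running them. The rules file content is constructed for the example; the "ipfw " prefix in the dry run is an assumption about how the lines would be fed to the tool.

```sh
#!/bin/sh
# Added example, not part of the original mail: handle a commented,
# RCS-tagged ipfw rules file safely (dry run only; ipfw is never invoked).

# Constructed sample rules file, loosely modelled on rc.firewall.my.
RULES_FILE="${TMPDIR:-/tmp}/rc.firewall.my.example.$$"
cat > "$RULES_FILE" <<'EOF'
# $Header: /etc/rc.firewall.my,v 1.3 2002/06/14 16:20:00 ansh Exp $
# Revision 1.3: allow ssh from the internal net only
add 100 allow ip from any to any via lo0
add 200 deny ip from 192.168.4.0/24 to any in via xl0   # anti-spoof on external
add 300 allow tcp from 192.168.4.0/24 to me 22 in via xl1

add 65000 deny log ip from any to any
EOF

# strip_comments FILE: drop '#' comments (whole-line and trailing) and blank lines,
# leaving only the rule text that would actually be loaded.
strip_comments() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# rule_count FILE: number of live rules remaining after comment removal.
rule_count() {
    strip_comments "$1" | wc -l | tr -d ' '
}

# rules_version FILE: RCS revision from the $Header$ keyword line, empty if absent.
# Matches "# $Header: <path>,v <rev> ..." as expanded by co(1).
rules_version() {
    sed -n 's/^#[[:space:]]*\$Header:[^,]*,v \([0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# dry_run FILE: print the commands that would be executed (assumed "ipfw <rule>")
# so the ruleset can be reviewed before flushing the live one.
dry_run() {
    strip_comments "$1" | sed 's/^/ipfw /'
}

echo "rules file revision: $(rules_version "$RULES_FILE")"
echo "live rules: $(rule_count "$RULES_FILE")"
dry_run "$RULES_FILE"
```

Reviewing the dry-run output before running the real flush-and-reload is the practical payoff: a stray comment marker or a mis-edited line shows up here, not as a firewall with half its rules missing. The revision string lets the loaded ruleset be matched against the RCS log.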