Date:      Thu, 11 Jun 1998 17:59:34 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        durkin <durkin@matter.net>
Cc:        Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>, freebsd-stable@FreeBSD.ORG
Subject:   Re: rc.firewall and ipfw commands 
Message-ID:  <199806120100.SAA19961@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Thu, 11 Jun 1998 16:39:39 EDT." <Pine.BSF.3.96.980611163509.16460A-100000@gigantor.matter.net> 

> 
> 
> On Wed, 10 Jun 1998, Cy Schubert - ITSD Open Systems Group wrote:
> 
> > In my firewall configurations I modify rc.firewall to recognize a 
> > "user" firewall type (for user defined) and specify 
> > firewall_type="user" in my rc.conf.  The "user" firewall type executes 
> > /usr/local/etc/rc.firewall.local instead of one of the predefined 
> > firewall types in rc.firewall.  This may be a handy feature in the 
> > stock FreeBSD rc.firewall.  If anyone wishes I can submit a PR to have 
> > this included in the FreeBSD distribution.
> > 
> 
> Actually, FreeBSD's rc.firewall already has the ability to load ipfw
> commands contained within a file. Just specify the firewall type as the
> filename which contains the commands.

That is true; however, one may wish to use a shell script to dynamically 
build a firewall based on various dynamic conditions.  rc.firewall gets 
executed early enough in the boot that it may make my point moot, in 
which case rc.firewall would block everything, except DNS and NIS, then 
rc.local would open the firewall a bit, once applications are up using 
a more dynamic firewall setup script which would scan the system 
looking for ports to open up, and make the system useful again, e.g. 
open up ypserver port (which is dynamically assigned) only to NIS 
clients.

You're probably right that no change to the existing rc scripts is 
required.  I'll have to think about this a little more...


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC            
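
The second-stage script described in the message, as an added example that is not part of the original e-mail or of FreeBSD's rc scripts: it reads `rpcinfo -p` output, finds the ports ypserv registered, and prints ipfw rules that open them only to listed NIS clients. The client and server addresses, the function names and the sample `rpcinfo -p` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build ipfw rules for ypserv's dynamically assigned ports.
# NIS_CLIENTS, SERVER_IP and the sample rpcinfo output are constructed values.

NIS_CLIENTS="192.0.2.10 192.0.2.11"
SERVER_IP="192.0.2.1"
YPSERV_PROG=100004          # RPC program number registered by ypserv

# Constructed sample of `rpcinfo -p` output, so the script runs offline.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100004    2   udp    834  ypserv
    100004    1   udp    834  ypserv
    100004    2   tcp    837  ypserv
    100007    2   udp    840  ypbind
EOF
}

# Read rpcinfo -p output on stdin; print unique "proto port" pairs for ypserv.
# Anything that is not a tcp/udp row with a valid port number is ignored.
ypserv_ports() {
    awk -v prog="$YPSERV_PROG" '
        $1 == prog && $3 ~ /^(tcp|udp)$/ && $4 ~ /^[0-9]+$/ &&
        $4 >= 1 && $4 <= 65535 { print $3, $4 }' | sort -u
}

# Print (not run) one ipfw rule per client and port. Fails if ypserv is not
# registered, so the caller leaves the restrictive boot-time rules in place.
build_rules() {
    ports=$(ypserv_ports)
    [ -n "$ports" ] || { echo "ypserv not registered" >&2; return 1; }
    echo "$ports" | while read -r proto port; do
        for client in $NIS_CLIENTS; do
            echo "ipfw -q add allow $proto from $client to $SERVER_IP $port"
        done
    done
}

# In rc.local the input would be live: rpcinfo -p | build_rules | sh
sample_rpcinfo | build_rules
```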
                                       



