From owner-freebsd-doc@FreeBSD.ORG  Tue Feb  8 14:33:56 2005
Return-Path: <owner-freebsd-doc@FreeBSD.ORG>
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F2D5B16A4CF
	for <freebsd-doc@FreeBSD.org>; Tue,  8 Feb 2005 14:33:55 +0000 (GMT)
Received: from volginfo.ru (ns.volginfo.ru [217.23.84.100])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9D29D43D41
	for <freebsd-doc@FreeBSD.org>; Tue,  8 Feb 2005 14:33:53 +0000 (GMT)
	(envelope-from den@FreeBSD.org)
Received: from [192.168.1.32] (llp-13.vistcom.ru [217.23.84.68])
	by volginfo.ru (Postfix) with ESMTP id 4E88F2010
	for <freebsd-doc@FreeBSD.org>; Tue,  8 Feb 2005 17:33:50 +0300 (MSK)
Message-ID: <4208CDC5.7050207@FreeBSD.org>
Date: Tue, 08 Feb 2005 17:33:41 +0300
From: Denis Peplin <den@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041008
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: freebsd-doc@FreeBSD.org
Content-Type: multipart/mixed;
 boundary="------------050304080906030007020705"
Subject: [PATCH] firewalls - IPFILTER and symbolic substitution
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documentation project <freebsd-doc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-doc>
List-Post: <mailto:freebsd-doc@freebsd.org>
List-Help: <mailto:freebsd-doc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2005 14:33:56 -0000

This is a multi-part message in MIME format.
--------------050304080906030007020705
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hello!

Small patch to explain two ways of loading
rules - system and local startup.

Comments, suggestions?

--------------050304080906030007020705
Content-Type: text/plain;
 name="firewalls.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="firewalls.diff"

Index: firewalls/chapter.sgml
===================================================================
RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml,v
retrieving revision 1.26
diff -u -r1.26 chapter.sgml
--- firewalls/chapter.sgml	8 Feb 2005 07:47:55 -0000	1.26
+++ firewalls/chapter.sgml	8 Feb 2005 14:24:37 -0000
@@ -836,12 +836,15 @@
 ks="keep state"
 fks="flags S keep state"
 
-# You can use this same to build the /etc/ipf.rules file
-#cat &gt;&gt; /etc/ipf.rules &lt;&lt; EOF
-
-# exec ipf command and read inline data, stop reading
-# when word EOF is found. There has to be one line
-# after the EOF line to work correctly.
+# You can chose between building /etc/ipf.rules file
+# from this script or running this script "as is".
+#
+# Uncomment only one line and comment out another.
+#
+# 1) This can be used for building /etc/ipf.rules:
+#cat &gt; /etc/ipf.rules &lt;&lt; EOF
+#
+# 2) This can be used to run script "as is":
 /sbin/ipf -Fa -f - &lt;&lt; EOF
 
 # Allow out access to my ISP's Domain name server.
@@ -866,32 +869,46 @@
          </programlisting>
 
        <para>There is one problem with using a rules file with embedded
-         symbolics. IPF has no problem with it, but the rc startup
-         scripts that read <filename>rc.conf</filename> will have
-         problems.</para>
+	 symbolics.  IPF do not understand symbolic substitution, and
+	 can not read such scripts directly.</para>
 
-       <para>To get around this limitation with a rc script, remove
-         the following line from <filename>/etc/rc.conf</filename>:</para>
+      <para>This script can be used in one of two ways:</para>
 
-       <programlisting><command>ipfilter_rules=</command>
-         </programlisting>
-
-       <para>Add a script like the following to your <filename>
-         /usr/local/etc/rc.d/</filename> startup directory. The script
-         should have an obvious name like <filename>loadipfrules.sh</filename>.
-         The <filename>.sh</filename> extension is mandatory.</para>
+      <itemizedlist>
+        <listitem>
+	  <para>Uncomment line that begins from <command>cat</command>
+	    and comment out line that begins from
+	    <filename>/sbin/ipf</filename>.  Place
+	    <literal>ipfilter_enable="YES"</literal> into
+	    <filename>/etc/rc.conf</filename> as usual, and run
+	    script once after each modification to create or update
+	    <filename>/etc/ipf.rules</filename>.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Disable IPFILTER in system startup scripts by
+	    adding <literal>ipfilter_enable="NO"</literal> (this is
+	    default value) into
+	    <filename>/etc/rc.conf</filename> file.</para>
+
+	  <para>Add a script like the following to your
+	    <filename>/usr/local/etc/rc.d/</filename> startup
+	    directory.  The script should have an obvious name like
+	    <filename>ipf.loadrules.sh</filename>.
+	    The <filename>.sh</filename> extension is mandatory.</para>
 
-       <programlisting>#!/bin/sh
+	  <programlisting>#!/bin/sh
 sh /etc/ipf.rules.script</programlisting>
 
-       <para>The permissions on this script file must be read, write,
-         execute for owner <username>root</username>.</para>
-
-       <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
+	  <para>The permissions on this script file must be read, write,
+	    execute for owner <username>root</username>.</para>
 
-       <para>Now, when your system boots your IPF rules will be loaded
-         using the script.</para>
+	  <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
+	</listitem>
+      </itemizedlist>
 
+	<para>Now, when your system boots your IPF rules will be
+	  loaded.</para>
      </sect2>
 
      <sect2>

--------------050304080906030007020705--