Date: Tue, 08 Feb 2005 17:33:41 +0300 From: Denis Peplin <den@FreeBSD.org> To: freebsd-doc@FreeBSD.org Subject: [PATCH] firewalls - IPFILTER and symbolic substitution Message-ID: <4208CDC5.7050207@FreeBSD.org>
This is a multi-part message in MIME format. --------------050304080906030007020705 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Hello! Small patch to explain two ways of loading rules - system and local startup. Comments, suggestions? --------------050304080906030007020705 Content-Type: text/plain; name="firewalls.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="firewalls.diff" Index: firewalls/chapter.sgml =================================================================== RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml,v retrieving revision 1.26 diff -u -r1.26 chapter.sgml --- firewalls/chapter.sgml 8 Feb 2005 07:47:55 -0000 1.26 +++ firewalls/chapter.sgml 8 Feb 2005 14:24:37 -0000 @@ -836,12 +836,15 @@ ks="keep state" fks="flags S keep state" -# You can use this same to build the /etc/ipf.rules file -#cat >> /etc/ipf.rules << EOF - -# exec ipf command and read inline data, stop reading -# when word EOF is found. There has to be one line -# after the EOF line to work correctly. +# You can chose between building /etc/ipf.rules file +# from this script or running this script "as is". +# +# Uncomment only one line and comment out another. +# +# 1) This can be used for building /etc/ipf.rules: +#cat > /etc/ipf.rules << EOF +# +# 2) This can be used to run script "as is": /sbin/ipf -Fa -f - << EOF # Allow out access to my ISP's Domain name server. 
@@ -866,32 +869,46 @@ </programlisting> <para>There is one problem with using a rules file with embedded - symbolics. IPF has no problem with it, but the rc startup - scripts that read <filename>rc.conf</filename> will have - problems.</para> + symbolics. IPF do not understand symbolic substitution, and + can not read such scripts directly.</para> - <para>To get around this limitation with a rc script, remove - the following line from <filename>/etc/rc.conf</filename>:</para> + <para>This script can be used in one of two ways:</para> - <programlisting><command>ipfilter_rules=</command> - </programlisting> - - <para>Add a script like the following to your <filename> - /usr/local/etc/rc.d/</filename> startup directory. The script - should have an obvious name like <filename>loadipfrules.sh</filename>. - The <filename>.sh</filename> extension is mandatory.</para> + <itemizedlist> + <listitem> + <para>Uncomment line that begins from <command>cat</command> + and comment out line that begins from + <filename>/sbin/ipf</filename>. Place + <literal>ipfilter_enable="YES"</literal> into + <filename>/etc/rc.conf</filename> as usual, and run + script once after each modification to create or update + <filename>/etc/ipf.rules</filename>.</para> + </listitem> + + <listitem> + <para>Disable IPFILTER in system startup scripts by + adding <literal>ipfilter_enable="NO"</literal> (this is + default value) into + <filename>/etc/rc.conf</filename> file.</para> + + <para>Add a script like the following to your + <filename>/usr/local/etc/rc.d/</filename> startup + directory. The script should have an obvious name like + <filename>ipf.loadrules.sh</filename>. 
+ The <filename>.sh</filename> extension is mandatory.</para> - <programlisting>#!/bin/sh + <programlisting>#!/bin/sh sh /etc/ipf.rules.script</programlisting> - <para>The permissions on this script file must be read, write, - execute for owner <username>root</username>.</para> - - <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting> + <para>The permissions on this script file must be read, write, + execute for owner <username>root</username>.</para> - <para>Now, when your system boots your IPF rules will be loaded - using the script.</para> + <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting> + </listitem> + </itemizedlist> + <para>Now, when your system boots your IPF rules will be + loaded.</para> </sect2> <sect2> --------------050304080906030007020705--
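Review bot: two wording slips in the new comment block of the ipf.rules.script excerpt (hunk @@ -836): `# You can chose between building /etc/ipf.rules file` should read "choose", and `# Uncomment only one line and comment out another.` should read "comment out the other". Changing `cat >> /etc/ipf.rules << EOF` to `cat > /etc/ipf.rules << EOF` is correct, since with `>>` every re-run of the script would append a second copy of the whole rule set, but that is worth a word in the comment so readers who re-run the script after editing understand that the file is overwritten, not extended. The removed sentence about needing one line after the EOF terminator was the only warning about heredoc termination in the file; if it is still needed for the `/sbin/ipf -Fa -f - << EOF` form, which is now the active line, keep it rather than drop it.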
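Review bot: in hunk @@ -866 the second option silently drops two things the replaced rc.d/ipfilter path provided. With `ipfilter_enable="NO"` the base rc script does nothing, and the local script only runs `sh /etc/ipf.rules.script`, which loads rules with `/sbin/ipf -Fa -f -`; the text should state that this relies on IPFILTER being compiled into the kernel (or the module loaded by other means), and that a script in `/usr/local/etc/rc.d/` runs late in boot, after interfaces are up and network daemons are started, so the host is unfiltered for that window. Option 1 (`ipfilter_enable="YES"` with a generated `/etc/ipf.rules`) has neither problem and should be presented as the recommended one. Grammar: `IPF do not understand symbolic substitution, and can not read such scripts directly` should read "IPF does not understand symbolic substitution and cannot read such a script directly"; `Uncomment line that begins from <command>cat</command> and comment out line that begins from` should read "Uncomment the line that begins with ... and comment out the line that begins with". Renaming the example to `ipf.loadrules.sh` so it matches the existing `chmod 700` line is a good fix.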