Date:      Tue, 08 Feb 2005 17:33:41 +0300
From:      Denis Peplin <den@FreeBSD.org>
To:        freebsd-doc@FreeBSD.org
Subject:   [PATCH] firewalls - IPFILTER and symbolic substitution
Message-ID:  <4208CDC5.7050207@FreeBSD.org>


Hello!

Small patch to explain two ways of loading
rules - system and local startup.

Comments, suggestions?


Index: firewalls/chapter.sgml
===================================================================
RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml,v
retrieving revision 1.26
diff -u -r1.26 chapter.sgml
--- firewalls/chapter.sgml	8 Feb 2005 07:47:55 -0000	1.26
+++ firewalls/chapter.sgml	8 Feb 2005 14:24:37 -0000
@@ -836,12 +836,15 @@
 ks="keep state"
 fks="flags S keep state"
 
-# You can use this same to build the /etc/ipf.rules file
-#cat &gt;&gt; /etc/ipf.rules &lt;&lt; EOF
-
-# exec ipf command and read inline data, stop reading
-# when word EOF is found. There has to be one line
-# after the EOF line to work correctly.
+# You can chose between building /etc/ipf.rules file
+# from this script or running this script "as is".
+#
+# Uncomment only one line and comment out another.
+#
+# 1) This can be used for building /etc/ipf.rules:
+#cat &gt; /etc/ipf.rules &lt;&lt; EOF
+#
+# 2) This can be used to run script "as is":
 /sbin/ipf -Fa -f - &lt;&lt; EOF
 
 # Allow out access to my ISP's Domain name server.
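Review bot: the new comment block drops the caveat that the removed lines carried (`# when word EOF is found. There has to be one line` / `# after the EOF line to work correctly.`) without replacing it, yet it applies to the new `#cat > /etc/ipf.rules << EOF` variant just as much as to the `/sbin/ipf -Fa -f - << EOF` one, so it should be kept in the new text. Two wording fixes in the same block: "You can chose between" should be "You can choose between", and "comment out another" should read "comment out the other". Since option 1 now writes the rules file with `cat >`, a short note telling the reader to check the resulting permissions of /etc/ipf.rules (it is created with the invoking user's umask) would also be useful.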
@@ -866,32 +869,46 @@
          </programlisting>
 
        <para>There is one problem with using a rules file with embedded
-         symbolics. IPF has no problem with it, but the rc startup
-         scripts that read <filename>rc.conf</filename> will have
-         problems.</para>
+	 symbolics.  IPF do not understand symbolic substitution, and
+	 can not read such scripts directly.</para>
 
-       <para>To get around this limitation with a rc script, remove
-         the following line from <filename>/etc/rc.conf</filename>:</para>
+      <para>This script can be used in one of two ways:</para>
 
-       <programlisting><command>ipfilter_rules=</command>
-         </programlisting>
-
-       <para>Add a script like the following to your <filename>
-         /usr/local/etc/rc.d/</filename> startup directory. The script
-         should have an obvious name like <filename>loadipfrules.sh</filename>.
-         The <filename>.sh</filename> extension is mandatory.</para>
+      <itemizedlist>
+        <listitem>
+	  <para>Uncomment line that begins from <command>cat</command>
+	    and comment out line that begins from
+	    <filename>/sbin/ipf</filename>.  Place
+	    <literal>ipfilter_enable="YES"</literal> into
+	    <filename>/etc/rc.conf</filename> as usual, and run
+	    script once after each modification to create or update
+	    <filename>/etc/ipf.rules</filename>.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Disable IPFILTER in system startup scripts by
+	    adding <literal>ipfilter_enable="NO"</literal> (this is
+	    default value) into
+	    <filename>/etc/rc.conf</filename> file.</para>
+
+	  <para>Add a script like the following to your
+	    <filename>/usr/local/etc/rc.d/</filename> startup
+	    directory.  The script should have an obvious name like
+	    <filename>ipf.loadrules.sh</filename>.
+	    The <filename>.sh</filename> extension is mandatory.</para>
 
-       <programlisting>#!/bin/sh
+	  <programlisting>#!/bin/sh
 sh /etc/ipf.rules.script</programlisting>
 
-       <para>The permissions on this script file must be read, write,
-         execute for owner <username>root</username>.</para>
-
-       <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
+	  <para>The permissions on this script file must be read, write,
+	    execute for owner <username>root</username>.</para>
 
-       <para>Now, when your system boots your IPF rules will be loaded
-         using the script.</para>
+	  <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
+	</listitem>
+      </itemizedlist>
 
+	<para>Now, when your system boots your IPF rules will be
+	  loaded.</para>
      </sect2>
 
      <sect2>
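Review bot: the second list item disables rc.d/ipfilter entirely (`ipfilter_enable="NO"`) and replaces it with a local rc.d script that only runs `sh /etc/ipf.rules.script`, but the text does not say what else the system script normally took care of that now falls to the reader (for instance loading the filter kernel module, or confirming IPFILTER is compiled into the kernel), nor that scripts in /usr/local/etc/rc.d run late in the boot sequence, after the network and other services are already up, so there is an unfiltered window at boot; a sentence covering both would let the reader make an informed choice between the two options. Grammar in the same hunk: "IPF do not understand symbolic substitution, and can not read such scripts directly" should be "IPF does not understand symbolic substitution, and cannot read such scripts directly", "Uncomment line that begins from <command>cat</command> and comment out line that begins from" should be "Uncomment the line that begins with ... and comment out the line that begins with", and "(this is default value)" should be "(this is the default value)". The new lines also mix tab and space indentation where the surrounding SGML uses spaces.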
