From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Date: Sun, 25 Feb 2001 15:47:36 +0100
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010225154736.O20830@speedy.gsinet>
In-Reply-To: <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>; from marcr@closed-networks.com on Sun, Feb 25, 2001 at 12:13:18PM +0000
References: <200102202005.f1KK5kv83619@medusa.kfu.com> <3A93A9CC.BC1D39FB@algroup.co.uk> <3A93C2FB.3E160997@ocsinternet.com> <3A94AE05.965BC5E4@gorean.org> <3A9526AA.19D00D47@ocsinternet.com> <3A954152.C7887C3@gor.com> <3A97A4E6.C53ECF27@algroup.co.uk> <3A982224.893F76AF@gorean.org> <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>
Organization: System Defenestrators Inc.

On Sun, Feb 25, 2001 at 12:13 +0000, Marc Rogers wrote:
>
> I would like to see configuration code for ipfw AND ipfilter
> placed into rc.conf (and thus ipnat as well as natd). Anyway I
> won't hold my breath for a commit.

Excuse me. What exactly do you mean by these words? What's
missing? ipfw has been enabled from there and has gotten its
parameters from there for quite some time; ipf got its hooks
before 4.2-RELEASE.
Plus, all this only moved to an early stage in the boot process
what you could accomplish by means of /usr/local/etc/rc.d/ipf.sh
before.

----- from cvs log etc/rc.network -------------------------------
revision 1.74.2.10
date: 2000/11/11 20:33:39;  author: jkh;  state: Exp;  lines: +32 -1
MFC: This brings support for IP Filter into rc.network and rc.conf
with the appropriate documentation added to rc.conf(5).  This has
been tested in -current since Oct 6th.
-----------------------------------------------------------------

If you need some more fine-grained control than "enable it, there
are the ruleset files" you might want to look at the preprocessor
hook I added to ipf (PR bin/21989). When searching for it, consider
its state -- it's closed. Darren strongly feels that it's not a task
his userland interface to the kernel rules table (ipf(8)) has to
care about and that these results can always be gained by changing
the program's invocation. So this patch will never make it into
ipfilter itself. Although you've been free since 4.2 to specify a
different $ipfilter_program, which could be a script sourcing
rc.conf again. This enables you to do some rc.firewall-like things,
piping half a thousand echo commands with variable substitutions
into "ipf -f -".

What is it that you cannot achieve with all the knobs you are
provided with?


virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
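The $ipfilter_program trick described in the message above, as an added example that is not part of the original post nor of FreeBSD's own rc scripts: a small sh script that could be named as ipfilter_program, regenerates an IP Filter ruleset from rc.conf-style variables, and pipes the result into "ipf -f -". The variable names ext_if, int_if, int_net and allow_tcp_ports are hypothetical stand-ins for whatever you would put in rc.conf; they are not FreeBSD knobs. The ipf_cmd override and the print/load subcommands are likewise assumptions made for this example.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc.network): generate an ipf ruleset from
# shell variables and feed it to ipf on stdin, the way the mail describes.
#
# A real deployment would source the system configuration first, e.g.:
#     . /etc/rc.conf
# The variables below are hypothetical rc.conf knobs with fallback defaults.
ext_if="${ext_if:-fxp0}"                    # outside interface
int_if="${int_if:-xl0}"                     # inside interface
int_net="${int_net:-192.168.1.0/24}"        # inside network
allow_tcp_ports="${allow_tcp_ports:-22 25 80}"  # services reachable from outside

# Emit the ruleset on stdout, one echo per rule, with variables substituted.
# Keeping generation separate from loading lets you inspect the text that
# ipf will actually parse before it touches the kernel rules table.
build_ruleset() {
    # loopback is always fine
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    # anti-spoofing: nothing claiming to be inside or loopback may arrive outside
    echo "block in quick on $ext_if from $int_net to any"
    echo "block in quick on $ext_if from 127.0.0.0/8 to any"
    # one stateful rule per published TCP port (the "half a thousand echoes" loop)
    for p in $allow_tcp_ports; do
        echo "pass in quick on $ext_if proto tcp from any to any port = $p flags S keep state"
    done
    # connections initiated by this box or the LAN; state takes care of replies
    echo "pass out quick on $ext_if proto tcp/udp from any to any keep state"
    echo "pass out quick on $ext_if proto icmp from any to any keep state"
    echo "pass in quick on $int_if all"
    echo "pass out quick on $int_if all"
    # default deny, logged, so a typo in a variable above shows up in ipmon
    echo "block in log all"
    echo "block out log all"
}

# Number of rules that would be loaded; handy as a sanity check in rc.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Flush every active rule (-Fa) and read the fresh set from stdin (-f -).
# ipf_cmd is an assumed override so the script can be pointed at /sbin/ipf.
load_ruleset() {
    build_ruleset | ${ipf_cmd:-ipf} -Fa -f -
}

case "${1:-print}" in
    load) load_ruleset ;;
    *)    build_ruleset ;;
esac
```

Run it with no argument (or "print") to see the exact text ipf would be given and diff it against the running set; only then point ipfilter_program at it or call it with "load". The default-deny rules at the end are what keep a mis-substituted variable from turning into an open filter rather than a closed one.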