Date:      29 Mar 2001 11:23:19 -0500
From:      Lowell Gilbert <lowell@world.std.com>
To:        freebsd-questions@freebsd.org, bojar@intersys.com
Subject:   Re: rc.firewall vs. ipfw
Message-ID:  <443dbwh7d4.fsf@lowellg.ne.mediaone.net>
In-Reply-To: bojar@intersys.com's message of "29 Mar 2001 18:00:16 +0200"
References:  <01Mar29.110404est.115354@gateway.intersys.com>

bojar@intersys.com (E. Jordan Bojar) writes:

> OK, last stupid question of the week, I hope.  I'm setting up a single box
> on a hosting rack I don't own, and I want to lock it down best I can.  I
> just want to let SSH, HTTP, and SMTP in for now.
> 
> I understand how to do it with ipfw, but I assume those settings are lost in
> the case of accidental reboot, right?  If so, is the syntax for editing
> rc.firewall any different than ipfw?

No.  rc.firewall is just a script to collect the commands for setting
up the firewall.  All of the commands it issues, regardless of how you
configure it, are invocations of ipfw(8) anyway.

> The "client" vs "simple" distinction also confuses me a tad, as I'm neither
> protecting a network behind me nor do I have a network I trust in front, so
> neither of these prebuilts really work for me.  Can I just have rc.firewall
> reference another file with ipfw rules, or replace it altogether with this?

There are several ways to do this.  I recommend that you leave
rc.firewall unchanged, and replace it altogether.  On my system, I do
this by putting my own firewall script (an edited version of
rc.firewall) in rc.firewall.local, and I specify mine to be loaded
and executed by the following section in rc.conf:
 # Firewall
 firewall_enable="YES"		# Set to YES to enable firewall functionality
 firewall_script="/etc/rc.firewall.local" # Which script to run to set up the firewall
 firewall_type="local"		# Firewall type (see /etc/rc.firewall)
 #firewall_type="new"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display


Good luck.

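A worked version of what the reply describes, added here as an example and not the script from the original post: a self-contained /etc/rc.firewall.local (the path is the one named in the rc.conf fragment above) that admits only SSH, HTTP and SMTP inbound, as the question asks, and ends in an explicit deny so the rule set does not depend on the kernel's default rule. The rule numbers, the FWCMD override, the outbound allow rules and the sanity-check helpers are my choices, not anything from the thread.

```sh
#!/bin/sh
# /etc/rc.firewall.local -- assumed filename, taken from the firewall_script
# line in the rc.conf fragment quoted in the reply.  Added example, not the
# poster's own script.  Loaded by /etc/rc.network when firewall_enable="YES".

# Path to ipfw(8).  FWCMD is an assumed override hook so the rule set can be
# reviewed or tested on a machine that has no ipfw at all.
fwcmd="${FWCMD:-/sbin/ipfw}"

# Emit one ipfw(8) argument list per line, in the order they are to be added.
# Rule numbers are arbitrary but increasing; 65000 leaves room before the
# kernel's built-in rule 65535.
rules() {
    cat <<'EOF'
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from any to me 22 in setup keep-state
add 510 allow tcp from any to me 80 in setup keep-state
add 520 allow tcp from any to me 25 in setup keep-state
add 600 allow tcp from me to any out setup keep-state
add 610 allow udp from me to any 53 out keep-state
add 700 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Feed every line to ipfw.  The -q flag keeps the boot output quiet; the
# unquoted $line is intentional so the arguments are split into words.
apply_rules() {
    rules | while read -r line; do
        "$fwcmd" -q $line || exit 1
    done
}

# Sanity checks worth running before pointing firewall_script at this file.
# A rule set that does not end in deny is "default allow" if the kernel was
# built with IPFIREWALL_DEFAULT_TO_ACCEPT.
last_rule_is_deny() {
    rules | tail -n 1 | grep -q '^add [0-9]* deny '
}

# Number of rules that will be added (the flush line is not a rule).
count_rules() {
    rules | grep -c '^add '
}

# The TCP ports this set permits inbound, in rule order, e.g. "22 80 25".
allowed_in_ports() {
    rules | sed -n 's/^add [0-9]* allow tcp from any to me \([0-9]*\) in .*/\1/p' | xargs
}

# Only load rules when we are root on a box that actually has ipfw;
# otherwise just print the set so it can be reviewed.
if [ -x "$fwcmd" ] && [ "$(id -u)" = 0 ]; then
    last_rule_is_deny || { echo "refusing to load: rule set does not end in deny" >&2; exit 1; }
    apply_rules
else
    rules
fi
```

Run as root on a host with /sbin/ipfw it loads the rules; anywhere else it only prints them, which is a cheap way to check the set before enabling it in rc.conf. Because the script refuses to load a set whose last rule is not a deny, an editing slip that drops the final rule fails loudly at boot instead of silently opening the box.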