Date: Thu, 6 Mar 2003 00:36:44 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Brian Henning <b1henning@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: firewall revisited
Message-ID: <20030305223644.GA29314@gothmog.gr>
In-Reply-To: <OE14i67EKRuYDlrjbud000010a0@hotmail.com>
References: <OE14i67EKRuYDlrjbud000010a0@hotmail.com>
On 2003-03-05 09:32, Brian Henning <b1henning@hotmail.com> wrote:
> Hello-
> currently my rc.conf is set up like this for my gateway router.
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="rl1"   # natd -interface rl1, public interface
> natd_flags=""          # sysctl net.inet.ip.forwarding=1
>
> how can i have the script /etc/ipfw.rules run instead of
> /etc/rc.firewall. can i change
> firewall_type="OPEN" to firewall_type="" and create the entry
> firewall_script="/etc/ipfw.rules"?

Why are you confused?

That depends on what you're trying to do and what the contents of
/etc/ipfw.rules are.  There are currently the following ways to set up
a completely custom set of firewall rules:

1. Rewrite /etc/rc.firewall

   This can easily be done, if you replace /etc/rc.firewall with your
   custom script.  This isn't recommended though, since you'd have to
   carefully track all changes to the official version of the
   rc.firewall script and merge any interesting stuff back to your
   version of the script.

2. Add a new firewall "type" to rc.firewall

   Copying one of the existing firewall types you can easily add a new
   one, and make sure that it loads all (and only) the ipfw(8) rules
   that you want.  This can be difficult to keep up to date after
   changes to the rc.firewall script, but not as difficult to keep up
   to date as option #1.

3. Write your own version of a firewall script

   Copy `rc.firewall' to a new script (i.e., `rc.firewall.local') and
   make your changes to the new script.  Then set firewall_script to
   point to the new script in `/etc/rc.conf'.  For example:

   % cat /etc/rc.firewall.local
   fwcmd="/sbin/ipfw"
   ${fwcmd} -q flush
   ${fwcmd} add 1 pass ip from any to any
   % grep firewall_script /etc/rc.conf
   firewall_script="/etc/rc.firewall.local"

   This is a fairly nice way of doing things, but it doesn't work
   correctly if you want to tweak the way ipfw(8) is called by setting
   things like firewall_quiet="YES" in your `rc.conf' file.  Mostly
   because the logic for all those firewall_xxx options is implemented
   as part of the existing `rc.firewall' script.

4. Create a ruleset file, and point rc.firewall to it

   You can always write your own set of firewall rules, without a
   ${fwcmd} prefix, and save it to a file, i.e. `/etc/ipfw.rules'.
   This is a plain text file that contains *only* firewall rules.  No
   shell commands.  You can use `#' for comments (as shown in the
   sample file below):

   % cat /etc/ipfw.rules
   flush
   add allow ip from any to any

   Then you just need to make sure that your `rc.conf' contains the
   following two lines:

   firewall_enable="YES"
   firewall_type="/etc/ipfw.rules"

   The firewall_type value is the *FULL* path to the ruleset file.  It
   is important to include the leading `/' character.  This way,
   ipfw(8) will know that this is the path of a rule file and not the
   name of a command (like `add' in `ipfw add ...').

   This is the way I usually prefer setting ipfw(8) up.  For various
   reasons.  One of them is that my firewall rules are not lost in
   between the lines of some shell script that I don't remember I have
   edited.  Another reason is that having made no changes to the
   original `rc.firewall' script, there is no need to take care of
   merging changes later with mergemaster(8).

Phew.  This was long.

- Giorgos
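As an added example (not code from the thread or from FreeBSD's rc.firewall), here is what a complete `firewall_script` for the gateway in Brian's rc.conf can look like, replacing the wide-open `allow ip from any to any` with a default-deny ruleset for a natd gateway. It assumes rl1 is the public interface (from his `natd_interface`), an assumed inside interface rl0 with an assumed 192.168.1.0/24 network behind it, natd(8) running on the standard `natd` divert port, and FreeBSD 4.x/5.x ipfw(8) keywords. It also handles the `firewall_quiet` caveat from option 3 itself, since a custom script gets none of rc.firewall's option logic:

```shell
#!/bin/sh
# /etc/rc.firewall.local: a firewall_script for the natd gateway discussed
# in this thread.  Added example, not the thread's or FreeBSD's own code.
#
# Assumptions: rl1 is the public interface (natd_interface in rc.conf);
# rl0 and 192.168.1.0/24 are an assumed inside interface and network;
# natd(8) listens on the "natd" divert port; ipfw(8) keywords are the
# FreeBSD 4.x/5.x ones.

oif="rl1"               # public interface
iif="rl0"               # assumed inside interface
inet="192.168.1.0/24"   # assumed inside network

# rc.firewall turns firewall_quiet="YES" into "ipfw -q"; a custom
# firewall_script gets no such help, so map the rc.conf value here.
fw_quiet_flag() {
	case "$1" in
	[Yy][Ee][Ss]) printf '%s' '-q' ;;
	*) printf '' ;;
	esac
}

# Print the ruleset in ipfw rules-file form (comment lines allowed),
# one rule per line, in the order packets hit it.  Default policy is
# deny; the rule numbers leave room for local additions.
fw_rules() {
cat <<EOF
flush
# loopback stays local
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# inside addresses never arrive on the public side (anti-spoofing)
add 400 deny ip from ${inet} to any in via ${oif}
# translate both directions on the public interface (natd must be running)
add 500 divert natd ip from any to any via ${oif}
# the inside interface is trusted
add 600 allow ip from any to any via ${iif}
# replies to established TCP sessions, and fragments
add 700 allow tcp from any to any established
add 800 allow ip from any to any frag
# inbound: only ssh to the gateway itself; log every other SYN
add 900 allow tcp from any to me 22 in via ${oif} setup
add 1000 deny log tcp from any to any in via ${oif} setup
# outbound TCP connections, DNS and NTP both ways, useful ICMP
add 1100 allow tcp from any to any out via ${oif} setup
add 1200 allow udp from any to any 53 out via ${oif}
add 1300 allow udp from any 53 to any in via ${oif}
add 1400 allow udp from any to any 123 out via ${oif}
add 1500 allow udp from any 123 to any in via ${oif}
add 1600 allow icmp from any to any icmptypes 0,3,8,11
# everything else is dropped and logged
add 65000 deny log ip from any to any
EOF
}

# Feed the ruleset to the given ipfw command, one invocation per rule,
# skipping blank and comment lines.  -f suppresses the flush prompt.
# "fw_load echo" is a dry run that prints what would be executed.
fw_load() {
	while IFS= read -r rule; do
		case "$rule" in
		''|'#'*) continue ;;
		esac
		$1 -f $rule || return 1
	done <<EOF
$(fw_rules)
EOF
}

# Only wire this up on a host that actually has ipfw(8).
if [ -x /sbin/ipfw ]; then
	[ -r /etc/rc.conf ] && . /etc/rc.conf
	fw_load "/sbin/ipfw $(fw_quiet_flag "${firewall_quiet}")"
fi
```

Run `fw_load echo` (after sourcing the script) to see the exact ipfw(8) invocations before pointing `firewall_script` at it. Because `fw_rules` prints plain rules-file syntax, its output can equally be saved as `/etc/ipfw.rules` and loaded with `firewall_type="/etc/ipfw.rules"` as in option 4 above. The rules are deliberately stateless: a `keep-state` entry is keyed on the addresses ipfw sees when the rule fires, and with a single `divert natd` rule those differ between the outbound and inbound passes, so mixing `keep-state` with natd needs a more careful rule order than this; the price is that rule 700 admits any TCP segment with ACK set, the usual weakness of `established` matching.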