From owner-freebsd-questions@FreeBSD.ORG Wed Nov 26 15:14:01 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 90F9016A4CE for ; Wed, 26 Nov 2003 15:14:01 -0800 (PST)
Received: from munk.nu (mail.munk.nu [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B9C243FE9 for ; Wed, 26 Nov 2003 15:14:00 -0800 (PST) (envelope-from munk@munk.nu)
Received: from munk by munk.nu with local (Exim 4.24; FreeBSD) id 1AP8rA-000Abh-7Y for freebsd-questions@freebsd.org; Wed, 26 Nov 2003 23:14:00 +0000
Date: Wed, 26 Nov 2003 23:14:00 +0000
From: Jez Hancock
To: "freebsd-questions@FreeBSD. ORG"
Message-ID: <20031126231400.GD37786@users.munk.nu>
Mail-Followup-To: "freebsd-questions@FreeBSD. ORG"
References: <008001c3b44c$cfaf6b40$f4f0a8c0@pcmedx.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4.1i
Sender: User Munk
Subject: Re: IPFILTER rules with shell symbloic substitution
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Nov 2003 23:14:01 -0000

On Wed, Nov 26, 2003 at 02:59:00PM -0500, fbsd_user wrote:
> Ipf.test rules file
> #!/bin/sh
> nic="l0"
> /sbin/ipf -Fa -f - <<EOF
> pass in on $nic all
> pass out on $nic all
> pass in all
> pass out all
> EOF
>
> Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
> statement.
The ipfilter_rules variable should contain the name of a file that
contains rules _only_ - shell variables don't get read because of the
way /etc/rc.network loads the rules:

    if [ -r "${ipfilter_rules}" ]; then
        ${ipfilter_program:-/sbin/ipf} \
            -f "${ipfilter_rules}" \
            ${ipfilter_flags}
    fi

i.e. essentially the command executed is:

    /sbin/ipf -f $ipfilter_rules

so something like:

    pass in on 1.2.3.4 all
    pass out on 1.2.3.4 all
    pass in all
    pass out all

is fine, but:

    pass in on $nic all
    pass out on $nic all
    pass in all
    pass out all

won't work unfortunately.

Given your shell script above though I'd be tempted to load the ruleset
before anything else in /usr/local/etc/rc.d (by giving it a filename of
.000.ipfilter.sh to ensure it's run before the other scripts in
/usr/local/etc/rc.d).

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
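An added example to go with the reply above; it is not code from the thread or from FreeBSD. It shows the distinction Jez draws: rc.network hands the ipfilter_rules file straight to "ipf -f", so that file must be literal rule text, while a script of your own in /usr/local/etc/rc.d can expand the shell variables itself, write a rules-only file, check it, and only then load it. The interface name "fxp0", the IPF override variable and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread above. rc.network passes the
# ipfilter_rules file straight to "ipf -f", so a rules file must be
# literal text. A startup script can do the expansion itself, write a
# rules-only file, check it, and then load it. "fxp0" is an assumed
# interface name; the IPF variable and temp paths are assumptions too.

nic="fxp0"   # assumed interface name; replace with your own

# Expand shell variables into a plain rules file. This is the step
# /etc/rc.network does not perform for ipfilter_rules.
write_rules() {
    cat > "$1" <<EOF
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF
}

# Return 0 if the file contains no unexpanded shell variables ("$name").
# ipf rejects such a line with a parse error, and a parse error at boot
# means the ruleset is skipped, leaving the host without a firewall.
rules_are_literal() {
    ! grep -q '\$' "$1"
}

# Number of non-blank rule lines, so a caller can confirm the file is not
# empty before loading it.
rule_count() {
    grep -c '[^[:space:]]' "$1"
}

# Flush and load the file, but only after the checks above pass.
# IPF can be overridden so the example runs where /sbin/ipf is absent.
load_rules() {
    rules_are_literal "$1" || { echo "unexpanded variable in $1" >&2; return 1; }
    [ "$(rule_count "$1")" -gt 0 ] || { echo "no rules in $1" >&2; return 1; }
    "${IPF:-/sbin/ipf}" -Fa -f "$1"
}

# Stand-alone demonstration: write, check, report, clean up.
demo() {
    f=$(mktemp) || return 1
    write_rules "$f"
    if rules_are_literal "$f"; then
        echo "$f: $(rule_count "$f") literal rules, safe to load"
    else
        echo "$f: contains unexpanded variables, would not load" >&2
    fi
    rm -f "$f"
}

demo
```

Installed as /usr/local/etc/rc.d/000.ipfilter.sh (the ordering trick from the reply), the script would call write_rules on a file under /etc and then load_rules on it, while rc.conf's ipfilter_rules is left pointing at that generated, variable-free file. The check before loading matters because the failure mode is silent fail-open: a rules file that ipf cannot parse loads nothing.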