Date: Thu, 13 Apr 2000 00:21:52 -0400 (EDT)
From: Brian Dean <brdean@unx.sas.com>
To: freebsd-ipfw@freebsd.org
Subject: local firewall rules
Message-ID: <200004130421.AAA77112@dean.pc.sas.com>
Hi,

I just got my cable modem and decided to tighten things up a bit with a firewall. My firewall/gateway also runs NAT so that my several internal hosts can share this wonderful little pipe. Well, "firewall_type=simple" is not sufficient for this to work (because of NAT), so I started with the 'simple' rules and modified them so that my internal LAN works the way it should.

The only problem is that my outside interface gets its address via DHCP, so I can't hardcode it into the firewall rules. Thus, I put my rules into a shell script called 'rc.firewall.local' where I can determine what the interface IP address is at boot time, then set firewall_type=/etc/rc.firewall.local. Then I made the following modification to /etc/rc.firewall:

--- /etc/rc.firewall Fri Feb 11 20:14:43 2000 +++ ./rc.firewall Mon Apr 10 20:59:06 2000 @@ -228,7 +228,9 @@ [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *) - if [ -r "${firewall_type}" ]; then + if [ -x "${firewall_type}" ]; then + ${firewall_type} + elif [ -r "${firewall_type}" ]; then ${fwcmd} ${firewall_flags} ${firewall_type} fi ;;

This checks to see if the rule file is executable first, and if so, executes it; otherwise it works like before, and feeds it into the 'ipfw' program. This change allows you to run a program that sets up your firewall rules, instead of forcing it to be an 'ipfw' rule file with hardcoded values.

If nobody minds, I'd like to commit this change. However, if there's another "proper" way that I should have done this, please let me know. I don't think putting these in /usr/local/etc/rc.d is sufficient, since that's the very last thing to run, and thus there is a window where traffic that you would normally block would be free to pass through the firewall.

Thanks,
-Brian
--
Brian Dean bsd@FreeBSD.ORG
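Review bot: the new `-x` branch runs `${firewall_type}` bare, so `${fwcmd}` and `${firewall_flags}`, which the unchanged `-r` branch still passes to ipfw, never reach the script; it has to hardcode the ipfw path and any flags itself, and a later change to firewall_flags in rc.conf silently stops applying to it. Sourcing the file instead (`. "${firewall_type}"`) would let it inherit both variables, or they could be passed as arguments. A second point: because `-x` is tested before `-r`, an ordinary ipfw rule file that happens to carry an execute bit is now run by the shell, as root, instead of being fed to ipfw, and fails with unrelated-looking errors; either document that the execute bit selects the behaviour or gate the new branch on a separate rc.conf knob so the mode bit alone cannot flip it.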
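An added example, not from Brian's post, of what such an rc.firewall.local can look like: it reads the DHCP-assigned address out of ifconfig output at boot and emits the NAT-aware core of a ruleset, with the anti-spoofing checks placed so that untranslated LAN packets are not dropped before natd sees them. Assumed: the outside interface is `ed0` with address discovered at runtime, the inside interface is `fxp0` serving `192.168.1.0/24`, NAT is natd on a divert socket, and `fwcmd` is `ipfw` (set `fwcmd="echo ipfw"` to dry-run); the ifconfig text is constructed and the rule numbers are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: oif/iif are the
# outside/inside interfaces, inet the inside network, fwcmd is "ipfw" (set
# fwcmd="echo ipfw" for a dry run), NAT is natd on a divert socket. The
# per-service rules of the 'simple' set are left out; rule numbers are illustrative.

# Print the first IPv4 address in ifconfig-style output read from stdin.
outside_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Emit the NAT-aware core of a ruleset: outside interface $1 holding address $2,
# inside interface $3 serving network $4 (CIDR). Every rule goes through $fwcmd.
build_rules() {
    oif=$1; oip=$2; iif=$3; inet=$4
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    # Anti-spoofing, inbound only: private sources, our own address, or a LAN
    # destination must never arrive untranslated from outside. Matching only
    # "in" leaves outbound LAN packets alone so natd can still rewrite them.
    ${fwcmd} add 300 deny all from 10.0.0.0/8 to any in via "${oif}"
    ${fwcmd} add 301 deny all from 172.16.0.0/12 to any in via "${oif}"
    ${fwcmd} add 302 deny all from 192.168.0.0/16 to any in via "${oif}"
    ${fwcmd} add 310 deny all from "${oip}" to any in via "${oif}"
    ${fwcmd} add 320 deny all from any to "${inet}" in via "${oif}"
    # Translate before any address-specific checks below.
    ${fwcmd} add 400 divert natd all from any to any via "${oif}"
    # Only packets natd mapped back to a LAN host reach here with a private
    # destination; rule 320 already rejected untranslated ones.
    ${fwcmd} add 450 pass all from any to "${inet}" in via "${oif}"
    ${fwcmd} add 500 pass all from any to any via "${iif}"
    ${fwcmd} add 600 pass tcp from any to any established
    ${fwcmd} add 610 pass tcp from any to any out via "${oif}" setup
    ${fwcmd} add 700 deny log tcp from any to any in via "${oif}" setup
    ${fwcmd} add 65000 deny log all from any to any
}

# Constructed ifconfig output standing in for "ifconfig $oif" at boot time.
sample_ifconfig='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.1.2.3 netmask 0xffffff00 broadcast 24.1.2.255
        ether 00:00:00:00:00:01'

fwcmd=${fwcmd:-ipfw}
# At boot: build_rules ed0 "$(ifconfig ed0 | outside_addr)" fxp0 192.168.1.0/24
```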