Date:      Thu, 13 Apr 2000 00:21:52 -0400 (EDT)
From:      Brian Dean <brdean@unx.sas.com>
To:        freebsd-ipfw@freebsd.org
Subject:   local firewall rules
Message-ID:  <200004130421.AAA77112@dean.pc.sas.com>

Hi,

I just got my cable modem and decided to tighten things up a bit with
a firewall.  My firewall/gateway also runs NAT so that my several
internal hosts can share this wonderful little pipe.

Well, "firewall_type=simple" is not sufficient for this to work
(because of NAT), so I started with the 'simple' rules and modified
them so that my internal LAN works the way it should.

The only problem is that my outside interface gets its address via
DHCP, so I can't hardcode it into the firewall rules.  Thus, I put my
rules into a shell script called 'rc.firewall.local' where I can
determine what the interface IP address is at boot time, then set
firewall_type=/etc/rc.firewall.local.  Then I made the following
modification to /etc/rc.firewall:

--- /etc/rc.firewall    Fri Feb 11 20:14:43 2000
+++ ./rc.firewall       Mon Apr 10 20:59:06 2000
@@ -228,7 +228,9 @@
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
        ;;
 *)
-       if [ -r "${firewall_type}" ]; then
+       if [ -x "${firewall_type}" ]; then
+               ${firewall_type}
+       elif [ -r "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
        fi
        ;;
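Review bot: the new `${firewall_type}` branch executes the file as root at boot without checking its exit status and without handing it `${fwcmd}` or `${firewall_flags}`, so a rule script that fails part-way (for instance because the DHCP lease has not been assigned yet when it looks up the interface address) leaves a partial rule set behind with no message from rc.firewall, and the script has to hardcode the ipfw path that the rest of rc.firewall keeps in `${fwcmd}`. Consider exporting `fwcmd` and `firewall_flags` before the call and reporting failure, e.g. `${firewall_type} || echo "${firewall_type} failed"`; since the file is now run rather than read, its ownership and mode deserve the same care as rc.firewall itself.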

This checks to see if the rule file is executable first, and if so,
executes it, otherwise it works like before, and feeds it into the
'ipfw' program.

This change allows you to run a program that sets up your firewall
rules, instead of forcing it to be an 'ipfw' rule file, with hardcoded
values.

If nobody minds, I'd like to commit this change.  However, if there's
another "proper" way that I should have done this, please let me know.
I don't think putting these in /usr/local/etc/rc.d is sufficient,
since that's the very last thing to run, and thus there is a window
where traffic that you would normally block would be free to pass
through the firewall.

Thanks,
-Brian
-- 
Brian Dean
bsd@FreeBSD.ORG
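The rc.firewall.local approach described in the message, as an added example that is not Brian's script: it looks up the outside interface's DHCP-assigned address at boot, emits NAT-aware rules built from it, and falls back to deny-all when no address has been assigned yet. The interface names ed0/ed1, the inside network 192.168.1.0/24 and the ifconfig(8) output format are assumptions.

```shell
#!/bin/sh
# Added example, not Brian's rc.firewall.local: an executable rule script
# that reads the outside interface's DHCP-assigned address at boot and
# builds the ipfw rules from it. The interface names ed0/ed1 and the
# inside network 192.168.1.0/24 are assumptions.

fwcmd="/sbin/ipfw"

# Print the first IPv4 address in the ifconfig(8) output passed as $1,
# or nothing if the interface has none yet; taking the text as an
# argument keeps the lookup testable against captured output.
addr_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Print one ipfw argument line per rule for outside interface $1 with
# address $2, inside interface $3 and inside network $4. The divert rule
# comes first, so later rules see translated addresses: outbound packets
# carry the outside address, inbound replies the inside one. Without an
# outside address (lease not yet obtained) only deny-all is emitted, so
# the script fails closed instead of opening the window the post describes.
rules_for() {
    oif=$1 oip=$2 iif=$3 inet=$4
    printf '%s\n' "-f flush"
    if [ -z "$oip" ]; then
        echo "add 65000 deny log all from any to any"
        return 0
    fi
    echo "add 100 pass all from any to any via lo0"
    echo "add 200 deny all from any to 127.0.0.0/8"
    echo "add 300 divert natd all from any to any via $oif"
    echo "add 400 deny all from $inet to any in via $oif"      # spoofed
    echo "add 500 deny all from not $inet to any in via $iif"  # spoofed
    echo "add 600 pass all from $inet to any in via $iif"
    echo "add 700 pass all from any to $inet out via $iif"
    echo "add 800 pass all from $oip to any out via $oif"
    echo "add 900 pass tcp from any to any established"
    echo "add 1000 pass udp from any 53 to any in via $oif"    # DNS replies
    echo "add 1100 pass udp from any 67 to any 68 in via $oif" # DHCP renewals
    echo "add 1200 pass icmp from any to any icmptype 0,3,11"
    echo "add 65000 deny log all from any to any"
}

# Apply the rules only when run as rc.firewall.local (not when sourced).
if [ "$(basename "$0")" = "rc.firewall.local" ]; then
    oip=$(addr_from_ifconfig "$(ifconfig ed0)")
    rules_for ed0 "$oip" ed1 192.168.1.0/24 | while read -r line; do
        $fwcmd $line      # unquoted: each word is a separate ipfw argument
    done
fi
```

Because the rule text is generated from the address found at run time, nothing in the file needs to change when the cable provider hands out a different lease.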