Date:      Tue, 15 Jul 2003 10:52:22 +0200
From:      "Peut Kotze" <PK@nanoteq.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: firewall
Message-ID:  <5AC9A01A8B1175418B4DF7F45DD94D5F1E97F1@srvexch1.nanoteq.co.za>

Yes, you can use just a normal file with the ipfw rules in it.
E.g: /etc/myipfw.rules
>>>>>>>>>
add allow all from any to any via lo0
add deny all from any to 127.0.0.1/8
add deny all from 127.0.0.1/8 to any
....
>>>>>>>>>

And in your /etc/rc.conf file you have:
firewall_type="/etc/myipfw.rules"

You can add and delete rules on the command line until you're happy.
Then change your rules by editing the file, and when you're done and happy
with your new rules you can reload them into the firewall over a remote
link with the following command:

#> ipfw -f flush; ipfw /etc/myipfw.rules &

The '&' starts it as a background process to prevent it from being
killed when your shell closes because of the connection being terminated
by the 'ipfw -f flush' command. The firewall will reload the new rules
and you can connect to the box again, having the same effect as
rebooting the box and loading the new firewall rules from the config
file.

Hope it helps
Peut

-----Original Message-----
From: Ryan Thompson [mailto:ryan@sasknow.com]
Sent: 15 July 2003 10:20
To: K Anderson
Cc: RYAN vAN GINNEKEN; freebsd-questions@freebsd.org
Subject: Re: firewall


K Anderson wrote to RYAN vAN GINNEKEN:

> ipfw isn't some sort of daemon to be stopped and started. If you want
> to add rules, delete rules or what ever then  you just do it.

Yes, unless you're doing this over a network, in which case you want to
make sure you don't break connectivity with an intermediate rule.

> Take a look at the script in /etc/rc.firewalls and you'll see that's all
> they are doing.
>
> so  your firewall file should be  a shell script. Even if you do man
> ipfw you'll see that in no way does ipfw accept a file name as an
> argument.  Pretty simple eh?

While you can write a shell script to call firewall rules (in the style
of /etc/rc.firewall), you're wrong in your subsequent assertion; ipfw
*does* accept a pathname to a file which, according to ipfw(8):

     To ease configuration, rules can be put into a file which is processed
     using ipfw as shown in the first synopsis line.  An absolute pathname
     must be used.  The file will be read line by line and applied as
     arguments to the ipfw utility.

And, actually, this is pretty darn convenient, especially in conjunction
with firewall_type="/path/to/ruleset" in rc.conf, once you have tested
the ruleset, of course. :-)

- Ryan

-- 
  Ryan Thompson <ryan@sasknow.com>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"