From owner-freebsd-questions@FreeBSD.ORG Tue Jul 15 02:49:00 2003
Message-ID: <3F13CE06.6050607@comcast.net>
Date: Tue, 15 Jul 2003 02:48:54 -0700
From: K Anderson <freebsduser@comcast.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
To: Ryan Thompson
Cc: RYAN vAN GINNEKEN
Cc: freebsd-questions@freebsd.org
References: <20030715021132.V78991-100000@ren.sasknow.com>
In-Reply-To: <20030715021132.V78991-100000@ren.sasknow.com>
Subject: Re: firewall
List-Id: User questions <freebsd-questions@freebsd.org>

Ryan Thompson wrote:
> K Anderson wrote to RYAN vAN GINNEKEN:
>
>> ipfw isn't some sort of daemon to be stopped and started. If you want
>> to add rules, delete rules or whatever then you just do it.
>
> Yes, unless you're doing this over a network, in which case you want to
> make sure you don't break connectivity with an intermediate rule.
>
>> Take a look at the script in /etc/rc.firewalls and you'll see that's all
>> they are doing.
>>
>> so your firewall file should be a shell script. Even if you do man
>> ipfw you'll see that in no way does ipfw accept a file name as an
>> argument. Pretty simple eh?
>
> While you can write a shell script to call firewall rules (in the style
> of /etc/rc.firewall), you're wrong in your subsequent assertion; ipfw
> *does* accept a pathname to a file which, according to ipfw(8):
>
>     To ease configuration, rules can be put into a file which is processed
>     using ipfw as shown in the first synopsis line. An absolute pathname
>     must be used. The file will be read line by line and applied as
>     arguments to the ipfw utility.
>
> And, actually, this is pretty darn convenient, especially in conjunction
> with firewall_type="/path/to/ruleset" in rc.conf, once you have tested
> the ruleset, of course. :-)
>
> - Ryan

Hmmm, pretty neat. I re-read the man page for it and yep, it sure does
take a file name (like you all said, and the man page said, an absolute
path. Doh).

Thanks for the response. :)
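The two practical points in the thread, loading rules from a file given by absolute path and not cutting off your own remote session while doing it, put together as an added shell example. This is not code from the thread or from FreeBSD's rc.firewall; the paths /etc/ipfw.rules and /etc/ipfw.rules.known-good, the management subnet 192.0.2.0/24, the interface em0 and the pid file are assumed or constructed values for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: load an ipfw
# ruleset from a file (the form ipfw(8) accepts) without locking yourself
# out of a remote host. Assumed/constructed values: /etc/ipfw.rules,
# /etc/ipfw.rules.known-good, the admin subnet 192.0.2.0/24, the interface
# em0 and the pid file path are illustration only; adjust for the real host.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"                # constructed example value
IFACE="${IFACE:-em0}"                                 # assumed interface name
FALLBACK_PID="${FALLBACK_PID:-/var/run/ipfw-fallback.pid}"   # assumed path

# ipfw(8) only accepts an absolute pathname for a rules file; check that
# before touching the firewall so a bad path cannot leave it half-applied.
is_absolute_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Write a small ruleset to the file named by $1. Each line is the argument
# list ipfw would receive on the command line, which is how it reads a file:
# line by line. Management access is allowed early, so that no later rule
# can cut it off ("don't break connectivity with an intermediate rule").
write_ruleset() {
    cat > "$1" <<EOF
# loopback must keep working
add 100 allow ip from any to any via lo0
# admin SSH from the management network, before anything restrictive
add 200 allow tcp from ${ADMIN_NET} to me 22 in via ${IFACE} setup keep-state
add 210 check-state
# outbound traffic from the host itself
add 300 allow tcp from me to any out via ${IFACE} setup keep-state
add 310 allow udp from me to any 53 out via ${IFACE} keep-state
# everything else is logged and dropped
add 65000 deny log ip from any to any
EOF
}

# Number of rules in a ruleset file (lines that begin with "add").
rule_count() {
    grep -c '^add ' "$1"
}

# Apply NEW, but first schedule a restore of KNOWN_GOOD in GRACE seconds.
# If the new rules cut you off, the restore fires on its own; if you still
# have access, cancel it with: kill "$(cat /var/run/ipfw-fallback.pid)".
load_with_fallback() {
    new="$1"; known_good="$2"; grace="${3:-90}"
    is_absolute_path "$new" && is_absolute_path "$known_good" || {
        echo "ruleset paths must be absolute" >&2; return 1; }
    [ -r "$new" ] && [ -r "$known_good" ] || {
        echo "ruleset file missing or unreadable" >&2; return 1; }
    ( sleep "$grace"; ipfw -q -f flush; ipfw -q "$known_good" ) &
    echo $! > "$FALLBACK_PID"
    ipfw -q -f flush        # -f: flush without the interactive confirmation
    ipfw -q "$new"          # first synopsis line of ipfw(8): ipfw [flags] pathname
    echo "loaded $new; fallback to $known_good in ${grace}s unless cancelled"
}

# Usage on a FreeBSD host (nothing runs unless asked): sh ipfw-load.sh apply
if [ "${1:-}" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    write_ruleset /etc/ipfw.rules
    load_with_fallback /etc/ipfw.rules /etc/ipfw.rules.known-good 90
fi
```

Once the file has survived a reload with the fallback cancelled, it can become the boot-time ruleset the thread mentions, with firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in rc.conf; the order of the rules is what matters for remote work, since ipfw applies the file top to bottom and a deny placed above the management rule takes effect immediately.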