Date:      Wed, 26 Nov 2003 14:59:00 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Mike Maltese" <mike@pcmedx.com>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@freebsd.org>
Cc:        Dan Nelson <dnelson@allantgroup.com>
Subject:   RE: IPFILTER rules with shell symbolic substitution
Message-ID:  <MIEPLLIBMLEEABPDBIEGMEIPEOAA.fbsd_user@a1poweruser.com>
In-Reply-To: <008001c3b44c$cfaf6b40$f4f0a8c0@pcmedx.com>

ipf.test rules file
#!/bin/sh
nic="l0"
/sbin/ipf -Fa -f - <<EOF
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF

After booting the system, this file loads OK by running
sh ipf.test from the command line.

Or I can run ipf.loadrules from the command line and the rules load OK.

ipf.loadrules file
#! /bin/sh
sh /etc/ipf.test

But loading the rules from rc.conf with
#ipfilter_rules="sh /root/bin/ipf.loadrules"
#ipfilter_rules="/etc/ipf.test"
does not work; I get a "no rules loaded" message after the "IPFILTER started"
message in the boot log.

This works
ipfilter_rules="/etc/ipf.rules"

ipf.rules file
pass in all
pass out all

Looks to me like an internal problem with the rc.conf
ipfilter_rules= statement and the way it reads what it is pointed at.

Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
statement?

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mike
Maltese
Sent: Wednesday, November 26, 2003 1:41 PM
To: freebsd-questions@FreeBSD.ORG
Cc: Dan Nelson
Subject: Re: IPFILTER rules with shell symbolic substitution

> /etc/rc.firewall has lots of examples using ipfw; the concepts should
> work just as well with ipf.

I'm not sure that's true. /etc/rc.firewall is a shell script, an IP Filter
ruleset isn't. From the documentation and my own use of it, IP Filter
doesn't support variable substitution. If you're running 5.x, you can run
the pf port, which does support variables and some other neat expansion
capabilities that can really condense and simplify your ruleset.

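The approach the thread circles around, as an added example that is not part of either message above: FreeBSD's rc.d/ipfilter script hands the ipfilter_rules= path straight to ipf(8) as a rules file, so that file must contain only rules, never a shell script. The shell can still do the variable substitution, as long as it happens before ipf reads the file: render the ruleset from a script into a static file, sanity-check it, and point ipfilter_rules= at the rendered file. The external interface name (fxp0) and the output paths are assumptions for illustration, and the sample rules are constructed here.

```sh
#!/bin/sh
# Added example (not from the original thread): render an IP Filter ruleset
# from shell variables into a static file that rc.conf's ipfilter_rules= can
# point at. The here-document is unquoted, so the shell substitutes $ext_if
# and $loop_if at render time and ipf never sees a "$".
# Interface names and output paths below are assumptions for illustration.

ext_if="${ext_if:-fxp0}"     # assumed external interface name
loop_if="lo0"                # FreeBSD loopback interface name

# render_ipf_rules OUTFILE: write the expanded ruleset to OUTFILE.
render_ipf_rules() {
    out="$1"
    cat > "$out" <<EOF
# generated by render_ipf_rules; edit the generating script, not this file
pass in quick on $loop_if all
pass out quick on $loop_if all
block in log on $ext_if all
pass out on $ext_if all keep state
EOF
}

# check_ipf_rules FILE: sanity-check a rendered file before rc.conf points at it.
# Returns 0 when the file holds at least one rule, every non-comment line starts
# with an ipf action keyword, and no unexpanded "$" variable is left behind
# (an undefined shell variable would otherwise become a rule ipf rejects).
check_ipf_rules() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '\$' "$f" && return 1
    grep -qE '^(pass|block)' "$f" || return 1
    grep -v '^#' "$f" | grep -v '^[[:space:]]*$' \
        | grep -qvE '^(pass|block)[[:space:]]' && return 1
    return 0
}

# Usage: the real workflow renders to /etc/ipf.rules and sets
# ipfilter_rules="/etc/ipf.rules" in rc.conf; a temp path is used here.
tmp_rules="${TMPDIR:-/tmp}/ipf.rules.$$"
render_ipf_rules "$tmp_rules"
check_ipf_rules "$tmp_rules" && echo "ok: $tmp_rules is ready for ipfilter_rules="
```

The check is deliberately strict about a stray "$": with the ipf.test script from the thread, a misspelled or unset variable would silently produce a rule ipf cannot parse, and the boot-time symptom is the same "no rules loaded" message as pointing ipfilter_rules= at a script.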
