my lame attempt at a shell script...

Eric F Crist ecrist at secure-computing.net
Mon Jan 3 14:04:38 PST 2005 

On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
>> elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
>> then
>>         echo "Syntax error in /etc/rc.conf file. grog_firewall_enable 
>> must be YES or NO"
>> fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or 
> pf - I wrote a replacement for ipfilter as I got dizzy trying to 
> maintain a  too long ruleset so I wanted to split it into multiple 
> files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of 
> scripts to look at - don't look at rc.firewall.
>
> The scripts in /etc/rc.d are executed as ordered by rcorder(8).
>
> Create your script and load rc.subr:
>
> . /etc/rc.subr
>
> which gives you a lot of predefined handy functions. Set the "name" 
> variable in the script, eg:
>
> name="grog" # Name of my firewall script
>
> it is customary to call the script the same. Follow by
>
> load_rc_config=$name
>
> most scripts then just includes the line
>
> run_rc_command "$1"
>
> - everything is defined by the functions in rc.subr. Now, you can set 
> the commands to be run and define them in your script, see eg. 
> ipfilter.
>
> rc.subr also contains a "checkyesno" function answering your question 
> above - however, it is normal to check "[Yy][Ee][Ss]" and treat 
> everything else as a no. After all, what are you gonna do if you only 
> accept "yes" or "no" but some one typed "yeah right"? You must have a 
> default action.
>

Sorry for the double reply, but I forgot to respond to the top half of 
this email.  By including /etc/rc.subr, what exactly do I gain?  There 
are already built-in means to execute a custom firewall script:

      firewall_enable
                  (bool) Set to ``YES'' to load firewall rules at 
startup.  If
                  the kernel was not built with options IPFIREWALL, the 
ipfw.ko
                  kernel module will be loaded.  See also 
ipfilter_enable.

      ipv6_firewall_enable
                  (bool) The IPv6 equivalent of firewall_enable.  Set to
                  ``YES'' to load IPv6 firewall rules at startup.  If 
the ker-
                  nel was not built with options IPV6FIREWALL, the 
ip6fw.ko
                  kernel module will be loaded.

      firewall_script
                  (str) This variable specifies the full path to the 
firewall
                  script to run.  The default is /etc/rc.firewall.

I would assume that the system would institute my firewall rules at the 
correct stage of startup, and thus, don't really want to mess with 
that.  Please enlighten me as to rc.subr and it's benefits.  I'm new to 
shell scripting, and I need all the knowledge I can gain.

Thanks.
_______________________________________________________
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050103/73d382df/PGP.bin

More information about the freebsd-questions mailing list