Strange Failure Mode in FreeBSD 4.11
Giorgos Keramidas
keramida at ceid.upatras.gr
Thu Jan 12 13:48:29 PST 2006
On 2006-01-12 15:08, Greg Barniskis <nalists at scls.lib.wi.us> wrote:
> Martin McCormick wrote:
>> In rc.firewall, there is a place where one can include a table of
>> local rules and that's where I am doing something wrong. The place
>> in rc.firewall reads:
>>
>> # filename - will load the rules in the given filename (full path required)
>
> This section of rc.firewall refers to valid values you can place in
> rc.conf for firewall_type.
No, it refers to exactly what the comment says. You can write your
rules (just the rules, without any ipfw(8) command invocations) in a
file and use:
firewall_type="/etc/ipfw.rules"
in your `rc.conf' file. The manpage of rc.conf explains this in detail
at the firewall_xxxx variables part:
     firewall_type
             (str) Names the firewall type from the selection in
             /etc/rc.firewall, or the file which contains the local
             firewall ruleset.  Valid selections from /etc/rc.firewall
             are:

             open         unrestricted IP access
             closed       all IP services disabled, except via ``lo0''
             client       basic protection for a workstation
             simple       basic protection for a LAN.

             If a filename is specified, the full path must be given.
> Well, OK, surely there is a way to do that, but that functionality
> is not the intent of this part of rc.firewall and rc.conf as I
> understand it.
It works, it's supported and it does exactly what it says it
should do. Why not? :-)
> I'm sure that if you put your custom rules in a shell file that
> you can use rc or cron to load those rules at boot time; you'd
> just need to be careful with rule numbering, maybe use ipfw
> sets for rule ordering, etc.
>
> Maybe easier to just
>
> cp rc.firewall custom.ipfw, edit to your needs and use
> firewall_type="/etc/custom.ipfw"
This is probably more error-prone than writing just:
    add deny ip from 10.0.0.0/8 to any
since shell scripts come with all sorts of quoting, meta-character
evaluation, etc. I find it much much easier to use an `ipfw.rules'
file that contains only the rules. No shell commands at all.
But then, this is clearly a matter of personal taste :)
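As an added example, not part of the original thread and not code from FreeBSD's rc.firewall: a small sh script that lints a rules-only file of the kind recommended above before firewall_type is pointed at it. It assumes, as the post describes, that rc.firewall hands the whole file to ipfw(8), which reads one subcommand per line with the leading "ipfw" word omitted, so every non-blank, non-comment line has to start with a bare ipfw verb. The list of verbs, the function names and the sample rules are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from rc.firewall):
# sanity-check a rules-only file before setting firewall_type to it.
#
# Assumptions: rc.firewall hands the whole file to ipfw(8), which reads one
# subcommand per line with the leading "ipfw" omitted, e.g.
#     add 100 allow ip from any to any via lo0
# "#" comments and blank lines are fine; anything else (a shell command,
# a variable assignment, an "ipfw" prefix, a "-q" option) is not a rule.

# Subcommand verbs a rules-only line may start with (example's own list).
IPFW_VERBS='add|delete|flush|zero|resetlog|list|show|enable|disable|set|pipe|queue|table'

# check_ipfw_rules FILE
#   Returns 0 when FILE is an absolute, readable path whose every
#   non-blank, non-comment line starts with an ipfw subcommand.
#   Otherwise prints the offending lines to stderr and returns 1.
check_ipfw_rules() {
    f=$1
    case "$f" in
        /*) ;;
        *)  echo "error: firewall_type needs a full path, got '$f'" >&2
            return 1 ;;
    esac
    [ -r "$f" ] || { echo "error: cannot read $f" >&2; return 1; }

    # Drop comments and blank lines, keep whatever does not start with a verb.
    bad=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$f" |
          grep -Ev "^[[:space:]]*(${IPFW_VERBS})([[:space:]]|$)" || true)
    if [ -n "$bad" ]; then
        echo "error: $f has lines that are not bare ipfw rules:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# write_sample_rules FILE
#   Writes a constructed rules-only file in the style the post recommends
#   (sample content, not a real host's ruleset).
write_sample_rules() {
    cat > "$1" <<'EOF'
# /etc/ipfw.rules: rules only, no shell; loaded via firewall_type in rc.conf
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 10.0.0.0/8 to any in
add 65000 deny ip from any to any
EOF
}

# Usage: sh check_ipfw_rules.sh /etc/ipfw.rules
if [ $# -gt 0 ]; then
    check_ipfw_rules "$1" && echo "$1: ok"
fi
```

The point of running this before reboot is that a stray shell line or an "ipfw" prefix in the file is otherwise only discovered when ipfw parses it at boot, which is a poor moment to learn that the ruleset did not load as written.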