Strange Failure Mode in FreeBSD 4.11

Giorgos Keramidas keramida at ceid.upatras.gr
Thu Jan 12 13:48:29 PST 2006


On 2006-01-12 15:08, Greg Barniskis <nalists at scls.lib.wi.us> wrote:
> Martin McCormick wrote:
>> In rc.firewall, there is a place where one can include a table of
>> local rules and that's where I am doing something wrong.  The place
>> in rc.firewall reads:
>>
>> #   filename - will load the rules in the given filename (full path required)
>
> This section of rc.firewall refers to valid values you can place in
> rc.conf for firewall_type.

No, it refers to exactly what the comment says.  You can write your
rules (just the rules, without any ipfw(8) command invocations) in a
file and use:

        firewall_type="/etc/ipfw.rules"

in your `rc.conf' file.  The manpage of rc.conf explains this in detail
at the firewall_xxxx variables part:

     firewall_type
                 (str) Names the firewall type from the selection
                 in /etc/rc.firewall, or the file which contains
                 the local firewall ruleset.  Valid selections
                 from /etc/rc.firewall are:

                 open    unrestricted IP access
                 closed  all IP services disabled, except via ``lo0''
                 client  basic protection for a workstation
                 simple  basic protection for a LAN.

                 If a filename is specified, the full path must
                 be given.

> Well, OK, surely there is a way to do that, but that functionality
> is not the intent of this part of rc.firewall and rc.conf as I
> understand it.

It works, it's supported and it does exactly what it says it
should do.  Why not? :-)

> I'm sure that if you put your custom rules in a shell file that
> you can use rc or cron to load those rules at boot time; you'd
> just need to be careful with rule numbering, maybe use ipfw
> sets for rule ordering, etc.
>
> Maybe easier to just
>
> cp rc.firewall custom.ipfw, edit to your needs and use
> firewall_type="/etc/custom.ipfw"

This is probably more error-prone than writing just:

        add deny ip from 10.0.0.0/8 to any

since shell scripts come with all sorts of quoting, meta-character
evaluation, etc.  I find it much much easier to use an `ipfw.rules'
file that contains only the rules.  No shell commands at all.

But then, this is clearly a matter of personal taste :)
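Added example, not code from the original thread or from FreeBSD itself: the setup described above in working form, that is, a file of bare ipfw rules, the two rc.conf lines that make rc.firewall load it, and a small POSIX sh lint that catches the most common slip in such a file (a word that is not an ipfw action, such as pf's `block`, or a line that does not start with `add`) before the file is handed to ipfw at boot. The path /etc/ipfw.rules, the rule numbers, and the sample rules are constructed for illustration; the lint checks only the leading `add [num] [set N] ACTION` shape and is not a full ipfw(8) parser.

```shell
#!/bin/sh
# Added example (not from the original post). A rules-only ipfw file as
# Giorgos describes, the matching rc.conf fragment, and a lint that rejects
# non-ipfw action words before rc.firewall runs "ipfw /etc/ipfw.rules".
# All paths, rule numbers and rules here are constructed for illustration.

# Rule actions accepted by ipfw(8). "block" is pf syntax, not ipfw.
IPFW_ACTIONS="allow accept pass permit check-state count deny drop divert fwd forward pipe queue reject reset skipto tee unreach"

# lint_ipfw_rules FILE
# Every non-blank, non-comment line must read
#     add [RULENUM] [set N] ACTION ...
# with ACTION in IPFW_ACTIONS. Reports each bad line on stderr and returns 1
# if any line fails, 0 if the file is clean.
lint_ipfw_rules() {
    file=$1
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;               # ipfw skips blanks and '#' comments
        esac
        set -- $line                          # split the rule into words
        if [ $# -eq 0 ]; then continue; fi    # whitespace-only line
        if [ "$1" != "add" ]; then
            echo "$file:$lineno: expected 'add', got '$1'" >&2
            rc=1
            continue
        fi
        shift
        case "$1" in [0-9]*) shift ;; esac    # optional rule number
        if [ "$1" = "set" ] && [ $# -ge 3 ]; then shift 2; fi   # optional "set N"
        action=$1
        found=0
        for a in $IPFW_ACTIONS; do
            if [ "$a" = "$action" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$file:$lineno: '$action' is not an ipfw action" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

WORK=$(mktemp -d)

# The rules-only file: no ipfw command, no shell, just rules (constructed sample).
cat > "$WORK/ipfw.rules" <<'EOF'
# /etc/ipfw.rules -- loaded by rc.firewall when firewall_type names this path
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 10.0.0.0/8 to any
add 400 check-state
add 500 allow tcp from any to any out setup keep-state
add 65000 deny log ip from any to any
EOF

# The rc.conf lines that select it; the full path is what rc.firewall keys on.
cat > "$WORK/rc.conf.fragment" <<'EOF'
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
EOF

# A file with the slip the lint exists for: pf's "block" instead of "deny".
cat > "$WORK/bad.rules" <<'EOF'
add 100 block ip from 10.0.0.0/8 to any
EOF

if lint_ipfw_rules "$WORK/ipfw.rules"; then
    echo "ipfw.rules: OK"
fi
if lint_ipfw_rules "$WORK/bad.rules"; then
    echo "bad.rules: passed (unexpected)"
else
    echo "bad.rules: rejected as expected"
fi
```

Running the lint from a pre-commit hook or before `reboot` is the point: a rules-only file has no shell quoting to get wrong, and this check is the one thing a shell script would otherwise give you for free, namely a syntax complaint before the rules are live.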



More information about the freebsd-questions mailing list