IPFW and separate data files.

Steve Bertrand steve at ibctech.ca
Tue Apr 13 13:00:30 UTC 2010 

On 2010.04.12 14:15, Jerry wrote:
> On Mon, 12 Apr 2010 10:04:48 -0400, Steve Bertrand <steve at ibctech.ca>
> articulated:
> 
>> On 2010.04.11 11:57, Jerry wrote:
>>> I am using IPFW on a FreeBSD-7.3 machine. Presently, I am loading
>>> several tables for IPFW. So far, I have just keep the data for the
>>> tables in the actual "ipfw-rules" referenced in the 'rc.conf' file
>>> itself. What I would like to do is keep the data for these tables in
>>> separate files and just have them imported when the firewall is
>>> loaded. I have constructed a simple script that is called from the
>>> 'ipfw-rules' file.
>>>
>>> My question is if there is a better way of accomplishing this? Is
>>> there a downside to doing this way? The data for these tables tends
>>> to be dynamic and I would rather work with the separate files than
>>> edit the master one and risk messing it up.
>>
>> I have a setup that is very similar to this. I 'include' the other
>> files from the one referenced in /etc/rc.conf by adding lines like
>> this:
>>
>> . /etc/ipfw.include
> 
> OK, I think I know where you are going with this; however, I want to
> make sure I have it correct. I am assuming that you are adding the
> ". /etc/ipfw.include" file in the file referenced in the rc.conf file.
> Is that correct?

It is correct:

# grep ipfw.rules /etc/rc.conf
firewall_script="/etc/ipfw.rules"

# grep ipfw.include /etc/ipfw.rules
. /etc/ipfw.include


> I know that it is a little over the top, which is why I was looking for
> an easier way. The reason I was doing it this way was because I only had
> to add the IPs that I wanted to block without having to add the directives also.

That is all I do too. All of my table definitions are in the initial fw
script, ipfw.rules (poorly named, I know ):

#!/bin/sh

flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

$flush

# Tables

# Client/infrastructure IPs for allowing access
$table 1 add 208.70.104.0/21

.....

# SMTP ALLOWED OUTBOUND TABLE
$table 2 add 208.70.104.92/32
$table 2 add 208.70.104.93/32

....

. /etc/ipfw.include

etc.

The included file contains the rule definitions themselves, as well as
any sweeping rules that aren't for any specific protocol or IP address.

To add a new IP to a rule that is using tables:

# ipfw table 2 add x.x.x.x

Because this doesn't save anything, a reboot will erase those new
entries. To take care of that, I use this (note that this may not catch
edge cases):

ipfw list | \
perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \
> /etc/ipfw.include \
&& chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

Steve

More information about the freebsd-questions mailing list