IPFILTER rules with shell symbolic substitution
Jez Hancock
jez.hancock at munk.nu
Wed Nov 26 15:14:01 PST 2003
On Wed, Nov 26, 2003 at 02:59:00PM -0500, fbsd_user wrote:
> Ipf.test rules file
> #!/bin/sh
> nic="l0"
> /sbin/ipf -Fa -f - <<EOF
> pass in on $nic all
> pass out on $nic all
> pass in all
> pass out all
> EOF
<snip>
>
> Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
> statement.
The ipfilter_rules variable should contain the name of a file that
contains rules _only_ - shell variables don't get read because of the way
/etc/rc.network loads the rules:

    if [ -r "${ipfilter_rules}" ]; then
        ${ipfilter_program:-/sbin/ipf} \
            -f "${ipfilter_rules}" \
            ${ipfilter_flags}
    fi

i.e. essentially the command executed is:

    /sbin/ipf -f $ipfilter_rules <ipfilter flags>
so something like:
pass in on 1.2.3.4 all
pass out on 1.2.3.4 all
pass in all
pass out all
is fine, but:
pass in on $nic all
pass out on $nic all
pass in all
pass out all
won't work unfortunately.
Given your shell script above though I'd be tempted to load the ruleset
before anything else in /usr/local/etc/rc.d (by giving it a filename of
.000.ipfilter.sh to ensure it's run before the other scripts in
/usr/local/etc/rc.d).
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
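As an added example (not code from the thread or from FreeBSD's rc scripts): since /sbin/ipf only reads a plain rules file and never expands shell variables, one workable pattern is to keep the variables in a small shell script that renders a static rules file, and to check the rendered file for leftover `$` references before anything loads it. The interface name, network and file paths below are assumptions for illustration.

```shell
#!/bin/sh
# Render a static IPFilter rules file from a shell template so that the
# usual ipfilter_rules="/etc/ipf.rules" knob can load it unchanged.
# Expansion happens here, when the here-document is written, because
# /sbin/ipf -f <file> does no variable substitution of its own.

NIC="${NIC:-fxp0}"                        # assumed interface name
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # constructed sample network

# Print the rendered ruleset to stdout; $NIC and $ADMIN_NET are expanded
# by the shell at this point, so the output contains literal values only.
render_ipf_rules() {
    cat <<EOF
# generated by render_ipf_rules for $NIC; edit the template, not this file
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $NIC proto tcp from $ADMIN_NET to any port = 22 keep state
pass out quick on $NIC all keep state
block in log on $NIC all
EOF
}

# Return 0 only if the file holds no unexpanded shell reference ($var).
# ipf would not expand one, so a leftover silently changes the rule.
check_no_unexpanded() {
    ! grep -q '\$' "$1"
}

# Render to the given path and verify it before it is handed to ipf.
write_ipf_rules() {
    out="$1"
    render_ipf_rules > "$out"
    check_no_unexpanded "$out"
}

# Number of non-comment, non-blank lines: a quick sanity check that the
# rendered file actually contains the rules you expect.
count_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# Usage: sh render-ipf.sh /etc/ipf.rules   (path is an assumption)
if [ $# -gt 0 ]; then
    write_ipf_rules "$1"
fi
```

After rendering, rc.conf keeps the plain `ipfilter_rules="/etc/ipf.rules"` knob and /etc/rc.network loads the static file as usual; re-run the script whenever the template or the variables change.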