conf/93815 Adding save and reload ability to ipfw
Hiroki Sato
hrs at FreeBSD.org
Sat Nov 17 23:31:27 UTC 2012
Chris Rees <utisoft at gmail.com> wrote
in <201210291630.q9TGU1t6059484 at freefall.freebsd.org>:
ut> The following reply was made to PR conf/93815; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft at gmail.com>
ut> To: bug-followup at freebsd.org
ut> Cc:
ut> Subject: Re: conf/93815 Adding save and reload ability to ipfw
ut> Date: Mon, 29 Oct 2012 16:21:46 +0000
ut>
ut> Nowadays we have much simpler firewall scripts.
ut>
ut> http://www.bayofrum.net/~crees/patches/firewall-saved-rulesets.diff
ut>
ut> What does everyone think about this?
I took a look at this feature but dumping all of the ipfw rules is
not so easy (definitions of nat, pipe, queue, sched, table will not
be listed by "ipfw -q", for example). We need a way to dump them
first to realize this functionality. The directives "add" and
"delete" in ipfw_load() and ipfw_unload() do not always work.
For the script, the current rc.d/ipfw and rc.firewall are able to
load a rule file when firewall_script=/path/to/file, so ipfw_load
should simply use it. Generally speaking, writing the rules as a
shell script to /foo and then ". /foo" is dangerous in the rc.d
scripts because it can break the script if /foo is broken in some
way. Just letting ipfw(8) load a rule file as another set and swapping
the current set with it is much safer.
-- Hiroki
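The "load into another set, then swap" approach Hiroki describes, written out as a POSIX sh function. This is an added example, not code from the thread, from rc.d/ipfw or from the linked patch. It assumes (hypothetically) that the live rules sit in set 0, that set 30 is free to use as a staging set, and that the rule file contains one ipfw "add ..." rule per line (blank lines and "#" comments allowed). The command is taken from the IPFW variable so the function can be exercised with a stub in place of the real ipfw(8).

```sh
#!/bin/sh
# Stage an ipfw ruleset in a disabled set and swap it in atomically.
# Added example; assumptions: live rules live in set 0, set 30 is a free
# staging set (set 31 is reserved for the default rule 65535), and the
# rule file holds plain "add ..." lines.
IPFW=${IPFW:-ipfw}
LIVE_SET=0
STAGE_SET=30

# Rewrite one "add [number] action ..." line so the rule lands in the
# staging set.  ipfw(8) syntax: add [number] [set number] action ...
# Returns 1 for anything that is not an "add" rule (nat, pipe, queue,
# table ... are not per-set objects and cannot be swapped this way).
stage_rule() {
    rule=$1
    set -- $rule
    [ "$1" = "add" ] || return 1
    shift
    case $1 in
        [0-9]*) num=$1; shift; echo "add $num set $STAGE_SET $*" ;;
        *)      echo "add set $STAGE_SET $*" ;;
    esac
}

# Load $1 into the staging set, then swap it with the live set.
# A bad line aborts before the swap, so the live rules are untouched.
ipfw_swap_load() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # 1. Staging set must be inactive and empty; a failing delete on an
    #    already-empty set is harmless.
    "$IPFW" -q set disable "$STAGE_SET" || true
    "$IPFW" -q delete set "$STAGE_SET" || true

    # 2. Load every rule into the (disabled) staging set.
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        cmd=$(stage_rule "$line") || {
            echo "unsupported line (only 'add' rules are staged): $line" >&2
            "$IPFW" -q delete set "$STAGE_SET" || true
            return 1
        }
        "$IPFW" -q $cmd || {
            echo "ipfw rejected: $cmd" >&2
            "$IPFW" -q delete set "$STAGE_SET" || true
            return 1
        }
    done < "$file"

    # 3. Swap set numbers: staged rules become set 0 (enabled), the old
    #    rules become set 30 (still disabled).  This is one kernel call.
    "$IPFW" -q set swap "$LIVE_SET" "$STAGE_SET" || return 1

    # 4. Drop the previous ruleset, now parked in the staging set.
    "$IPFW" -q delete set "$STAGE_SET"
}
```

Two caveats a practitioner should keep in mind. First, as the message above points out, nat, pipe, queue, sched and table definitions are not members of a rule set, so this function only covers the "add" rules; those objects have to be created separately before the swap. Second, the swap protects against a syntactically broken file, not against a semantically wrong one: if the host is administered over the network, test a new ruleset with the old one still reachable (for example, keep a time-limited fallback that swaps back) before relying on it.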