IPFILTER rules with shell symbolic substitution
fbsd_user
fbsd_user at a1poweruser.com
Wed Nov 26 12:18:00 PST 2003
ipf.test rules file:

#!/bin/sh
# interface to test on (FreeBSD's loopback interface is named lo0)
nic="l0"
# -Fa flushes all existing rules; -f - reads the new ruleset from stdin
/sbin/ipf -Fa -f - <<EOF
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF
After booting the system, this file loads OK by running
sh ipf.test from the command line.
Or I can run ipf.loadrules from the command line and the rules load OK.

ipf.loadrules file:

#!/bin/sh
# wrapper that simply runs the rules script above
sh /etc/ipf.test
But in rc.conf, to load the rules,
#ipfilter_rules="sh /root/bin/ipf.loadrules"
#ipfilter_rules="/etc/ipf.test"
does not work; I get the message "no rules loaded" after the "IPFILTER started"
message in the boot log.
This works:
ipfilter_rules="/etc/ipf.rules"

ipf.rules file:

pass in all
pass out all

Looks to me like an internal problem with the rc.conf
ipfilter_rules= statement and the way it reads what it points at.
Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
statement?
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mike Maltese
Sent: Wednesday, November 26, 2003 1:41 PM
To: freebsd-questions at FreeBSD.ORG
Cc: Dan Nelson
Subject: Re: IPFILTER rules with shell symbolic substitution
> /etc/rc.firewall has lots of examples using ipfw; the concepts should
> work just as well with ipf.

I'm not sure that's true. /etc/rc.firewall is a shell script; an IP Filter
ruleset isn't. From the documentation and my own use of it, IP Filter
doesn't support variable substitution. If you're running 5.x, you can run
the pf port, which does support variables and some other neat expansion
capabilities that can really condense and simplify your ruleset.
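The failure described above follows from how the rc.d ipfilter script uses ipfilter_rules=: it hands the named file to ipf with -f, so the file is parsed as IP Filter rules, not executed by a shell. A file beginning with #!/bin/sh and a nic="..." assignment is therefore rejected by ipf's parser and nothing is loaded. The usual way to keep shell variables is to do the substitution before ipf ever sees the file: a small generator script expands the variables into a static ruleset, and rc.conf points ipfilter_rules= at that generated file. The script below is an added example written for this page, not code from either poster. The output path, the interface names ext0 and int0, and the particular rules are assumptions chosen for illustration; the only thing the example depends on from the thread is that ipf reads a plain rules file.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a static IP Filter
# ruleset from a shell template so that rc.conf's ipfilter_rules= can point at
# a plain rules file. rc.d/ipfilter passes that file to "ipf -f", which parses
# it as rules; a script with a #!/bin/sh line and $nic assignments loads nothing.
#
# Assumptions (not in the original post): the interface names and the rules
# themselves are placeholders; adjust for the target host.

# gen_ipf_rules EXT_IF INT_IF OUTFILE
# Expands the shell variables now, at generation time, and writes a static
# ruleset that contains no shell syntax at all.
gen_ipf_rules() {
    ext_if="$1"; int_if="$2"; out="$3"
    # Write to a temp file first so a half-written ruleset is never installed.
    tmp="${out}.tmp.$$"
    cat > "$tmp" <<EOF
# Generated by gen_ipf_rules; edit the generator, not this file.
# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all
# Default deny on the outside interface; later "quick" rules punch holes.
block in  log on $ext_if all
block out log on $ext_if all
# Outbound connections from this host, with state kept for the replies.
pass out quick on $ext_if proto tcp from any to any flags S keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state
# Inbound SSH on the outside interface.
pass in quick on $ext_if proto tcp from any to any port = 22 flags S keep state
# Inside interface is trusted.
pass in  quick on $int_if all
pass out quick on $int_if all
EOF
    mv "$tmp" "$out"
}

# check_ipf_rules FILE
# Verifies the file is a plain ruleset, not a script: no shebang, no
# unexpanded $variables, and at least one pass/block rule. If ipf is
# installed, also asks it to parse the file without loading it (-n).
check_ipf_rules() {
    f="$1"
    grep -q '^#!' "$f" && { echo "$f: is a shell script, not a ruleset" >&2; return 1; }
    grep -q '\$' "$f" && { echo "$f: contains unexpanded variables" >&2; return 1; }
    grep -Eq '^(pass|block) ' "$f" || { echo "$f: no rules found" >&2; return 1; }
    if command -v ipf >/dev/null 2>&1; then
        ipf -n -f "$f" || return 1
    fi
    return 0
}

# count_rules FILE: number of pass/block rules in the generated file.
count_rules() {
    grep -Ec '^(pass|block) ' "$1"
}

# Typical use (paths are assumptions): generate, check, then let rc.d load it.
#   gen_ipf_rules fxp0 rl0 /etc/ipf.rules && check_ipf_rules /etc/ipf.rules
# with rc.conf containing:
#   ipfilter_enable="YES"
#   ipfilter_rules="/etc/ipf.rules"
```

The generator has to run before the ipfilter rc.d script does (or be rerun followed by a reload) whenever the interface names change; the ruleset itself stays a static file, which is exactly what ipfilter_rules= expects. The check function is the step worth keeping in any such pipeline: catching a stray $ or #! before the boot-time load is far cheaper than discovering at the "no rules loaded" message that the host came up with no filtering.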
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"