Chris Rees <[email protected]> wrote
  in <[email protected]>:

ut> The following reply was made to PR conf/93815; it has been noted by GNATS.
ut>
ut> From: Chris Rees <[email protected]>
ut> To: [email protected]
ut> Cc:
ut> Subject: Re: conf/93815 Adding save and reload ability to ipfw
ut> Date: Mon, 29 Oct 2012 16:21:46 +0000
ut>
ut>  Nowadays we have much simpler firewall scripts.
ut>
ut>  http://www.bayofrum.net/~crees/patches/firewall-saved-rulesets.diff
ut>
ut>  What does everyone think about this?

 I took a look at this feature, but dumping all of the ipfw rules is
 not so easy (definitions of nat, pipe, queue, sched and table will not
 be listed by "ipfw -q", for example).  We need a way to dump them
 first to realize this functionality.  The directives "add" and
 "delete" in ipfw_load() and ipfw_unload() do not always work.

 For the script, the current rc.d/ipfw and rc.firewall are able to
 load a rule file when firewall_script=/path/to/file, so ipfw_load
 should simply use that.  Generally speaking, writing the rules as a
 shell script to /foo and then running ". /foo" is dangerous in the
 rc.d scripts because it can break the script if /foo is broken in some
 way.  Simply letting ipfw(8) load a rule file as another set and
 swapping the current set with it is much safer.

-- Hiroki
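The "load into another set, then swap" approach Hiroki describes, written out as an added example. This is not code from the PR, the posted patch or rc.d/ipfw; it follows the atomic rule-replacement recipe in ipfw(8) (disable a spare set, add the new rules to it, "set swap" it with the live set, "delete set" the old one). Assumptions: the saved rule file uses the ipfw(8) command form "add [number] action ..." with no "set N" of its own; the live set is 0 and the staging set is 30, since set 31 is reserved; `fwcmd`, `dryrun_ipfw`, `stage_rules` and `ipfw_load_staged` are names chosen here, not rc.firewall variables. Note that nat, pipe, queue, sched and table definitions in the file are not set members and are applied at load time, not swapped; this is exactly the gap the reply points at.

```shell
#!/bin/sh
# Added example (not from the PR or from rc.d/ipfw): load a saved ipfw(8)
# rule file into a spare, disabled set and swap it in, instead of sourcing
# a shell script with ". /foo".  Assumptions: rule lines use the ipfw(8)
# "add [number] action ..." form without their own "set N"; set 31 is
# reserved, so live and staging sets must be in 0..30.

: "${fwcmd:=/sbin/ipfw}"          # set fwcmd=dryrun_ipfw to only print the commands

dryrun_ipfw() { echo "ipfw $*"; }  # stand-in for ipfw(8) in a dry run

is_set_number() {                  # usable set number: integer in 0..30
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 30 ]
}

# Rewrite "add ..." lines so every rule lands in set $2.  Everything else
# (nat, pipe, queue, sched, table definitions, comments) passes through
# untouched: those objects do not belong to a set and are NOT swapped.
stage_rules() {
    sed -e "s/^\([[:space:]]*add[[:space:]]\{1,\}[0-9]\{1,\}\)[[:space:]]\{1,\}/\1 set $2 /" \
        -e t \
        -e "s/^\([[:space:]]*add\)[[:space:]]\{1,\}/\1 set $2 /" "$1"
}

# ipfw_load_staged RULEFILE [LIVE_SET] [STAGING_SET]
ipfw_load_staged() {
    rulefile=$1 live=${2:-0} staging=${3:-30}
    [ -r "$rulefile" ] || { echo "ipfw_load_staged: cannot read $rulefile" >&2; return 1; }
    is_set_number "$live" && is_set_number "$staging" && [ "$live" != "$staging" ] ||
        { echo "ipfw_load_staged: set numbers must be 0..30 and differ" >&2; return 1; }
    tmp=$(mktemp) || return 1

    # 1. Empty and disable the staging set so half-loaded rules never match traffic.
    $fwcmd -q set disable "$staging"
    $fwcmd -q delete set "$staging" 2>/dev/null || true

    # 2. Load the rewritten file.  ipfw(8) exits non-zero on a bad line, so a
    #    broken file leaves the live set untouched instead of breaking rc.d.
    if ! stage_rules "$rulefile" "$staging" > "$tmp" || ! $fwcmd -q "$tmp"; then
        echo "ipfw_load_staged: $rulefile did not load; set $live unchanged" >&2
        $fwcmd -q delete set "$staging" 2>/dev/null || true
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"

    # 3. Swap set numbers.  The enabled/disabled state belongs to the set number,
    #    not to the rules, so the new rules go live in one step and the old go dark.
    $fwcmd -q set swap "$live" "$staging"
    # 4. Drop the old rules, which now sit in the disabled staging set.
    $fwcmd -q delete set "$staging"
}

# Constructed sample ruleset for a dry run (not a real site's rules).
make_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# loopback, anti-spoofing, ssh, then a catch-all; the nat line is not a set member
nat 1 config if em0
add 100 allow ip from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add 1000 allow tcp from any to me 22 setup
add allow ip from any to any
EOF
    echo "$f"
}

case "${1:-}" in
    --dry-run) fwcmd=dryrun_ipfw; ipfw_load_staged "$(make_sample_rules)" 0 30 ;;
esac
```

Run with `sh ipfw_staged.sh --dry-run` to see the exact ipfw(8) command sequence without touching the kernel; on a FreeBSD box with the default `fwcmd`, `ipfw_load_staged /etc/ipfw.rules 0 30` replaces set 0 atomically and never runs the rule file through the shell.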
