Re: IPFILTER rules with shell symbolic substitution

2003-11-27 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2003-11-26 12:13:53 -0600:
 In the last episode (Nov 26), fbsd_user said:
  Looking for way to code IPFILTER rules with shell symbolic
  substitution. I know how to do it in the rules, but how to get ipf
  pgm to exec in shell? Any body have example of how to setup this?
 
 /etc/rc.firewall has lots of examples using ipfw; the concepts should
 work just as well with ipf.

that won't work with ipf, but: you can have the rules passed through
/bin/sh (which would do the substitutions), and piped into ipf.

-- 
If you cc me or remove the list(s) completely I'll most likely ignore
your message. See http://www.eyrie.org./~eagle/faqs/questions.html
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFILTER rules with shell symbolic substitution

2003-11-26 Thread Dan Nelson
In the last episode (Nov 26), fbsd_user said:
 Looking for way to code IPFILTER rules with shell symbolic
 substitution. I know how to do it in the rules, but how to get ipf
 pgm to exec in shell? Any body have example of how to setup this?

/etc/rc.firewall has lots of examples using ipfw; the concepts should
work just as well with ipf.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: IPFILTER rules with shell symbolic substitution

2003-11-26 Thread Mike Maltese
 /etc/rc.firewall has lots of examples using ipfw; the concepts should
 work just as well with ipf.

I'm not sure that's true. /etc/rc.firewall is a shell script, an IP Filter
ruleset isn't. From the documentation and my own use of it, IP Filter
doesn't support variable substitution. If you're running 5.x, you can run
the pf port, which does support variables and some other neat expansion
capabilities that can really condense and simplify your ruleset.



RE: IPFILTER rules with shell symbolic substitution

2003-11-26 Thread fbsd_user
ipf.test rules file
#!/bin/sh
nic=lo0
# the shell expands $nic in the here-document before the rules reach ipf
/sbin/ipf -Fa -f - <<EOF
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF

After booting the system this file loads OK by running
sh ipf.test from the command line.

Or I can run ipf.loadrules from command line and rules load ok.

ipf.loadrules file
#! /bin/sh
sh /etc/ipf.test

But in rc.conf to load the rules
#ipfilter_rules=sh /root/bin/ipf.loadrules
#ipfilter_rules=/etc/ipf.test
does not work; I get a "no rules loaded" message after the "IPFILTER
started" message in the boot log.

This works
ipfilter_rules=/etc/ipf.rules

ipf.rules files
pass in all
pass out all

Looks to me like internal problem with the rc.conf
ipfilter_rules= statement and the way it reads what is pointed at.

Any ideas about what is wrong with my ipfilter_rules=/etc/ipf.test
statement?



Re: IPFILTER rules with shell symbolic substitution

2003-11-26 Thread Jez Hancock
On Wed, Nov 26, 2003 at 02:59:00PM -0500, fbsd_user wrote:
 ipf.test rules file
 #!/bin/sh
 nic=lo0
 /sbin/ipf -Fa -f - <<EOF
 pass in on $nic all
 pass out on $nic all
 pass in all
 pass out all
 EOF
[snip]
 
 Any ideas about what is wrong with my ipfilter_rules=/etc/ipf.test
 statement.
The ipfilter_rules variable should contain the name of a file that
contains rules _only_ - shell variables don't get read because of the way
/etc/rc.network loads the rules:

if [ -r ${ipfilter_rules} ]; then
        ${ipfilter_program:-/sbin/ipf} \
                -f ${ipfilter_rules} \
                ${ipfilter_flags}
fi

i.e. essentially the command executed is:

/sbin/ipf -f $ipfilter_rules <ipfilter flags>

so something like:

pass in on 1.2.3.4 all
pass out on 1.2.3.4 all
pass in all
pass out all

is fine, but:

pass in on $nic all
pass out on $nic all
pass in all
pass out all

won't work unfortunately.

Given your shell script above though I'd be tempted to load the ruleset
before anything else in /usr/local/etc/rc.d (by giving it a filename of
.000.ipfilter.sh to ensure it's run before the other scripts in
/usr/local/etc/rc.d).

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
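An added example, not code from anyone in the thread, that does what Roman suggests and what Jez's explanation implies: the rules go through /bin/sh (so $nic is expanded) and are piped into ipf via "-f -", with a parse-only pass before the active set is flushed. The function names, the IPF variable and the awk check are my own; the ipf flags -n, -Fa and -f are from ipf(8).

```shell
#!/bin/sh
# Added example for the thread above: render an IP Filter ruleset through
# the shell, sanity-check it, then feed it to ipf on stdin.
# Assumed names: render_rules, check_rules, load_rules, IPF (not ipf's own).

nic="${nic:-lo0}"           # interface name substituted into the rules
IPF="${IPF:-/sbin/ipf}"     # ipf binary; override when testing off-box

# Expand the rule template for one interface. An empty name is refused so a
# typo in the caller fails closed instead of emitting "pass in on  all".
render_rules() {
    [ -n "$1" ] || { echo "render_rules: empty interface name" >&2; return 1; }
    cat <<EOF
pass in on $1 all
pass out on $1 all
pass in all
pass out all
EOF
}

# Cheap check that needs no ipf binary: every non-blank, non-comment line
# must start with a common ipf action keyword. Exit 1 and name the bad line.
check_rules() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 != "pass" && $1 != "block" && $1 != "log" && $1 != "count" {
            print "bad rule on line " NR ": " $0 > "/dev/stderr"; bad = 1
        }
        END { exit bad }'
}

# ipf -n parses without touching the kernel, so a ruleset that will not load
# is caught before -Fa discards the rules currently protecting the host.
load_rules() {
    rules=$(render_rules "$nic") || return 1
    printf '%s\n' "$rules" | check_rules || return 1
    printf '%s\n' "$rules" | "$IPF" -n -f - || return 1
    printf '%s\n' "$rules" | "$IPF" -Fa -f -
}

# Old-style /usr/local/etc/rc.d/*.sh scripts are invoked with "start" at boot.
case "${1:-}" in
    start) load_rules ;;
esac
```

Dropped into /usr/local/etc/rc.d with a name that sorts early, it runs before the other local scripts, as Jez suggests, while ipfilter_rules in rc.conf keeps pointing at a plain rules file.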