Re: IPFILTER rules with shell symbolic substitution
# [EMAIL PROTECTED] / 2003-11-26 12:13:53 -0600:
> In the last episode (Nov 26), fbsd_user said:
> > Looking for way to code IPFILTER rules with shell symbolic
> > substitution. I know how to do it in the rules, but how to get ipf
> > pgm to exec in shell? Anybody have example of how to setup this?
>
> /etc/rc.firewall has lots of examples using ipfw; the concepts should
> work just as well with ipf.

that won't work with ipf, but: you can have the rules passed through
/bin/sh (which would do the substitutions), and piped into ipf.

--
If you cc me or remove the list(s) completely I'll most likely ignore
your message. see http://www.eyrie.org./~eagle/faqs/questions.html
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: IPFILTER rules with shell symbolic substitution
On Wed, Nov 26, 2003 at 02:59:00PM -0500, fbsd_user wrote:
> Ipf.test rules file
> #!/bin/sh
> nic="l0"
> /sbin/ipf -Fa -f - <<EOF
> pass in on $nic all
> pass out on $nic all
> pass in all
> pass out all
> EOF
>
> Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
> statement.

The ipfilter_rules variable should contain the name of a file that
contains rules _only_ - shell variables don't get read because of the
way /etc/rc.network loads the rules:

    if [ -r "${ipfilter_rules}" ]; then
        ${ipfilter_program:-/sbin/ipf} \
            -f "${ipfilter_rules}" \
            ${ipfilter_flags}
    fi

i.e. essentially the command executed is:

    /sbin/ipf -f $ipfilter_rules

so something like:

    pass in on 1.2.3.4 all
    pass out on 1.2.3.4 all
    pass in all
    pass out all

is fine, but:

    pass in on $nic all
    pass out on $nic all
    pass in all
    pass out all

won't work unfortunately.

Given your shell script above though I'd be tempted to load the ruleset
before anything else in /usr/local/etc/rc.d (by giving it a filename of
.000.ipfilter.sh to ensure it's run before the other scripts in
/usr/local/etc/rc.d).

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
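One way to do what the two replies above describe, as an added example that is not from the thread: a Bourne shell script expands the variables, then either pipes the text into ipf on stdin or writes it to the plain rules file that ipfilter_rules points at. The interface name, admin network and rule set are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: expand shell variables into an
# IP Filter ruleset, then hand the expanded text to ipf.
# The interface, network and rules below are constructed placeholders.

# gen_rules IFACE ADMIN_NET: print the ruleset with $nic and $admin_net
# substituted. ipf never sees the variable names, only the expanded text.
gen_rules() {
    nic="$1"
    admin_net="$2"
    cat <<EOF
block in log on $nic all
pass in quick on $nic proto tcp from $admin_net to any port = 22 flags S keep state
pass out quick on $nic proto tcp from any to any flags S keep state
pass out quick on $nic proto udp from any to any keep state
pass in quick on lo0 all
pass out quick on lo0 all
EOF
}

# rule_count IFACE ADMIN_NET: number of rule lines produced, a cheap
# sanity check before flushing the active ruleset.
rule_count() {
    gen_rules "$1" "$2" | grep -c .
}

# write_rules IFACE ADMIN_NET FILE: write the expanded ruleset to FILE so
# that ipfilter_rules in rc.conf can keep pointing at a rules-only file.
write_rules() {
    gen_rules "$1" "$2" > "$3"
}

# load_rules IFACE ADMIN_NET: flush the active set (-Fa) and load the
# expanded rules from stdin (-f -), as suggested in the replies above.
load_rules() {
    gen_rules "$1" "$2" | "${ipfilter_program:-/sbin/ipf}" -Fa -f -
}

# Usage: ./ipf-gen.sh fxp0 192.0.2.0/24
# Loads only when run as root with both arguments and ipf present.
if [ $# -eq 2 ] && [ "$(id -u)" -eq 0 ] \
   && command -v "${ipfilter_program:-/sbin/ipf}" >/dev/null 2>&1; then
    load_rules "$1" "$2"
fi
```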
RE: IPFILTER rules with shell symbolic substitution
Ipf.test rules file
#!/bin/sh
nic="l0"
/sbin/ipf -Fa -f - <<EOF
pass in on $nic all
pass out on $nic all
pass in all
pass out all
EOF

Any ideas about what is wrong with my ipfilter_rules="/etc/ipf.test"
statement.

From: [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Maltese
Sent: Wednesday, November 26, 2003 1:41 PM
To: [EMAIL PROTECTED] ORG
Cc: Dan Nelson
Subject: Re: IPFILTER rules with shell symbolic substitution

> /etc/rc.firewall has lots of examples using ipfw; the concepts should
> work just as well with ipf.

I'm not sure that's true. /etc/rc.firewall is a shell script, an IP
Filter ruleset isn't. From the documentation and my own use of it, IP
Filter doesn't support variable substitution. If you're running 5.x, you
can run the pf port, which does support variables and some other neat
expansion capabilities that can really condense and simplify your
ruleset.
Re: IPFILTER rules with shell symbolic substitution
> /etc/rc.firewall has lots of examples using ipfw; the concepts should
> work just as well with ipf.

I'm not sure that's true. /etc/rc.firewall is a shell script, an IP
Filter ruleset isn't. From the documentation and my own use of it, IP
Filter doesn't support variable substitution. If you're running 5.x, you
can run the pf port, which does support variables and some other neat
expansion capabilities that can really condense and simplify your
ruleset.
Re: IPFILTER rules with shell symbolic substitution
In the last episode (Nov 26), fbsd_user said:
> Looking for way to code IPFILTER rules with shell symbolic
> substitution. I know how to do it in the rules, but how to get ipf
> pgm to exec in shell? Anybody have example of how to setup this?

/etc/rc.firewall has lots of examples using ipfw; the concepts should
work just as well with ipf.

--
Dan Nelson
[EMAIL PROTECTED]