Re: Importing into rc.firewal rules

From: Matthew Seaman (m.seaman_at_infracaninophile.co.uk)
Date: 11/20/04

  • Next message: David Wolfskill: "Re: Importing into rc.firewal rules"
    Date: Sat, 20 Nov 2004 20:15:26 +0000
    To: Francisco Reyes <lists@natserv.com>
    
    
    

    On Sat, Nov 20, 2004 at 01:32:15PM -0500, Francisco Reyes wrote:
    > I have a grown list of IPs that I am "deny ip from ###.### to any".
    > Infected machines, hackers, etc.
    >
    > Is there a way to have this list outside of rc.firewall and just read it
    > in?

    Sure. If you set 'firewall_type' in /etc/rc.conf to the name of a
    file (e.g. /etc/rules.ipfw), then record your firewall ruleset as a
    series of 'add rule' commands inside that file, it will be read
    straight into ipfw(8) -- e.g.:

        # /sbin/ipfw /etc/rules.ipfw

    where the initial contents of the rules file could be generated from
    the currently loaded ruleset by:

        # /sbin/ipfw list | sed -e 's,^,add ,'

    Additionally you can use the '-p preproc' flag to pass the rules file
    through a preprocessor, such as m4(1), which potentially allows you to
    insert blocks of rules by including other files, but that requires
    having quite a bit of m4-fu.

    Alternatively, if you want to manage your list of ad-hoc deny rules
    separately to your standard rule set, you can just run ipfw(8) against
    a set of 'add' rules whenever you need to make changes. If you make
    use of the ipfw set command, you will easily be able to manipulate
    your ad-hoc rules without trashing your regular ruleset. The ipfw set
    functionality is available by default in RELENG_5, but it is an
    extension that has to be explicitly turned on in RELENG_4 -- see the
    section "USING IPFW2 IN FreeBSD-STABLE" within the ipfw(8) man page.
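    The set-based approach described above, as an added example script that is not part of the original post: the deny list lives in a plain file, is turned into numbered 'add ... set N deny' rules, and is reloaded by flushing only that set. The file path, set number and rule-number base are assumptions of the example, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: keep the ad-hoc deny list in a
# file and load it into its own ipfw set, so it can be replaced wholesale
# without touching the rules that live in the other sets.
# Assumptions (mine): one IPv4 address or prefix per line in DENY_LIST,
# '#' comments allowed; DENY_SET is otherwise unused (set 31 is reserved by
# ipfw); BASE_RULE numbers sit before the main ruleset's first "allow".
DENY_LIST=${DENY_LIST:-/etc/ipfw.deny}
DENY_SET=${DENY_SET:-20}
BASE_RULE=${BASE_RULE:-1000}
IPFW=${IPFW:-/sbin/ipfw}     # set IPFW=echo to preview without applying

# Turn the list file ($1) into "add" commands, one per address, numbered
# from BASE_RULE and tagged "set $DENY_SET". Blank lines and comments are
# skipped; anything that is not a dotted quad or /prefix is rejected, so a
# typo in the list cannot turn into a rule.
deny_rules() {
    n=$BASE_RULE
    while read -r addr _; do
        case $addr in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'deny_rules: skipping malformed entry: %s\n' "$addr" >&2
            continue
        fi
        printf 'add %d set %d deny ip from %s to any\n' "$n" "$DENY_SET" "$addr"
        n=$((n + 1))
    done < "$1"
}

# Replace the live deny set: disable it, delete only its rules, load the
# fresh rules from a temporary file, then re-enable it. Rules in other sets
# (the regular ruleset) are never flushed.
reload_deny_set() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfw.deny.XXXXXX") || return 1
    deny_rules "$DENY_LIST" > "$tmp" || { rm -f "$tmp"; return 1; }
    "$IPFW" -q set disable "$DENY_SET"
    "$IPFW" -q delete set "$DENY_SET"
    "$IPFW" -q "$tmp"
    "$IPFW" -q set enable "$DENY_SET"
    rm -f "$tmp"
}
```

    Because ordering is by rule number across all sets, the deny rules only block traffic if BASE_RULE is lower than the first rule in the regular set that would otherwise allow it.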

            Cheers,

            Matthew

    -- 
    Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                          Savill Way
    PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
    Tel: +44 1628 476614                                  Bucks., SL7 1TH UK