firewall & restart of /etc/rc.conf

Matthew Seaman m.seaman at
Fri Mar 7 13:43:54 GMT 2003


On Fri, Mar 07, 2003 at 02:25:39PM +0100, Frans Diergaarde wrote:
> Hi all,
> I've got this firewall script from a friend of mine and have modified it
> for my needs.
> I have renamed it to myhost.firewall.
> Is it enough to just place in /etc/rc.conf
> firewall_script="/path_to_script/myhost.firewall"
> or must I do more than that?
> Can I restart /etc/rc.conf without rebooting the whole machine?

rc.conf is just a list of variable definitions -- very roughly an
equivalent to the Windows registry stuff.  In order to start up your
firewall, what you do depends on exactly what your 'myhost.firewall'
contains.  You've referred to it in rc.conf as 'firewall_script' which
implies that it's a completely stand-alone script to start up your
firewall program.  In which case, just run the script.  Preferably
while logged into the console so you can cope with having to debug a
ruleset that denies all network traffic.

However, if you're using ipfw(8), it's common to use the standard
rc.firewall script (i.e. delete the 'firewall_script' line in
/etc/rc.conf), and instead set the 'firewall_type' variable to the
name of a file containing just a list of firewall rules.  In this case
you can just run the /etc/rc.firewall script to start up the firewall.

If ipfw(8) is already running, you need to flush out all the existing
rules first, by running:

    ipfw flush

and then run your firewall startup script.

Be aware that this will result in all network traffic being
blocked on your system unless you've specially recompiled the kernel
with specific options to prevent that.



Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
Tel: +44 1628 476614
PGP:
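The reply above gives the two-step recipe (flush the live rules, then load the file) and warns that the flush alone leaves the box with no open ports unless the kernel was built to default-accept, which is exactly how people lock themselves out over ssh. The script below is an added example, not code from the original message or from FreeBSD: it checks the rules file before touching anything, does the flush-and-load, and arms a timed fallback that reopens the firewall unless someone at a still-working terminal confirms the new ruleset. Assumptions, all mine: the rules file is in the 'firewall_type' style that rc.firewall hands to 'ipfw -q <file>' (one ipfw subcommand per line, '#' comments); the kernel keeps the stock default-deny rule 65535; the IPFW and GRACE variables are hypothetical knobs so the logic can be exercised with a stub binary; and rule number 65000 for the emergency catch-all is an arbitrary choice.

```shell
#!/bin/sh
# safe_fwreload.sh: reload an ipfw(8) ruleset without locking yourself out.
# Added example, not code from the original post.  Assumptions: the rules
# file is in the 'firewall_type' style rc.firewall hands to 'ipfw -q <file>'
# (one ipfw subcommand per line, '#' comments); the kernel has the stock
# default-deny rule 65535 (no IPFIREWALL_DEFAULT_TO_ACCEPT); $IPFW names the
# ipfw binary and is overridable so the logic can be exercised with a stub;
# rule number 65000 for the emergency catch-all is an arbitrary choice.

IPFW=${IPFW:-/sbin/ipfw}
GRACE=${GRACE:-60}     # seconds the new ruleset has to be confirmed

# Static check before anything touches the live firewall: every non-blank,
# non-comment line must be an 'add' rule, and at least one rule must allow
# traffic via lo0, since a ruleset that forgets loopback breaks local
# services in confusing ways.  Returns 0 if the file looks sane.
check_rules() {
    f=$1
    [ -r "$f" ] || { echo "check_rules: cannot read '$f'" >&2; return 1; }
    awk '
        BEGIN { act = "^(allow|accept|pass|permit)$" }
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0          { next }                       # blank line
        $1 != "add" {
            bad++
            print FILENAME ":" FNR ": not an ipfw add rule: " $0 > "/dev/stderr"
            next
        }
        ($2 ~ act || $3 ~ act) && /via lo0/ { lo = 1 } # rule number is optional
        END {
            if (!lo) { bad++; print FILENAME ": no rule allowing traffic via lo0" > "/dev/stderr" }
            exit (bad ? 1 : 0)
        }
    ' "$f"
}

# Replace the running ruleset.  Returns 2 (nothing changed) if the file fails
# the check, 1 if ipfw itself failed.  Between the flush and the load only
# rule 65535 is in effect, so no traffic passes during that window.
reload_ruleset() {
    f=$1
    check_rules "$f" || return 2
    "$IPFW" -q flush || return 1    # -q suppresses the "Are you sure?" prompt
    "$IPFW" -q "$f"
}

# Dead man's switch: unless disarmed within $GRACE seconds, flush and install a
# catch-all allow so a bad ruleset cannot strand a remote admin.  It ignores
# SIGHUP so that losing the ssh session does not kill it, and its stdout is
# detached so the $(...) in the caller does not wait for it.
arm_fallback() {
    (
        trap '' HUP
        sleep "$GRACE"
        "$IPFW" -q flush
        "$IPFW" -q add 65000 allow ip from any to any
        echo "fallback fired: firewall is wide open, fix the ruleset and reload" >&2
    ) >/dev/null </dev/null &
    echo $!
}

disarm_fallback() {
    kill "$1" 2>/dev/null
}

# Interactive use:  sh safe_fwreload.sh /etc/ipfw.rules
# The new rules survive only if someone at a still-working terminal presses
# Enter in time; if the session died, read gets EOF and the fallback fires.
if [ $# -eq 1 ]; then
    fb=$(arm_fallback)
    reload_ruleset "$1"; rc=$?
    if [ "$rc" -eq 2 ]; then
        disarm_fallback "$fb"; exit 2           # live firewall was not touched
    fi
    if [ "$rc" -eq 0 ] && { echo "loaded; press Enter within $GRACE s to keep it"; read -r _; }; then
        disarm_fallback "$fb"; echo "new ruleset kept"
    else
        echo "not confirmed; the fallback will reopen the firewall in $GRACE s" >&2
    fi
fi
```

Run it from a second ssh session rather than the one you are relying on, or from the console as the reply suggests; the confirmation must come from a human who has verified that the new ruleset still lets them in, which is why the script does not disarm the fallback by itself after a successful load.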




More information about the Ukfreebsd mailing list