Add some bits about firewall_script and firewall_type rc.conf
variables to ipfw section.

Reviewed by: trhodes
Approved by: keramida (mentor)
PR: docs/93764
parent 0adaa94e40
commit da68e1b2ca
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28550

1 changed file with 60 additions and 3 deletions
@ -2241,10 +2241,67 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>

<programlisting>firewall_type="open"</programlisting>

<para>Or load custom rules by setting the following variable to the
file containing them:</para>
<para>Available values for this setting are:</para>

<programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
<itemizedlist>
<listitem>
<para><literal>open</literal> — pass all traffic.</para>
</listitem>
<listitem>
<para><literal>client</literal> — will protect only this
machine.</para>
</listitem>
<listitem>
<para><literal>simple</literal> — protect the whole
network.</para>
</listitem>
<listitem>
<para><literal>closed</literal> — entirely disables IP
traffic except for the loopback interface.</para>
</listitem>
<listitem>
<para><literal>UNKNOWN</literal> — disables the loading
of firewall rules.</para>
</listitem>
<listitem>
<para><filename>filename</filename> — absolute path of
file containing firewall rules.</para>
</listitem>
</itemizedlist>

<para>It is possible to use two different ways to load custom
rules for <application>ipfw</application> firewall. One is
by setting <literal>firewall_type</literal> variable to absolute
path of file, which contains <emphasis>firewall rules</emphasis>
without any command-line options for &man.ipfw.8; itself. A
simple examble of ruleset file can be following:</para>

<programlisting>add block in all
add block out all</programlisting>

<para>On the other hand, it is possible to set
<literal>firewall_script</literal> variable to absolute path of
executable script that includes <command>ipfw</command> commands
being executed at system boot time. A valid ruleset script that
would be equivalent to the ruleset file shown above would
be following:</para>

<programlisting>#!/bin/sh

ipfw -q flush

ipfw add block in all
ipfw add block out all</programlisting>

<note>
<para>If <literal>firewall_type</literal> is set to either
<literal>client</literal> or <literal>simple</literal>, the
default rules found in <filename>/etc/rc.firewall</filename>
should be reviewed to fit to the configuration of the given
machine. Also note that the examples used in this chapter
expect that the <literal>firewall_script</literal> is set to
<filename>/etc/ipfw.rules</filename>.</para>
</note>

<para>Enable logging:</para>

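Review bot: both sample rulesets use `block` as the rule action (`add block in all` / `add block out all` in the ruleset file, and `ipfw add block in all` / `ipfw add block out all` in the script), but `block` is pf syntax, not ipfw's; ipfw(8) spells this action `deny` (alias `drop`), so these lines would be rejected by the ipfw parser when /etc/rc.firewall or the script feeds them in, and a reader copying them would end up with no rules loaded. Suggest `add deny in all` / `add deny out all` and `ipfw add deny in all` / `ipfw add deny out all`, which also keeps the file and the script genuinely equivalent as the text claims. Smaller points in the added prose: "examble" should be "example", "A simple examble of ruleset file can be following:" reads better as "A simple example of such a ruleset file follows:", and "would be following:" as "would be as follows:"; "setting firewall_type variable to absolute path of file, which contains firewall rules" wants articles ("setting the firewall_type variable to the absolute path of a file containing firewall rules"). Finally, if the `<programlisting>firewall_script="/etc/ipfw.rules"</programlisting>` line is kept rather than removed (the rendered view shows no +/- markers), it now sits between "Available values for this setting are:" and the itemizedlist that those values belong to; the listing should move below the list, next to the paragraph that introduces firewall_script.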