Yes Virginia, you can enable firewalls from /etc/rc.conf.
PR: docs/10388 (Dima Sivachenko dima@Chg.RU)
parent d6f67f3455
commit f81e290e56
Notes: svn2git 2020-12-08 03:00:23 +00:00, svn path=/head/; revision=4946
3 changed files with 39 additions and 60 deletions
@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$Id: chapter.sgml,v 1.14 1999-05-16 13:26:28 nik Exp $
$Id: chapter.sgml,v 1.15 1999-05-25 17:05:50 hoek Exp $
-->
<chapter id="security">
@ -1529,25 +1529,18 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
is located on.</para>
</note>
<para>As currently supplied, FreeBSD does not have the ability to load
firewall rules at boot time. My suggestion is to put a call to a
shell script in the <filename>/etc/netstart</filename> script. Put
the call early enough in the netstart file so that the firewall is
configured before any of the IP interfaces are configured. This means
that there is no window during which time your network is open.</para>
<para>The actual script used to load the rules is entirely up to you.
There is currently no support in the <command>ipfw</command> utility
for loading multiple rules in the one command. The system I use is to
use the command:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>to write a list of the current rules out to a file, and then use a
text editor to prepend <literal>ipfw </literal> before all the lines.
This will allow the script to be fed into /bin/sh and reload the rules
into the kernel. Perhaps not the most efficient way, but it
works.</para>
<para>You should enable your firewall from
<filename>/etc/rc.conf.local</filename> or
<filename>/etc/rc.conf</filename>. The associated manpage explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, <command>ipfw list</command>
will output the current ruleset into a file that you can
pass to <filename>rc.conf</filename>. If you do not use
<filename>/etc/rc.conf.local</filename> or
<filename>/etc/rc.conf</filename> to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.
</para>
<para>The next problem is what your firewall should actually
<emphasis>do</emphasis>! This is largely dependent on what access to
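Review bot: the new sentence "ipfw list will output the current ruleset into a file that you can pass to rc.conf" is imprecise on both ends: ipfw list writes to standard output, so the reader has to redirect it into a file themselves (e.g. `ipfw list > /etc/ipfw.rules`, path chosen here only as an illustration), and nothing is "passed to rc.conf"; the file is named in one of the rc.conf(5) knobs that the preceding sentence only alludes to as "which knobs to fiddle". Name the knobs outright (firewall_enable to turn the firewall on and firewall_type, which is what takes either a preset name or a filename) so the reader does not have to go to the manpage to find out what to set. Also worth checking before this lands: the removed text needed `ipfw ` prepended to every ipfw list line before the output could be replayed, so say explicitly whether the rc script accepts ipfw list output verbatim or whether the reader must still edit the file. Finally, the removed paragraphs made the security property explicit (rules loaded before any IP interface is configured, so there is no window in which the host is open); the new text states that requirement only for the case where rc.conf is not used, and one sentence confirming that the rc.conf path satisfies it would preserve the point the old text was making.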