ipf.rules empty after sh /etc/ipf.rules.script

mystery...@gmail.com

Feb 24, 2006, 7:29:09 PM
I'm going through the FreeBSD handbook about IPFilter.
So far it's all enabling like it should. The thing I don't understand
is this:

The handbook says to add this with your own IP details to a file
ipf.rules.script:

oif="dc0" # name of the outbound interface
odns="192.0.2.11" # ISP's DNS server IP address
myip="192.0.2.7" # my static IP address from ISP
ks="keep state"
fks="flags S keep state"

I did that, nothing weird yet.

Then it gives an option:

# You can choose between building /etc/ipf.rules file
# from this script or running this script "as is".
#
# Uncomment only one line and comment out another.
#
# 1) This can be used for building /etc/ipf.rules:
#cat > /etc/ipf.rules << EOF
#
# 2) This can be used to run script "as is":
/sbin/ipf -Fa -f - << EOF

# Allow out access to my ISP's Domain name server.
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF

So I decided to go for option 1 and commented out the line:

cat > /etc/ipf.rules <<EOF

Then I took the ruleset from option 2 to put into ipf.rules (not
ipf.rules.script).
So my ipf.rules looks like:

#### START RULESET
# Allow out access to my ISP's Domain name server.
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF
#### END RULESET

Now what happens is that the handbook says to use the command:
sh /etc/ipf.rules.script

to load/reload the script each time after editing the ipf.rules file.

So I reloaded the script and then my ipf.rules file goes empty!
I request the rules from ipfstat -in and ipfstat -on and find that
there are no rules.

What am I not doing right?

Best regards,
MD
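Added example, not part of the original post: the handbook's option 1 with the ruleset left inside the script's heredoc, so the shell expands $oif, $odns, $myip, $ks and $fks while writing /etc/ipf.rules, and a small check that the written file is non-empty, contains no unexpanded variables and no stray EOF line before it is handed to ipf. The output path, the check function and its rule count are my own additions; the loading command is the handbook's.

```shell
#!/bin/sh
# Added example: option 1 of the handbook script. The rules stay inside
# the heredoc so that the shell substitutes the variables as it writes
# the file; the heredoc terminator itself is never written.
oif="dc0"                 # name of the outbound interface
odns="192.0.2.11"         # ISP's DNS server IP address
myip="192.0.2.7"          # my static IP address from ISP
ks="keep state"
fks="flags S keep state"

# build_rules FILE: write the expanded ruleset to FILE (option 1).
build_rules() {
    cat > "$1" << EOF
# Allow out access to my ISP's Domain name server.
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF
}

# check_rules FILE: sanity checks before loading. Fails (returns 1) if
# the file is empty, still contains a '$' (variable not expanded),
# carries a bare EOF line, or does not hold the four expected pass rules.
check_rules() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '\$' "$f" && return 1
    grep -qx 'EOF' "$f" && return 1
    [ "$(grep -c '^pass ' "$f")" -eq 4 ] || return 1
    return 0
}

# Build into a scratch file by default (assumed path, not the handbook's),
# verify it, then on the real host load it the handbook way:
#   /sbin/ipf -Fa -f /etc/ipf.rules
rules_file="${1:-${TMPDIR:-/tmp}/ipf.rules.example}"
build_rules "$rules_file"
if check_rules "$rules_file"; then
    echo "ruleset OK: $rules_file"
else
    echo "ruleset check failed: $rules_file" >&2
fi
```

Run it with a path argument to write elsewhere; only after check_rules passes is the file worth feeding to ipf -f.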
