ipfw rules in bash script

Is it a good idea to put all rules in one single .sh file? So when I want to make some changes, I will edit this file, and start/restart it. File will begin with something like:

Code:
#!/bin/sh
/sbin/ipfw -q -f flush
/sbin/ipfw -q -f resetlog
/sbin/ipfw -q -f zero

And one more question: my ipfw restricts all connections by default. I have added 200-300 rules. What will happen if rule 300 is
Code:
allow all from any to 192.168.1.20
and I start/restart this .sh file? Will packets be lost (the .sh file starts with flush), or is this delete/add fast enough that all will be fine?
Thanks
 
Don't do it like that. There is a startup script in /etc/rc.d/ipfw which you can use to (re)start the firewall. It will disable the firewall, reload it, and enable it again.

In /etc/rc.conf, put:

Code:
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/usr/local/etc/rc.firewall" # Which script to run to set up the firewall
firewall_logging="YES"          # Set to YES to enable events logging

And then /usr/local/etc/rc.firewall contains:

Code:
#!/bin/sh

fwcmd="/sbin/ipfw -q"

${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
${fwcmd} add pass tcp from any to any established

# SERVICES: SMTP, HTTP, POP, IMAP, HTTPS, SMTPS, IMAPS, POP3S
${fwcmd} add pass tcp from any to me 25,110,143,465,993,995 setup

# VPN
${fwcmd} add pass udp from any to me 1194 keep-state
${fwcmd} add pass log ip from any to any via tun0

.. and so on.
 
frijsdijk said:
Don't do it like that. There is a startup script in /etc/rc.d/ipfw which you can use to (re)start the firewall. It will disable the firewall, reload it, and enable it again.

Actually, doing it like that works perfectly fine, so long as you know what you are doing, and have a nice, coherent ruleset. In fact, it's what we do at $JOB.

It's especially handy on firewalls that handle NAT for several dozen IPs:
  • a central firewall.conf file that holds all common variables, interface names, subnets, ports, etc
  • a central firewall.sh that pulls in the .conf file, clears ipfw rules, tables, dummynet configs, etc, handles the rules for the firewall box itself, and then calls out to other files
  • separate files for each public IP address, to keep the rules neatly organised

Once you actually start doing interesting things with IPFW (multiple NAT instances, dummynet pipes/queues, tables, etc), the included firewall scripts don't cut it anymore. They're too simplistic, and geared more toward a host-based ruleset and not a network gateway ruleset.
 
Sure. But when NAT becomes a big part of the setup, I'd prefer to use pf over ipfw.

And running a script that flushes the firewall can lock you out if it's properly configured (deny all from any to any).
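The opening post asks whether packets are lost while the script flushes and re-adds rules, and the reply above notes that a flush can lock you out of a deny-by-default box. ipfw rule sets avoid both problems: build the new rules in a disabled set, then swap it with the live set 0 in one atomic operation, so there is never a moment with no rules loaded. The script below is an added example, not code from this thread; its rules are the ones frijsdijk posted above, while the set number, the DRY_RUN switch and the fw() wrapper are choices made for this example.

```shell
#!/bin/sh
# Reload an ipfw ruleset without a deny-all gap: stage the new rules in a
# disabled set, then swap it with the live set 0 in one atomic operation.
# Added example; STAGE, DRY_RUN and the fw() wrapper are this example's own.
set -eu

STAGE=18                 # scratch set: must not be 0 (live) or 31 (default rule)
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints the ipfw commands instead of running them

fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# The ruleset. Every rule carries "set $STAGE" so it is inactive until the swap.
add_rules() {
    fw add 100 set "$STAGE" allow all from any to any via lo0
    fw add 200 set "$STAGE" deny all from any to 127.0.0.0/8
    fw add 300 set "$STAGE" deny ip from 127.0.0.0/8 to any
    fw add 400 set "$STAGE" allow tcp from any to any established
    fw add 500 set "$STAGE" allow tcp from any to me 25,110,143,465,993,995 setup
    fw add 600 set "$STAGE" allow udp from any to me 1194 keep-state
    fw add 700 set "$STAGE" allow ip from any to any via tun0
    # Explicit catch-all, so the policy does not depend on the kernel's default rule.
    fw add 65000 set "$STAGE" deny log all from any to any
}

reload_firewall() {
    fw set disable "$STAGE"                     # staging set sees no traffic
    fw delete set "$STAGE" 2>/dev/null || true  # clear leftovers from an aborted run
    add_rules
    fw set swap "$STAGE" 0                      # atomic: staged rules become live set 0
    fw delete set "$STAGE" 2>/dev/null || true  # old rules now sit in STAGE; drop them
}

case "${1:-}" in
    apply)   reload_firewall ;;
    dry-run) DRY_RUN=1; reload_firewall ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Unlike a flush, this leaves tables and dummynet pipes untouched, so if your setup uses them (as in phoenix's layout above) they need to be rebuilt separately.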
 