NetBSD-Users archive


Re: Firewall OS choice



At 18:56:57.37 on 18-JUL-2010 in message
<AANLkTim40pWjgWxZ8vMbKxpncchImSIEpvnGGl6EG5--%mail.gmail.com@localhost>,
matthew sporleder <msporleder%gmail.com@localhost> wrote:

>On Sat, Jul 17, 2010 at 7:19 PM, Michael T. Davis
><DAVISM%ecr6.ohio-state.edu@localhost> wrote:
>>      We have an ancient firewall installed in one area running OpenBSD 2.8
>>and IPFilter v3.3.18.  It's hardware is configured as an "appliance," so
>>updating the software isn't all that straightforward (to put it nicely).  I am
>>contemplating upgrading the hardware, and switching to a BSD flavor that
>>continues to provide built-in support for IPFilter.  Besides NetBSD, I'm also
>>considering FreeBSD.  I realize the responses here will be somewhat biased
>>(;-), but is NetBSD a good choice for this application, esp. compared to
>>FreeBSD (or vice versa)?
>>
>>      On a related note, the support for IPFilter in NetBSD 5.0.2 doesn't
>>seem to provide a mechanism for specifying an alternate configuration file;
>>it's hardcoded to use /etc/ipf.conf and/or /etc/ipf6.conf.  With the ancient
>>IPFilter build in the aforementioned environment, there was native support
>>for specifying a different file.  I have modified /etc/rc.d/ipfilter and
>>/etc/rc.d/ipnat in NetBSD 5.0.2 to provide for specifying different
>>configuration files.  Where is the best place to post my diffs and allow
>>others to evaluate them?
>>
>
>NetBSD is a great choice and I thought you'd be able to override your
>config file with rc.conf's ipfilter_flags but then I looked at
>rc.d/ipfilter and saw tons of [ -f /etc/ipf.conf ], so I guess you'd
>have to adjust that while you're bringing your rules up to date with
>the newer ipf if you wanted to take full advantage of the script.  :)
>
>In general you can submit a pr with your changes.
>http://www.NetBSD.org/cgi-bin/sendpr.cgi?gndb=netbsd

        I guess that before I submit a PR, I have a general question.  Is
there any reason not to leverage the sh mechanism known as "parameter
expansion" (see sh(1))?  For example, in /etc/rc.d/ipnat, we have...

config="/etc/ipnat.conf"

I would like to provide for a user-specified file, so is there anything wrong
with this...?

config="${ipnat_conf:-/etc/ipnat.conf}"

If I'm understanding sh(1) correctly, this would allow for the specification
of a user-specified configuration file for ipnat by setting ipnat_conf (in
/etc/rc.conf, ideally); if this is not set, the default value of
"/etc/ipnat.conf" is used.

Thanks,
Mike
-- 
                                         | Manager for Networking, Admin.
         Michael T. Davis (Mike)         | & Research Computing: CBE/MSE
 http://www.ecr6.ohio-state.edu/~davism/ |   The Ohio State University
                                         |   197 Watts, (614) 292-6928
              ** E-mail is the best way to contact me **
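The following is an added example and not code from NetBSD's /etc/rc.d/ipnat or from Mike's diffs. It shows the ${var:-default} expansion from sh(1) doing what the message proposes, the difference between the two-character ":-" form and the one-character "-" form (which matters if someone sets ipnat_conf="" in rc.conf), and the existence check the earlier reply mentions applied to the resolved path instead of a literal. The variable names ipnat_conf and ipf_conf, and the helper functions, are assumptions for illustration; the default paths are the ones named in the thread.

```sh
#!/bin/sh
# Added example, not NetBSD's rc.d code: sh(1) parameter expansion as the
# mechanism for letting rc.conf override a hardcoded config path.
# "ipnat_conf" and "ipf_conf" are hypothetical rc.conf variable names.

# Resolve the ipnat rules file. ${ipnat_conf:-/etc/ipnat.conf} substitutes
# the default when ipnat_conf is unset OR set to the empty string.
ipnat_config_path() {
    printf '%s' "${ipnat_conf:-/etc/ipnat.conf}"
}

# Same idea for the ipf rules file.
ipf_config_path() {
    printf '%s' "${ipf_conf:-/etc/ipf.conf}"
}

# Contrast: the one-character form ${var-default} substitutes only when
# var is UNSET. An empty ipnat_conf="" is passed through as an empty file
# name, which is why the ":-" form is the safer choice in an rc script.
ipnat_config_path_unset_only() {
    printf '%s' "${ipnat_conf-/etc/ipnat.conf}"
}

# The [ -f ... ] guard from the stock script, applied to the resolved path
# rather than a literal. Returns 0 when the file is a readable regular file.
config_usable() {
    _cfg=$1
    [ -n "$_cfg" ] && [ -f "$_cfg" ] && [ -r "$_cfg" ]
}

# Build the argument string an rc script would hand to ipnat(8) (-C clears
# the NAT list, -F flushes active mappings, -f names the rules file). Fail
# loudly on a missing or misspelled override instead of running with it.
ipnat_load_args() {
    _cfg=$(ipnat_config_path)
    if config_usable "$_cfg"; then
        printf '%s' "-CF -f $_cfg"
    else
        printf 'ipnat: config file %s not found or unreadable\n' "$_cfg" >&2
        return 1
    fi
}
```

Setting ipnat_conf=/path/to/file in /etc/rc.conf is enough to redirect the load; leaving it out or setting it empty falls back to /etc/ipnat.conf, and a path that does not exist is reported rather than silently passed to ipnat.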

