NetBSD-Users archive


Re: Firewall OS choice

At 18:56:57.37 on 18-JUL-2010 in message
sporleder <> wrote:

>On Sat, Jul 17, 2010 at 7:19 PM, Michael T. Davis
><> wrote:
>>      We have an ancient firewall installed in one area running OpenBSD 2.8
>>and IPFilter v3.3.18.  Its hardware is configured as an "appliance," so
>>updating the software isn't all that straightforward (to put it nicely).  I'm
>>contemplating upgrading the hardware, and switching to a BSD flavor that
>>continues to provide built-in support for IPFilter.  Besides NetBSD, I'm also
>>considering FreeBSD.  I realize the responses here will be somewhat biased
>>(;-), but is NetBSD a good choice for this application, esp. compared to
>>FreeBSD (or vice versa)?
>>      On a related note, the support for IPFilter in NetBSD 5.0.2 doesn't
>>seem to provide a mechanism for specifying an alternate configuration file;
>>it's hardcoded to use /etc/ipf.conf and/or /etc/ipf6.conf.  With the ancient
>>IPFilter build in the aforementioned environment, there was native support
>>for specifying a different file.  I have modified /etc/rc.d/ipfilter and
>>/etc/rc.d/ipnat in NetBSD 5.0.2 to provide for specifying different
>>configuration files.  Where is the best place to post my diffs and allow
>>others to evaluate them?
>NetBSD is a great choice and I thought you'd be able to override your
>config file with rc.conf's ipfilter_flags but then I looked at
>rc.d/ipfilter and saw tons of [ -f /etc/ipf.conf ], so I guess you'd
>have to adjust that while you're bringing your rules up to date with
>the newer ipf if you wanted to take full advantage of the script.  :)
>In general you can submit a pr with your changes.

        I guess that before I submit a PR, I have a general question.  Is
there any reason not to leverage the sh mechanism known as "parameter
expansion" (see sh(1))?  For example, in /etc/rc.d/ipnat, we have...


I would like to provide for a user-specified file, so is there anything wrong
with this...?


If I'm understanding sh(1) correctly, this would allow for the specification
of a user-specified configuration file for ipnat by setting ipnat_conf (in
/etc/rc.conf, ideally); if this is not set, the default value of
"/etc/ipnat.conf" is used.

Michael T. Davis (Mike) | Manager for Networking, Admin. & Research Computing: CBE/MSE | The Ohio State University | 197 Watts, (614) 292-6928
              ** E-mail is the best way to contact me **
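The parameter-expansion default discussed in the message, as an added example (not code from the thread and not NetBSD's own rc.d/ipnat); `ipnat_conf` is the assumed rc.conf variable name, and the two functions are illustrative helpers.

```shell
#!/bin/sh
# Added example (not from the thread and not NetBSD's rc.d/ipnat): the
# sh(1) parameter-expansion default proposed in the message. "ipnat_conf"
# is the hypothetical rc.conf variable; resolve_ipnat_conf prints the path
# the script would load, and check_ipnat_conf mirrors the [ -f ] guard.

# In a real rc.d script this must run after load_rc_config, which is what
# sources /etc/rc.conf; expand earlier and the user's value is never seen.
resolve_ipnat_conf() {
    # ":-" substitutes the default when ipnat_conf is unset OR empty, so an
    # empty "ipnat_conf=" line in rc.conf still yields the stock file.
    printf '%s\n' "${ipnat_conf:-/etc/ipnat.conf}"
}

# Only report success if the chosen file is a readable regular file, so a
# typo in rc.conf is reported rather than silently ignored.
check_ipnat_conf() {
    conf=$(resolve_ipnat_conf)
    if [ -f "$conf" ] && [ -r "$conf" ]; then
        return 0
    fi
    echo "ipnat: configuration file $conf not found" >&2
    return 1
}
```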
