Re: Firewall OS choice

To: netbsd-users%netbsd.org@localhost
Subject: Re: Firewall OS choice
From: "Michael T. Davis" <DAVISM%ecr6.ohio-state.edu@localhost>
Date: Wed, 21 Jul 2010 11:07:00 -0400 (EDT)

At 18:56:57.37 on 18-JUL-2010 in message
<AANLkTim40pWjgWxZ8vMbKxpncchImSIEpvnGGl6EG5--%mail.gmail.com@localhost>, 
matthew
sporleder <msporleder%gmail.com@localhost> wrote:

>On Sat, Jul 17, 2010 at 7:19 PM, Michael T. Davis
><DAVISM%ecr6.ohio-state.edu@localhost> wrote:
>>      We have an ancient firewall installed in one area running OpenBSD 2.8
>>and IPFilter v3.3.18.  It's hardware is configured as an "appliance," so
>>updating the software isn't all that straightforward (to put it nicely).  I
 am
>>contemplating upgrading the hardware, and switching to a BSD flavor that
>>continues to provide built-in support for IPFilter.  Besides NetBSD, I'm also
>>considering FreeBSD.  I realize the responses here will be somewhat biased
>>(;-), but is NetBSD a good choice for this application, esp. compared to
>>FreeBSD (or vice versa)?
>>
>>      On a related note, the support for IPFilter in NetBSD 5.0.2 doesn't
>>seem to provide a mechanism for specifying an alternate configuration file;
>>it's hardcoded to use /etc/ipf.conf and/or /etc/ipf6.conf.  With the ancient
>>IPFilter build in the aforementioned environment, there was native support
>>for specifying a different file.  I have modified /etc/rc.d/ipfilter and
>>/etc/rc.d/ipnat in NetBSD 5.0.2 to provide for specifying different
>>configuration files.  Where is the best place to post my diffs and allow
>>others to evaluate them?
>>
>
>NetBSD is a great choice and I thought you'd be able to override your
>config file with rc.conf's ipfilter_flags but then I looked at
>rc.d/ipfilter and saw tons of [ -f /etc/ipf.conf ], so I guess you'd
>have to adjust that while you're bringing your rules up to date with
>the newer ipf if you wanted to take full advantage of the script.  :)
>
>In general you can submit a pr with your changes.
>http://www.NetBSD.org/cgi-bin/sendpr.cgi?gndb=netbsd

        I guess that before I submit a PR, I have a general question.  Is
there any reason not to leverage the sh mechanism known as "parameter
expansion" (see sh(1)).  For example, in /etc/rc.d/ipnat, we have...

config="/etc/ipnat.conf"

I would like to provide for a user-specified file, so is there anything wrong
with this...?

config="${ipnat_conf:-/etc/ipnat.conf}"

If I'm understanding sh(1) correctly, this would allow for the specification
of a user-specified configuration file for ipnat by setting ipnat_conf (in
/etc/rc.conf, ideally); if this is not set, the default value of
"/etc/ipnat.conf" is used.

Thanks,
Mike
-- 
                                         | Manager for Networking, Admin.
         Michael T. Davis (Mike)         | & Research Computing: CBE/MSE
 http://www.ecr6.ohio-state.edu/~davism/ |   The Ohio State University
                                         |   197 Watts, (614) 292-6928
              ** E-mail is the best way to contact me **

Follow-Ups:
- Re: Firewall OS choice
  - From: Martin Husemann

Prev by Date: Re: i386: Issues with flash in firefox
Next by Date: Re: Firewall OS choice
Previous by Thread: Re: Firewall OS choice
Next by Thread: Re: Firewall OS choice
Indexes:

Home | Main Index | Thread Index | Old Index