Re: Firewall OS choice
At 18:56:57.37 on 18-JUL-2010 in message
sporleder <msporleder%gmail.com@localhost> wrote:
>On Sat, Jul 17, 2010 at 7:19 PM, Michael T. Davis
>> We have an ancient firewall installed in one area running OpenBSD 2.8
>>and IPFilter v3.3.18. Its hardware is configured as an "appliance," so
>>updating the software isn't all that straightforward (to put it nicely). I'm
>>contemplating upgrading the hardware, and switching to a BSD flavor that
>>continues to provide built-in support for IPFilter. Besides NetBSD, I'm also
>>considering FreeBSD. I realize the responses here will be somewhat biased
>>(;-), but is NetBSD a good choice for this application, esp. compared to
>>FreeBSD (or vice versa)?
>> On a related note, the support for IPFilter in NetBSD 5.0.2 doesn't
>>seem to provide a mechanism for specifying an alternate configuration file;
>>it's hardcoded to use /etc/ipf.conf and/or /etc/ipf6.conf. With the ancient
>>IPFilter build in the aforementioned environment, there was native support
>>for specifying a different file. I have modified /etc/rc.d/ipfilter and
>>/etc/rc.d/ipnat in NetBSD 5.0.2 to provide for specifying different
>>configuration files. Where is the best place to post my diffs and allow
>>others to evaluate them?
>NetBSD is a great choice and I thought you'd be able to override your
>config file with rc.conf's ipfilter_flags but then I looked at
>rc.d/ipfilter and saw tons of [ -f /etc/ipf.conf ], so I guess you'd
>have to adjust that while you're bringing your rules up to date with
>the newer ipf if you wanted to take full advantage of the script. :)
>In general you can submit a pr with your changes.
I guess that before I submit a PR, I have a general question. Is
there any reason not to leverage the sh mechanism known as "parameter
expansion" (see sh(1))? For example, in /etc/rc.d/ipnat, we have...
I would like to provide for a user-specified file, so is there anything wrong
If I'm understanding sh(1) correctly, this would allow for the specification
of a user-specified configuration file for ipnat by setting ipnat_conf (in
/etc/rc.conf, ideally); if this is not set, the default value of
"/etc/ipnat.conf" is used.
                                        | Manager for Networking, Admin.
Michael T. Davis (Mike)                 |   & Research Computing: CBE/MSE
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
                                        | 197 Watts, (614) 292-6928
** E-mail is the best way to contact me **
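The parameter-expansion approach proposed in the message above, as an added example that is not part of the original post or of the NetBSD rc.d scripts. It assumes the variable name ipnat_conf and the default /etc/ipnat.conf from the message; the function names, the readability check and the temporary demo file are constructed for illustration and are not what /etc/rc.d/ipnat actually contains.

```sh
#!/bin/sh
# Added example, not from the NetBSD rc.d scripts. Shows the sh(1) parameter
# expansion the message proposes: rc.conf may set ipnat_conf to an alternate
# file, and the default /etc/ipnat.conf is used when it is unset or empty.
# Function names and the demo file are constructed for illustration.

# Resolve the configuration path. ${ipnat_conf:-default} (with the colon)
# substitutes the default when ipnat_conf is unset OR empty, so a stray
# ipnat_conf="" in rc.conf still falls back to the shipped file; the
# colon-less ${ipnat_conf-default} would instead pass an empty path on.
ipnat_conf_path() {
    printf '%s\n' "${ipnat_conf:-/etc/ipnat.conf}"
}

# Print the resolved path only if it names a readable regular file; return
# non-zero otherwise so the caller can refuse to start with no rules loaded,
# rather than relying on a hard-coded [ -f /etc/ipf.conf ]-style test.
ipnat_conf_check() {
    conf=$(ipnat_conf_path)
    if [ ! -f "$conf" ] || [ ! -r "$conf" ]; then
        echo "ipnat: configuration file $conf not found or unreadable" >&2
        return 1
    fi
    printf '%s\n' "$conf"
}

# Demonstration: a temporary file stands in for the alternate file that an
# administrator would name in /etc/rc.conf. Each case runs in a subshell so
# the assignment does not leak into the caller's environment.
demo() {
    tmp=$(mktemp) || return 1
    printf '# constructed placeholder for an ipnat rule file\n' > "$tmp"
    (ipnat_conf=$tmp; ipnat_conf_check)                     # prints the temp path
    (unset ipnat_conf; ipnat_conf_path)                     # prints /etc/ipnat.conf
    (ipnat_conf=; ipnat_conf_path)                          # also /etc/ipnat.conf
    (ipnat_conf=/nonexistent/ipnat.conf; ipnat_conf_check) \
        || echo "refused to use a missing file, as intended"
    rm -f "$tmp"
}

demo
```

The colon form is the one to use in an rc.d script: an administrator who leaves `ipnat_conf=""` in rc.conf gets the shipped default rather than an empty path, and the existence check turns a silently empty rule set into a visible failure at boot.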