Talk:Firewall, Configuring
Latest revision as of 14:10, 15 November 2010
ok, so how do you start and stop the firewall? In Linux it's a simple "iptables stop" (or start) -- or the Red Hat dumbed-down version is "service iptables stop"....curious how it's done in FreeBSD (haven't had a need to put a FW on one yet...)
--Dave 10:58, 6 Sep 2005 (EDT)
also, typo?
# let everything on your internal network talk to the firewall
        $cmd 01101 allow all from any to any via $iif keep-state
shouldn't this be
# let everything on your internal network talk to the firewall
        $cmd 01101 allow all from $inside to any via $iif keep-state
$inside to any via $iif
If you're concerned with preventing address spoofing FROM your internal network going OUT to the real world, yes.
I tend to prefer my firewalls to let me-the-user do pretty much anything I want to, as a general rule. It shouldn't really make a whole lot of difference, in practice. --Jimbo 00:13, 7 Sep 2005 (EDT)
starting and stopping the firewall
There isn't any real "omg this stops and starts it" sort of command - you just issue the rule commands you want, either directly from the command line or from a script.
For instance that ruleset in the article? Notice that the first line is #!/bin/sh - you guessed it, it's a Bourne shell script, so to start a firewall with that ruleset you would just run that script. You have to define what a "stopped" condition is before I can tell you how to "stop" the firewall. By "stop the firewall" do you mean "drop all traffic" or "pass all traffic"? --Jimbo 00:17, 7 Sep 2005 (EDT)
Start/stop
In this article, the IPFW is loaded via the kernel; if the firewall was loaded via kernel module, you could issue a "kldunload ipfw.ko".
dunno about running it as a module
Never tried. Everything I read said that you *needed* to build an ipfw kernel, that many things just didn't work properly when you tried to kldload it as a module. I'm not saying I know for a fact that it won't work, just that that's what I've read, and that I haven't tried anything otherwise.
Also, with that said - if you DID build it into the kernel, there IS no such thing as "stopping the firewall" in the manner of kldunloading a module. If it's built into the kernel, the firewall is ALWAYS running - "up" or "down" is a matter of what the ruleset is, not of actually "stopping" a service or daemon. --Jimbo 21:09, 7 Sep 2005 (EDT)
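The two threads above (the "from any" versus "from $inside" rule, and what "stop" means when ipfw is built into the kernel) can be shown together in one small script. This is an added example, not the article's ruleset and not written by anyone in this discussion; it follows the article's #!/bin/sh style but turns $cmd into a shell function so the script can be dry-run. The interface name em1, the inside network 192.168.1.0/24 and the rule numbers 01102 and 65000 are assumptions; it also assumes the stock default rule 65535 is deny (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT).

```shell
#!/bin/sh
# Added example (not the article's ruleset): an ipfw script in the same
# #!/bin/sh style, showing the anti-spoofing form of rule 01101 discussed
# above and the two meanings of "stop" for a firewall compiled into the kernel.
# Assumed values, not taken from the page: inside interface em1, inside network
# 192.168.1.0/24, rule numbers 01102 and 65000. Assumes default rule 65535 is
# "deny" (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT).

IPFW="${IPFW:-/sbin/ipfw}"   # point this at a wrapper function or `echo` to dry-run
iif="em1"                    # inside (LAN-facing) interface, assumed name
inside="192.168.1.0/24"      # addresses that legitimately sit behind $iif, assumed

# Same role as the article's $cmd variable, but a function so that $IPFW is
# looked up each time a rule is added rather than once when the script starts.
cmd() { $IPFW -q add "$@"; }

fw_start() {
    $IPFW -q flush   # -q also suppresses the "Are you sure?" prompt
    # As proposed in the thread: only sources inside the LAN may open
    # connections through the inside interface; keep-state lets replies back in.
    cmd 01101 allow all from "$inside" to any via "$iif" keep-state
    # Anything arriving on the inside interface from another source address is
    # spoofed or misconfigured: log it and drop it here, before any looser rule
    # further down could pass it.
    cmd 01102 deny log all from any to any in via "$iif"
    # ... rules for the outside interface follow here, as in the article.
}

# "Stop" read as "drop all traffic": with the rules flushed, only default rule
# 65535 (deny) remains, so flushing is the whole job.
fw_stop_closed() {
    $IPFW -q flush
}

# "Stop" read as "pass all traffic": flush, then put an explicit allow-everything
# rule in front of the default deny.
fw_stop_open() {
    $IPFW -q flush
    cmd 65000 allow ip from any to any
}

case "${1:-}" in
    start)       fw_start ;;
    stop-closed) fw_stop_closed ;;
    stop-open)   fw_stop_open ;;
esac
```

Run it as `sh fw.sh start`, `sh fw.sh stop-open` or `sh fw.sh stop-closed`; with `IPFW=echo sh fw.sh start` it prints the ipfw commands instead of installing them, which is a cheap way to review a ruleset before it touches a box you are logged into remotely.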
