
Re: [cobalt-users] (CacheRaq2) IPFWADM Script Assistance Req'd - Linux Newbie Alert



On Fri, 23 Nov 2001, Accounts wrote:

> Hi Folks,
> 
> (All groans re being a newbie accepted - gotta start somewhere!)
> 
> I want to put some packet filters on our CacheRaq2 to block certain
> IPs - it's running kernel 2.0.x and therefore is using ipfw as opposed
> to ipchains.
> 
> Searching through the archives I have found a script which I can edit to
> do what I want I believe.
> 
> Found how to construct rules with ipfwadm at this site (in case anyone
> else might find it useful):
> http://www.xos.nl/linux/ipfwadm/paper/linuxfw2.html
> 
> The script from the archives just ends at the end of a particular rule.
> This is the script posted to the list a year ago:
> http://list.cobalt.com/pipermail/cobalt-users/2000-November/025781.html
> 
> I will be adding lines such as this to the script:
> #Refuse specific IPs - logging on (-o)
> /sbin/ipfwadm -I -a deny -S xxx.xxx.xxx.xxx -o
> /sbin/ipfwadm -I -a deny -S xxx.xxx.xxx.xxx -o
> 
> Question 1: Is there meant to be something at the end of the script to
> tell it to stop/exit? If there is please tell me what it/they are!
> (looking at the script that is already on the CacheRaq at
> /etc/rc.d/init.d/   there are things like 'exit 1' and 'esac' at the
> end)

no, esac closes case, if all you have is what's above, it's done, scripts
just stop when they run out of things to do ;)

> 
> Question 2: The above mentioned script (the one I am going to add) will
> go in /etc/rc.d/init.d/, does this mean it will be run automatically
> when the CacheRaq is rebooted?

no, see below

> 
> If the answer to 2 is no, what do I need to put, and where, to make this
> happen. IE How to make the ipfw rules permanent even when the machine is
> rebooted.
> 
> Question 3: There is a script already on the CacheRaq
> (etc/rc.d/init.d/cacheqube-ipfwadm.init), however when I do a ps ax |
> grep ipfw (or ipfwadm) it doesn't appear to be running (just shows the
> grep command) - am I trying to check it the correct way?

ipfw doesn't 'run' like a program, it just tells the kernel to 'set things
this way', so after it sets the rules, it leaves, there is no process to
see..

Ideally, you should look at the rules in that file, figure out what they
do, and if appropriate, add to them in there. The middle part is
important, adding rules without taking into account the other rules can
cause strange things to happen...

Also, be aware that ipfwadm has a nasty bug in it, if you add a rule,
and then remove it, and it's the last rule, it will completely stop working
until you reboot (it won't clear the rule), so don't fiddle too much when
testing...

pps: -o is probably a bad idea ;)

> 
> I don't have an old/extra machine I can test this on and want to make
> sure (as much as possible) that what I'm doing is right before I make
> any changes to the CacheRaq. (Yes I will be changing the names of the
> existing files and keeping them so that I can, hopefully, just switch
> back if the changes don't work).

Not if you lock yourself out by blocking the machine's own address, be
careful ;)

gsh
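The deny-list script the thread is about, written up as an added example (not code from either poster): it builds the `ipfwadm -I -a deny` rules in init.d style, validates each address, and refuses to install a rule for the machine's own address, which is the lock-out the reply warns about. It assumes an ipfwadm-era (kernel 2.0.x) host; SELF_IP and the blocked addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: ipfwadm deny list with a self-lock-out guard.
# SELF_IP and BLOCKED are constructed sample values, not real addresses.

SELF_IP="192.0.2.10"                                   # this box's own address
BLOCKED="198.51.100.7 192.0.2.10 300.1.1.1 203.0.113.42"   # one is us, one is malformed

# Return 0 only for a well-formed dotted-quad IPv4 address (0-255 per octet).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Print one ipfwadm command per address that passes the checks.
# The machine's own address is skipped so the admin can never lock itself out.
# Logging (-o) is deliberately left off, as the reply recommends.
build_rules() {
    for ip in $BLOCKED; do
        is_ipv4 "$ip" || { echo "skipping malformed address: $ip" >&2; continue; }
        if [ "$ip" = "$SELF_IP" ]; then
            echo "refusing to block own address: $ip" >&2; continue
        fi
        echo "/sbin/ipfwadm -I -a deny -S $ip"
    done
}

# Number of rules that would actually be installed.
rule_count() { build_rules 2>/dev/null | wc -l | tr -d ' '; }

# Feed the generated commands to the shell; ipfwadm sets kernel state and
# exits, so nothing stays running afterwards (the "no process to see" point).
apply_rules() {
    command -v /sbin/ipfwadm >/dev/null 2>&1 || { echo "ipfwadm not found" >&2; return 1; }
    build_rules | sh
}

# init.d-style entry point; the script simply ends after esac, no exit needed.
case "${1:-}" in
    start) apply_rules ;;
    show)  build_rules ;;
    *)     : ;;
esac
```

Run with `show` to review the rules before `start` installs them.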