Re: my lame attempt at a shell script...
On 2005-01-07 09:36, Tom Vilot <[EMAIL PROTECTED]> wrote:
>Eric F Crist wrote:
>> What is the point of the { } around some variables?
>
> It's not strictly necessary, except in some cases. i.e:
>
> m=34
> echo $m
>
> You don't need it there.
> But you would want it here:
>
> f=/var/filename
> fname=${f//name/name2}

Or when characters adjacent to the variable name may be difficult to
separate from the name itself:

    disk="ad0"
    slice="${disk}s1"
    partition="${slice}a"

    # echo "${disk} ${partition} ${slice}"

- Giorgos

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: my lame attempt at a shell script...
Eric F Crist wrote:
> What is the point of the { } around some variables?

It's not strictly necessary, except in some cases. i.e:

    m=34
    echo $m

You don't need it there.
But you would want it here:

    f=/var/filename
    fname=${f//name/name2}

It's when you need to differentiate the variable name from operations
around it ... for want of a better explanation
Re: my lame attempt at a shell script...
On Jan 6, 2005, at 11:00 PM, Tom Vilot wrote:
> Eric F Crist wrote:
>> What is the point of the { } around some variables?
>
> It's not strictly necessary, except in some cases. i.e:
>
> m=34
> echo $m
>
> You don't need it there.
> But you would want it here:
>
> f=/var/filename
> fname=${f//name/name2}
>
> It's when you need to differentiate the variable name from operations
> around it ... for want of a better explanation

a good explanation.

When I'm being particularly fussy about a script, I'll use

    echo "${m}"

just in case $m has some unexpected characters in it such as a space ! $ *
etc which can really screw things up.

TjL
Re: my lame attempt at a shell script...
On Jan 6, 2005, at 7:28 PM, Tom Vilot wrote:
> Eric F Crist wrote:
>> First off, thanks again for all the help you've offered thus far.
>>
>> That being said, I'm having a problem with variables in a function.
>> The code I'm having a problem with is:
>>
>> setup_loopback () {
>>     ${fwcmd} add ${rulenum1} pass all from any to any via lo0;
>>     ${rulenum1}=`expr $rulenum1 + 50`
>>     ${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8;
>>     ${rulenum1}=`expr $rulenum1 + 50`
>>     ${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any;
>>     ${rulenum1}=`expr $rulenum1 + 50`
>> }
>>
>> The output of this, when run, is:
>>
>> 00050 allow ip from any to any via lo0
>> 50=100: not found
>> 00050 deny ip from any to 127.0.0.0/8
>> 50=100: not found
>> 00050 deny ip from 127.0.0.0/8 to any
>> 50=100: not found
>>
>> This tells me that it's doing the math correctly, but it's not
>> reassigning the calculated value back to the variable. Any pointers?
>
> this is a very common mistake and is one of those things about sh and
> bash that drives me batty, too.
>
> You're thinking like perl. :c)
>
> Stripping it down to a test script, I have this:
>
> -
> rulenum=50
> rulenum=`$rulenum + 50`
> echo $rulenum

What is the point of the { } around some variables?

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
Eric F Crist wrote:
> First off, thanks again for all the help you've offered thus far.
>
> That being said, I'm having a problem with variables in a function.
> The code I'm having a problem with is:
>
> setup_loopback () {
>     ${fwcmd} add ${rulenum1} pass all from any to any via lo0;
>     ${rulenum1}=`expr $rulenum1 + 50`
>     ${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8;
>     ${rulenum1}=`expr $rulenum1 + 50`
>     ${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any;
>     ${rulenum1}=`expr $rulenum1 + 50`
> }
>
> The output of this, when run, is:
>
> 00050 allow ip from any to any via lo0
> 50=100: not found
> 00050 deny ip from any to 127.0.0.0/8
> 50=100: not found
> 00050 deny ip from 127.0.0.0/8 to any
> 50=100: not found
>
> This tells me that it's doing the math correctly, but it's not
> reassigning the calculated value back to the variable. Any pointers?

this is a very common mistake and is one of those things about sh and
bash that drives me batty, too.

You're thinking like perl. :c)

Stripping it down to a test script, I have this:

-
    rulenum=50
    rulenum=`expr $rulenum + 50`
    echo $rulenum

I believe that is what you are after.

When you *assign* you don't use $
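The function from the question with the assignment written the way the reply describes, as an added example that is not part of any message in the thread. `fwcmd` is stubbed with `echo` so it runs without ipfw, and the helpers `add_rule` and `broken_assignment_status` and the variable `step` are made up for the illustration.

```shell
#!/bin/sh
# fwcmd is stubbed with echo so this runs without ipfw or root; on the
# firewall host it would be the real command, e.g. fwcmd="/sbin/ipfw".
fwcmd="echo ipfw"
rulenum1=50
step=50

# What the original line does: ${rulenum1}=... is expanded before the
# shell decides what kind of word it is, so it is not an assignment. The
# shell looks for a command literally named "50=100" (exit status 127).
broken_assignment_status() {
    st=0
    ( ${rulenum1}=100 ) 2>/dev/null || st=$?
    echo "$st"
}

# Add one rule at the current number, then advance the counter.
add_rule() {
    # ${fwcmd} is left unquoted on purpose so "echo ipfw" splits in two.
    ${fwcmd} add "${rulenum1}" "$@"
    # The name on the left of "=" carries no "$"; "$" only reads a value.
    rulenum1=$((rulenum1 + step))
    # The same with expr:  rulenum1=`expr "$rulenum1" + "$step"`
}

setup_loopback() {
    add_rule pass all from any to any via lo0
    add_rule deny all from any to 127.0.0.0/8
    add_rule deny ip from 127.0.0.0/8 to any
}

setup_loopback
echo "next free rule number: ${rulenum1}"
echo "exit status of \${rulenum1}=100: $(broken_assignment_status)"
```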
Re: my lame attempt at a shell script...
Ok all.

First off, thanks again for all the help you've offered thus far.

That being said, I'm having a problem with variables in a function.
The code I'm having a problem with is:

    setup_loopback () {
        ${fwcmd} add ${rulenum1} pass all from any to any via lo0;
        ${rulenum1}=`expr $rulenum1 + 50`
        ${fwcmd} add ${rulenum1} deny all from any to 127.0.0.0/8;
        ${rulenum1}=`expr $rulenum1 + 50`
        ${fwcmd} add ${rulenum1} deny ip from 127.0.0.0/8 to any;
        ${rulenum1}=`expr $rulenum1 + 50`
    }

The output of this, when run, is:

    00050 allow ip from any to any via lo0
    50=100: not found
    00050 deny ip from any to 127.0.0.0/8
    50=100: not found
    00050 deny ip from 127.0.0.0/8 to any
    50=100: not found

This tells me that it's doing the math correctly, but it's not
reassigning the calculated value back to the variable. Any pointers?

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
On Mon, Jan 03, 2005 at 05:28:56PM -0600, Eric F Crist wrote:
> A couple more questions, then I'm done. Promise.
>
> I need to verify whether or not there is an entry for grog_firewall_oif
> and grog_firewall_iif in /etc/rc.conf. If not, I want to exit with an
> error.

Read /etc/rc.conf into your script's namespace using the syntax already
discussed in this thread (`. /etc/defaults/rc.conf'), and you can then
test for the existence of any variable it defines (or doesn't define):

    if [ -n "${grog_firewall_iif}" ]
    then
        # Do stuff if ${grog_firewall_iif} is set
    else
        # Do stuff if ${grog_firewall_iif} is NOT set
    fi

Or, to reverse the logic, use [ -z "${grog_firewall_iif}" ]

    if [ -z "${grog_firewall_iif}" ]
    then
        # Do stuff if ${grog_firewall_iif} is NOT set
    else
        # Do stuff if ${grog_firewall_iif} is set
    fi

> Also, a little more advanced, I need to pull information from an
> ifconfig output. I need to pull network numbers for both the internal
> interface, as well as external interface. For example,
>
> vr0: flags=8843 mtu 1500
> inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
> inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
> ether 00:0e:a6:b9:2d:3d
> media: Ethernet autoselect (100baseTX )
> status: active
>
> I don't actually need my own address, I need to be able to figure out
> that the system, based on the above output, is on the 192.168.1.0/24
> network. This will be input into my firewall rulesets.
>
> I imagine that there's a util or command around that can do this, or I
> can code out the math, but there's got to be an easier way.

ipfw(8) can understand the netmask in hex format, so you can simply say:

    ii_nw=$(ifconfig "${grog_firewall_iif}" | awk '/inet/ {print $2":"$4}')

${ii_nw} will now contain something like "192.168.37.23:0xff00", which
you can safely pass to ipfw(8):

    (2)[EMAIL PROTECTED]:~] ---># ipfw add 900 allow ip from any to 192.168.37.23:0xff00
    00900 allow ip from any to 192.168.0.0/24

HTH

Dan

--
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
ASCII ribbon campaign - against HTML, vCards and proprietary
attachments in e-mail
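A fuller version of the "source it, then test with -n/-z" check from the reply above, as an added example that is not part of any message in the thread. The function name `missing_vars` and the two sample files, which stand in for /etc/rc.conf, are constructed for the illustration.

```shell
#!/bin/sh
# missing_vars FILE NAME...
# Source FILE in a subshell and print every NAME that is unset or empty.
# Exit status: 0 = all set, 1 = something missing, 2 = bad input.
missing_vars() (
    _conf=$1; shift
    [ -r "$_conf" ] || exit 2
    # rc.conf is shell code: sourcing it runs whatever it contains, so it
    # should be a root-owned file that only root can write.
    . "$_conf"
    _rc=0
    for _name in "$@"; do
        # Only plain identifiers may reach eval.
        case $_name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) exit 2 ;;
        esac
        eval "_val=\${$_name:-}"
        if [ -z "$_val" ]; then
            printf '%s\n' "$_name"
            _rc=1
        fi
    done
    exit "$_rc"
)

# Constructed sample files standing in for /etc/rc.conf.
good_conf=$(mktemp) bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
grog_firewall_enable="YES"
grog_firewall_oif="ath0"
grog_firewall_iif="vr0"
EOF
# Here the name appears twice in the file but ends up with no value.
cat > "$bad_conf" <<'EOF'
grog_firewall_oif="ath0"
#grog_firewall_iif="vr0"
grog_firewall_iif=""
EOF

for f in "$good_conf" "$bad_conf"; do
    if missing=$(missing_vars "$f" grog_firewall_oif grog_firewall_iif); then
        echo "ok: both interfaces are set"
    else
        # A real firewall script would "exit 1" here.
        echo "error: not set in rc.conf: $missing" >&2
    fi
done
```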
Re: my lame attempt at a shell script...
On Jan 3 at 13:44, Timothy Luoma launched this into the bitstream:
> On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:
>> I'm trying to create a shell script for firewalling. What I'm hoping
>> to do is create a generic script that looks for variables in
>> /etc/rc.conf. I've tried looking at other scripts that use variables
>> placed there, but don't understand how to pull the information from
>> the file.
>
> Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts
> for a long time.

Take note, he is *really* not exaggerating!!

> What specifically are you trying to pull out of /etc/rc.conf?
>
> ps - that said, why aren't you setting firewall configuration once and
> leaving it alone?

Yeah, I wondered about that too, unless there's something particular to
that local configuration it sort of seems like reinventing the wheel.

BTW, welcome to FreeBSD Tim! You have been assimilated etc. :-)
Re: my lame attempt at a shell script...
Eric F Crist wrote:
> Sorry for the double reply, but I forgot to respond to the top half of
> this email. By including /etc/rc.subr, what exactly do I gain? There
> are already built-in means to execute a custom firewall script:
>
> I would assume that the system would institute my firewall rules at the
> correct stage of startup, and thus, don't really want to mess with
> that. Please enlighten me as to rc.subr and its benefits. I'm new to
> shell scripting, and I need all the knowledge I can gain.

Including rc.subr has become the standard way of creating scripts for
startup of services, rc.diskless has been replaced by initdiskless in
rc.d, there are scripts ipfw, ip6fw, ipfilter, and pf for the various
firewall options,

Currently, ipfw/ip6fw calls rc.firewall/rc.firewall6 respectively. I
wouldn't count on rc.firewall to be available in future versions, it
would make sense that these are merged into ipfw/ip6fw.

rc.subr contains some neat functions, use warn, and your warning is also
logged using logger, rc.subr automatically pulls defaults/rc.conf and
rc.conf for you, contains the control switch statement you'd otherwise
have to write yourself, and lots of other goodies, see rc.subr(8).

Of course, if you are just writing one script, you might find it too
much trouble, but since this is the standard recommended way of doing
what you want to do, you win in the long run on maintainability.

Really, what you gain is that you can focus on writing the stuff that
makes your script different, rather than writing all the trivialities
all scripts need.

Cheers, Erik

PS: Sorry about that wildshot, " = " for assignment/comparison - too
much Perl, C etc. here... :-)

--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 11:22 PM, Eric F Crist wrote:
> On Jan 3, 2005, at 8:21 PM, Timothy Luoma wrote:
>> On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
>>> A couple more questions, then I'm done. Promise.
>>>
>>> I need to verify whether or not there is an entry for
>>> grog_firewall_oif and grog_firewall_iif in /etc/rc.conf. If not, I
>>> want to exit with an error.
>>
>> You want to check for either "grog_firewall_oif" or
>> "grog_firewall_iif" in /etc/rc.conf
>>
>> egrep -v "^#" /etc/rc.conf |\
>> egrep -q "grog_firewall_oif | grog_firewall_iif" || (echo "$0" ; exit 1)
>>
>> The first line says "skips the comment lines" (the ones that begin
>> with #)
>
> What does the second line do? I tried, apparently, to accomplish the
> same thing with some different syntax, yet unsuccessfully.

OOps, sorry. The 2nd line was the more important. I must have gotten
distracted while writing the explanation.

egrep -q says "run egrep, but don't tell me anything except an exit code"

egrep is 'extended grep' which can match patterns. See 'man grep' for
the difference between grep, egrep, and fgrep, all of which have
specific uses.

egrep "a|b" means "look for either 'a' or 'b'

egrep -q "grog_firewall_oif | grog_firewall_iif" means "look for either
of those grog_firewall_oif or grog_firewall_iif

NOTE: I made a mistake in that there should be NO WHITESPACE around the
"|" when doing that match. The corrected version would be

    egrep -v "^#" /etc/rc.conf |\
    egrep -q "grog_firewall_oif|grog_firewall_iif" || (echo "$0" ; exit 1)

the "||" means "If what happened on the left hand side didn't exit = 0,
then do the stuff on the right hand side

ARGH. Another mistake, but at least a minor one. No error message given
there. It should look more like:

    (echo "$0 did not find grog_firewall settings"; exit 1)

> I can assume everything, since grog_firewall_oif *should* be a value
> such as above. On my system, grog_firewall_oif will be ath0. This
> isn't assumed, but rather defined for me. I would write the above line
> as follows (please verify syntax):
>
> ifconfig $grog_firewall_oif |\
> tr '\012' ' ' |\
> sed 's#.*inet ##; s# netmask.*##'
>
> oif_ip=`ifconfig $grog_firewall_oif |\
> tr '\012' ' ' |\
> sed 's#.*inet ##; s# netmask.*##'`

yes, that looks good. Do verify that you get the results you expect
when you run the commands at the commandline before putting them in a
script.

> This is a lot of help, however, if you read:
>
>>> I don't actually need my own address, I need to be able to figure
>>> out that the system, based on the above output, is on the
>>> 192.168.1.0/24 network.
>
> I need my NETWORK address, in this case 192.168.1.0 (with netmask),
> which would be 192.168.1.0/24

Ah, ok, so you need the 192.168.1. part and the netmask.

Ok, here's where someone who is better at pattern matching could come up
with something elegant, where I end up getting really hacky

(NOTE: I'm using 'en1' here because that's what it is on my system here,
adjust for your own setting)

    IFCONFIG=`ifconfig en1|tr '\012' ' ' |sed 's#.*inet ##; s#broadcast .*##; s# netmask # #' |tr '.' ' '`

which says, get all the ifconfig information, and trim it down to just
the IP and the netmask. Oh, and change any periods for spaces (the
reason why will become evident in a moment).

At this point, $IFCONFIG on my system would look like this:

    192 168 2 102 0xff00

then I'd put the netmask in its own variable like this

    NETMASK=`echo $IFCONFIG | awk '{print $NF}'`

which says "take the $IFCONFIG information and give me the last field.
Since we know there will be 5 fields, we could also use this:

    NETMASK=`echo $IFCONFIG | awk '{print $5}'`

    SUBNET=`echo $IFCONFIG | awk '{print $1"."$2"."$3}'`

that will make $SUBNET = 192.168.2

(the awk statement says "take the $IFCONFIG information and give me the
1st, 2nd, and 3rd fields and put periods in between them when you print
them)

ASIDE: It would be easy to get several different levels of specificity
here (i.e. do you want 192.168.2 or just 192.168 or just 192)

Then I would make use of a case statement like this:

    case $SUBNET in
        192.168.2)
            echo "I'm on the office network"
        ;;
        10.0.1)
            echo "I'm on my home network"
        ;;
    esac

The same would be true for whatever you want to do with $NETMASK

Does that get at it?

TjL
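The network number asked for in this exchange (address ANDed with the netmask, plus the prefix length) can also be computed in plain sh arithmetic. This is an added example, not part of any message in the thread: the function names `net_cidr` and `inet_networks` are made up, the sample ifconfig text is constructed, and it assumes the netmask is printed as eight hex digits, as FreeBSD's ifconfig does.

```shell
#!/bin/sh
# net_cidr IP HEXMASK: print NETWORK/PREFIX, e.g. "192.168.1.0/24".
# The body runs in a subshell so the caller's IFS and positional
# parameters are left alone.
net_cidr() (
    ip=$1 hexmask=$2

    # These values end up in firewall rules: accept only a dotted quad
    # of digits and an 8-digit 0x mask, reject everything else.
    case $ip in ''|*[!0-9.]*|.*|*.) exit 1 ;; esac
    case $hexmask in 0x????????) ;; *) exit 1 ;; esac
    case ${hexmask#0x} in *[!0-9a-fA-F]*) exit 1 ;; esac

    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        # No empty octets, no leading zeros (octal in $(( ))), max 3 digits.
        case $octet in ''|0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done

    mask=$(($hexmask))
    # A valid netmask is a run of 1-bits followed only by 0-bits.
    inv=$(( ~mask & 0xffffffff ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || exit 1

    # Prefix length = number of leading 1-bits.
    prefix=0 m=$mask
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        prefix=$((prefix + 1))
        m=$(( (m << 1) & 0xffffffff ))
    done

    net=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
)

# inet_networks: read ifconfig output on stdin, print one CIDR per IPv4
# address. Comparing the first field exactly skips the inet6 lines.
inet_networks() {
    awk '$1 == "inet" && $3 == "netmask" { print $2, $4 }' |
    while read -r ip hexmask; do
        net_cidr "$ip" "$hexmask" || return 1
    done
}

# Constructed sample in the layout of the ifconfig output quoted in the
# thread, with a full eight-digit netmask.
sample_ifconfig='vr0: flags=8843 mtu 1500
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
	ether 00:0e:a6:b9:2d:3d'

printf '%s\n' "$sample_ifconfig" | inet_networks
```

On a live system the input would be `ifconfig "$grog_firewall_iif" | inet_networks`.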
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 8:21 PM, Timothy Luoma wrote:
> On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
>> A couple more questions, then I'm done. Promise.
>>
>> I need to verify whether or not there is an entry for
>> grog_firewall_oif and grog_firewall_iif in /etc/rc.conf. If not, I
>> want to exit with an error.
>
> You want to check for either "grog_firewall_oif" or
> "grog_firewall_iif" in /etc/rc.conf
>
> egrep -v "^#" /etc/rc.conf |\
> egrep -q "grog_firewall_oif | grog_firewall_iif" || (echo "$0" ; exit 1)
>
> The first line says "skips the comment lines" (the ones that begin
> with #)

What does the second line do? I tried, apparently, to accomplish the
same thing with some different syntax, yet unsuccessfully.

>> Also, a little more advanced, I need to pull information from an
>> ifconfig output. I need to pull network numbers for both the internal
>> interface, as well as external interface. For example,
>>
>> vr0: flags=8843 mtu 1500
>> inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
>> inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
>> ether 00:0e:a6:b9:2d:3d
>> media: Ethernet autoselect (100baseTX )
>> status: active
>>
>> I don't actually need my own address, I need to be able to figure out
>> that the system, based on the above output, is on the 192.168.1.0/24
>> network. This will be input into my firewall rulesets.
>>
>> I imagine that there's a util or command around that can do this, or
>> I can code out the math, but there's got to be an easier way.
>
> How much can you assume? Will you know the interface? If so it's
> fairly easy
>
> ifconfig vr0 |\
> tr '\012' ' ' |\
> sed 's#.*inet ##; s# netmask.*##'
>
> roughly translated:
>
> line 1: give me the information for vr0 only
> line 2: replace the end of line (\012) and replace them with a space
> line 3: delete everything from the beginning of the line up to "inet "
> and then delete everything from " netmask" to the end of the line
>
> Put it into a variable
>
> MY_IP=`ifconfig vr0 |\
> tr '\012' ' ' |\
> sed 's#.*inet ##; s# netmask.*##'`
>
> TjL

I can assume everything, since grog_firewall_oif *should* be a value
such as above. On my system, grog_firewall_oif will be ath0. This isn't
assumed, but rather defined for me. I would write the above line as
follows (please verify syntax):

    ifconfig $grog_firewall_oif |\
    tr '\012' ' ' |\
    sed 's#.*inet ##; s# netmask.*##'

    oif_ip=`ifconfig $grog_firewall_oif |\
    tr '\012' ' ' |\
    sed 's#.*inet ##; s# netmask.*##'`

This is a lot of help, however, if you read:

>> I don't actually need my own address, I need to be able to figure out
>> that the system, based on the above output, is on the 192.168.1.0/24
>> network.

I need my NETWORK address, in this case 192.168.1.0 (with netmask),
which would be 192.168.1.0/24

Thanks.

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
On Mon, 3 Jan 2005 20:41:21 -0600 (CST) I wrote:
> On Mon, 3 Jan 2005 16:22:45 -0500 Timothy Luoma <[EMAIL PROTECTED]>
>wrote:
>
>>On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:
>>
>>> First off, let me thank you very much for the massive amount of
>>> information you've given me thus far.
>>
>>I am a commandline geek from way back, so you're welcome.
>>
>>My brother actually had a Dilbert from years ago that he gave me where
>>Dilbert runs into a guy with a long beard and suspenders and says "Hey,
>>you're one of those Unix geeks, aren't you?"
>>
>>I wish I could get that on a T-Shirt!
>>
>>Anyway, the sourcing idea is definitely a good one. I'm not usually
>>working with such easy source material (I do a lot of stuff where I'm
>>pulling information off a website, etc)
>>
>>> Do me a favor and tell me if
>>> this syntax is correct:
>>>
>>> #!/bin/sh
>>>
>>> . /etc/rc.conf
>>>
>>> if [ "$grog_firewall_enable" = "YES" ]
>>> then
>>> echo "Firewall enabled."
>>> elif [ "$grog_firewall_enable" = "NO" ]
>>> then
>>> echo "Firewall disabled."
>>> fi
>>>
>>> exit 0
>>
>>yes, that's right
>>
> [remainder deleted --SB]
> It has been many years, but it seems to me that, under 4.3BSD, the echo
>commands shown above would have been verboten in /etc/rc or any scripts run
>by it because none of those processes had a /dev/tty associated with them.

Ah, how memory comes flooding back after the message has been sent!
Sigh. /etc/rc did have a tty associated with its process and therefore
could inform the operator that various daemons and subsystems had been
started. It was only the subprocesses that were backgrounded that had to
write any messages to a file or to /dev/null (or, possibly, to
/dev/console). Mes excuses...

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
Re: my lame attempt at a shell script...
On Mon, 3 Jan 2005 16:22:45 -0500 Timothy Luoma <[EMAIL PROTECTED]>
wrote:

>On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:
>
>> First off, let me thank you very much for the massive amount of
>> information you've given me thus far.
>
>I am a commandline geek from way back, so you're welcome.
>
>My brother actually had a Dilbert from years ago that he gave me where
>Dilbert runs into a guy with a long beard and suspenders and says "Hey,
>you're one of those Unix geeks, aren't you?"
>
>I wish I could get that on a T-Shirt!
>
>Anyway, the sourcing idea is definitely a good one. I'm not usually
>working with such easy source material (I do a lot of stuff where I'm
>pulling information off a website, etc)
>
>> Do me a favor and tell me if
>> this syntax is correct:
>>
>> #!/bin/sh
>>
>> . /etc/rc.conf
>>
>> if [ "$grog_firewall_enable" = "YES" ]
>> then
>> echo "Firewall enabled."
>> elif [ "$grog_firewall_enable" = "NO" ]
>> then
>> echo "Firewall disabled."
>> fi
>>
>> exit 0
>
>yes, that's right
>
[remainder deleted --SB]

It has been many years, but it seems to me that, under 4.3BSD, the echo
commands shown above would have been verboten in /etc/rc or any scripts
run by it because none of those processes had a /dev/tty associated with
them. Has this limitation been bypassed in FreeBSD somehow?

Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 6:28 PM, Eric F Crist wrote:
> A couple more questions, then I'm done. Promise.
>
> I need to verify whether or not there is an entry for grog_firewall_oif
> and grog_firewall_iif in /etc/rc.conf. If not, I want to exit with an
> error.

You want to check for either "grog_firewall_oif" or "grog_firewall_iif"
in /etc/rc.conf

    egrep -v "^#" /etc/rc.conf |\
    egrep -q "grog_firewall_oif | grog_firewall_iif" || (echo "$0" ; exit 1)

The first line says "skips the comment lines" (the ones that begin
with #)

> Also, a little more advanced, I need to pull information from an
> ifconfig output. I need to pull network numbers for both the internal
> interface, as well as external interface. For example,
>
> vr0: flags=8843 mtu 1500
> inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
> inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
> ether 00:0e:a6:b9:2d:3d
> media: Ethernet autoselect (100baseTX )
> status: active
>
> I don't actually need my own address, I need to be able to figure out
> that the system, based on the above output, is on the 192.168.1.0/24
> network. This will be input into my firewall rulesets.
>
> I imagine that there's a util or command around that can do this, or I
> can code out the math, but there's got to be an easier way.

How much can you assume? Will you know the interface? If so it's fairly
easy

    ifconfig vr0 |\
    tr '\012' ' ' |\
    sed 's#.*inet ##; s# netmask.*##'

roughly translated:

line 1: give me the information for vr0 only
line 2: replace the end of line (\012) and replace them with a space
line 3: delete everything from the beginning of the line up to "inet "
and then delete everything from " netmask" to the end of the line

Put it into a variable

    MY_IP=`ifconfig vr0 |\
    tr '\012' ' ' |\
    sed 's#.*inet ##; s# netmask.*##'`

TjL
Re: my lame attempt at a shell script...
A couple more questions, then I'm done. Promise.

I need to verify whether or not there is an entry for grog_firewall_oif
and grog_firewall_iif in /etc/rc.conf. If not, I want to exit with an
error.

Also, a little more advanced, I need to pull information from an
ifconfig output. I need to pull network numbers for both the internal
interface, as well as external interface. For example,

    vr0: flags=8843 mtu 1500
            inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
            inet6 fe80::20e:a6ff:feb9:2d3d%vr0 prefixlen 64 scopeid 0x3
            ether 00:0e:a6:b9:2d:3d
            media: Ethernet autoselect (100baseTX )
            status: active

I don't actually need my own address, I need to be able to figure out
that the system, based on the above output, is on the 192.168.1.0/24
network. This will be input into my firewall rulesets.

I imagine that there's a util or command around that can do this, or I
can code out the math, but there's got to be an easier way.

Thanks again.

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
--On Monday, January 03, 2005 04:49:04 PM -0600 Eric F Crist
<[EMAIL PROTECTED]> wrote:
> By on-the-fly, I meant by manually typing in a new rule on the command
> line. From there, I'd take the output of ipfw show and figure out
> where I want that rule placed. So, for the purposes of this script, I
> just want it to add new rules at an interval of 50. Within the script,
> different sets of rules will be grouped by the 1, but I'll worry about
> that validation on my own.
>
> The syntax is where my limitations lie.

In that case write to a ruleset. Keep in mind that you want to not only
add the rule on the fly, but you also want it implemented should the
server be rebooted or the firewall be restarted. All you have to do is
write the rule to the next line of the ruleset and disable and enable
the ruleset and you're done. Much easier than trying to figure out what
number to add and you've killed both birds with the same stone.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 4:40 PM, Paul Schmehl wrote:
> --On Monday, January 03, 2005 04:21:41 PM -0600 Eric F Crist
> <[EMAIL PROTECTED]> wrote:
>> I believe this is my last question. I need to do some math. Anyone
>> familiar with ipfw knows that you can add a rule with:
>>
>> ipfw add [num] my firewall rule
>>
>> What I'm trying to do is have that number auto-computed. So, my
>> command *should* look something like:
>>
>> $ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables
>>
>> Make sense? I just want to add a new rule, let it figure out the rule
>> number. That way, I can leave a space of 48 rules (for minor,
>> on-the-fly tweaking, etc.
>
> First answer a question. Are you wanting to write these rules on the
> fly? Or have them available for the next restart of the firewall? Or
> both?
>
> You have a problem, because you want to use one, generic script to set
> up multiple, varied firewalls. In order for the script to work, you'll
> have to be able to calculate what number to use next based on what
> number was *last used* on *that* server.
>
> There's several ways to solve that problem. You could write a
> placemarker to a file. (Silly, but easy.) You could use rulesets, and
> just write a new line to a ruleset and let ipfw figure it out. (Much
> better I think.) If you also want to add the rule on the fly, you can
> just reload that ruleset.
>
> That way you use a fixed name and number (e.g. on-the-fly_rules, set 2)
> and just add rules to the ruleset, unload and reload the ruleset (ipfw
> set 2 disable; write the new rule to the ruleset; ipfw set 2 enable)

Paul,

By on-the-fly, I meant by manually typing in a new rule on the command
line. From there, I'd take the output of ipfw show and figure out where
I want that rule placed. So, for the purposes of this script, I just
want it to add new rules at an interval of 50. Within the script,
different sets of rules will be grouped by the 1, but I'll worry about
that validation on my own.

The syntax is where my limitations lie.

Thanks.

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
--On Monday, January 03, 2005 04:21:41 PM -0600 Eric F Crist
<[EMAIL PROTECTED]> wrote:
> I believe this is my last question. I need to do some math. Anyone
> familiar with ipfw knows that you can add a rule with:
>
> ipfw add [num] my firewall rule
>
> What I'm trying to do is have that number auto-computed. So, my
> command *should* look something like:
>
> $ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables
>
> Make sense? I just want to add a new rule, let it figure out the rule
> number. That way, I can leave a space of 48 rules (for minor,
> on-the-fly tweaking, etc.

First answer a question. Are you wanting to write these rules on the
fly? Or have them available for the next restart of the firewall? Or
both?

You have a problem, because you want to use one, generic script to set
up multiple, varied firewalls. In order for the script to work, you'll
have to be able to calculate what number to use next based on what
number was *last used* on *that* server.

There's several ways to solve that problem. You could write a
placemarker to a file. (Silly, but easy.) You could use rulesets, and
just write a new line to a ruleset and let ipfw figure it out. (Much
better I think.) If you also want to add the rule on the fly, you can
just reload that ruleset.

That way you use a fixed name and number (e.g. on-the-fly_rules, set 2)
and just add rules to the ruleset, unload and reload the ruleset (ipfw
set 2 disable; write the new rule to the ruleset; ipfw set 2 enable)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 4:16 PM, Timothy Luoma wrote:
> On Jan 3, 2005, at 4:52 PM, Eric F Crist wrote:
>> In regards to the = or -eq, I can't discern a difference in output
>> when I use them. Can you explain further their differences?
>
> I think they are different ways of saying the same thing. Personal
> preference only as to which is better.
>
>> What would NOT EQUAL be?
>
> !=
>
> -ne only works for integers (see 'man test').
>
> TjL

Figured that out, thanks to your reference to man test.

Thanks.

___
Eric F Crist
Secure Computing Networks
"I am so smart, S.M.R.T!" -Homer J Simpson
Re: my lame attempt at a shell script...
I believe this is my last question. I need to do some math. Anyone familiar with ipfw knows that you can add a rule with:

    ipfw add [num] my firewall rule

What I'm trying to do is have that number auto-computed. So, my command *should* look something like:

    $ipfwcmd add [rulenum1 + 50] my firewall rule $other $variables

Make sense? I just want to add a new rule, let it figure out the rule number. That way, I can leave a space of 48 rules (for minor, on-the-fly tweaking, etc.)

Thanks.
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 4:52 PM, Eric F Crist wrote:

> In regards to the = or -eq, I can't discern a difference in output when I use them. Can you explain further their differences?

I think they are different ways of saying the same thing. Personal preference only as to which is better.

> What would NOT EQUAL be?

!=

-ne only works for integers (see 'man test').

TjL
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
> > elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
> > then
> >     echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
> > fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or pf - I wrote a replacement for ipfilter as I got dizzy trying to maintain a too long ruleset so I wanted to split it into multiple files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of scripts to look at - don't look at rc.firewall. The scripts in /etc/rc.d are executed as ordered by rcorder(8).
>
> Create your script and load rc.subr:
>
>     . /etc/rc.subr
>
> which gives you a lot of predefined handy functions. Set the "name" variable in the script, eg:
>
>     name="grog" # Name of my firewall script
>
> it is customary to call the script the same. Follow by
>
>     load_rc_config $name
>
> most scripts then just includes the line
>
>     run_rc_command "$1"
>
> - everything is defined by the functions in rc.subr. Now, you can set the commands to be run and define them in your script, see eg. ipfilter.
>
> rc.subr also contains a "checkyesno" function answering your question above - however, it is normal to check "[Yy][Ee][Ss]" and treat everything else as a no. After all, what are you gonna do if you only accept "yes" or "no" but some one typed "yeah right"? You must have a default action.

Sorry for the double reply, but I forgot to respond to the top half of this email. By including /etc/rc.subr, what exactly do I gain? There are already built-in means to execute a custom firewall script:

    firewall_enable
        (bool) Set to ``YES'' to load firewall rules at startup. If the kernel was not built with options IPFIREWALL, the ipfw.ko kernel module will be loaded. See also ipfilter_enable.

    ipv6_firewall_enable
        (bool) The IPv6 equivalent of firewall_enable. Set to ``YES'' to load IPv6 firewall rules at startup. If the kernel was not built with options IPV6FIREWALL, the ip6fw.ko kernel module will be loaded.

    firewall_script
        (str) This variable specifies the full path to the firewall script to run. The default is /etc/rc.firewall.

I would assume that the system would institute my firewall rules at the correct stage of startup, and thus, don't really want to mess with that. Please enlighten me as to rc.subr and its benefits. I'm new to shell scripting, and I need all the knowledge I can gain.

Thanks.
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 4:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
> > elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
> > then
> >     echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
> > fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or pf - I wrote a replacement for ipfilter as I got dizzy trying to maintain a too long ruleset so I wanted to split it into multiple files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of scripts to look at - don't look at rc.firewall.

[lots of good info snipped]

> Finally, don't use bash, use /bin/sh and nothing else, you don't know if bash is available when your script runs.
>
> Regarding your script, which I got deleted from this mail (sorry), I think there is an error:
>
> > if [ "$grog_firewall_enable" = "YES" ]
>
> this "=" is assignment and will always evaluate to true. You want
>
>     if [ "$grog_firewall_enable" -eq "YES" ]
>
> I'm not sure if "==" works, but always be careful you're not using assignment in if-statements.

either "-eq" or "=" will work in /bin/sh scripts.

Assignment is done like this

    foo=bar

so you have to be careful about quotes and spacing.

(Learning PHP was hard because there you DO have to use == and not =)

Eric - see 'man test' for the proper ways to do greater-than, less-than, greater-or-equal, etc in sh

TjL

ps - re: this quote:

On Jan 3, 2005, at 4:34 PM, Erik Norgaard wrote:

> rc.subr also contains a "checkyesno" function answering your question above - however, it is normal to check "[Yy][Ee][Ss]" and treat everything else as a no. After all, what are you gonna do if you only accept "yes" or "no" but some one typed "yeah right"? You must have a default action.

Yeah, I had a Comp. Sci professor who always typed his name in whenever we wrote a program that asked for user input, so if you were expecting a Y|y|n|N and got "cupper" he wanted to know what you planned to do with that.
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 3:34 PM, Erik Norgaard wrote:

> Eric F Crist wrote:
>
> > elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
> > then
> >     echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
> > fi
>
> I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or pf - I wrote a replacement for ipfilter as I got dizzy trying to maintain a too long ruleset so I wanted to split it into multiple files.
>
> On 5.x things get a lot simpler. In /etc/rc.d there are plenty of scripts to look at - don't look at rc.firewall. The scripts in /etc/rc.d are executed as ordered by rcorder(8).
>
> Create your script and load rc.subr:
>
>     . /etc/rc.subr
>
> which gives you a lot of predefined handy functions. Set the "name" variable in the script, eg:
>
>     name="grog" # Name of my firewall script
>
> it is customary to call the script the same. Follow by
>
>     load_rc_config $name
>
> most scripts then just includes the line
>
>     run_rc_command "$1"
>
> - everything is defined by the functions in rc.subr. Now, you can set the commands to be run and define them in your script, see eg. ipfilter.
>
> rc.subr also contains a "checkyesno" function answering your question above - however, it is normal to check "[Yy][Ee][Ss]" and treat everything else as a no. After all, what are you gonna do if you only accept "yes" or "no" but some one typed "yeah right"? You must have a default action.
>
> Since your script isn't default, maybe don't add default settings to /etc/defaults/rc.conf. Instead variables can have defaults eg:
>
>     ${ipfilter_program:-/sbin/ipf}
>
> will use /sbin/ipf unless the ipfilter_program variable is set.
>
> Finally, don't use bash, use /bin/sh and nothing else, you don't know if bash is available when your script runs.
>
> Regarding your script, which I got deleted from this mail (sorry), I think there is an error:
>
> > if [ "$grog_firewall_enable" = "YES" ]
>
> this "=" is assignment and will always evaluate to true. You want
>
>     if [ "$grog_firewall_enable" -eq "YES" ]
>
> I'm not sure if "==" works, but always be careful you're not using assignment in if-statements.
>
> Cheers, Erik

Thanks for the reply. I'm actually using ipfw, and this script is going to require this. Also, this script isn't really for public use, anyone's welcome to it, if they want, and only internal use.

In regards to placing variables in /etc/rc.conf, these aren't really true variables (no pun intended), but rather system-specific device information. My overall setup is such that each server could have a different brand/chipset network card, and different purposes on the network. My goal is that I can set an internal interface, and external interface, hostname, ipaddresses, and protocols independently of the actual script. Then, the script will plug those variables into the correct places. I could put this information in another place, like a /etc/firewall.setup file, but it'll make my life easier if I just put it into rc.conf.

In regards to the = or -eq, I can't discern a difference in output when I use them. Can you explain further their differences? What would NOT EQUAL be?

Thanks.
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 4:27 PM, Eric F Crist wrote:

> Good to know. If I want to validate, like my first example, against some variables, how would I do that best. Say, for example, I have 4 possible entries for grog_firewall_enable but I want to single out three of them:
>
>     if [ "$grog_firewall_enable" <> "YES" OR "NO" OR "OPEN" ]
>
> is this the correct syntax? Can't seem to figure this one out.

Instead of <> you want to use != when working in (ba)sh.

I know of no way to test A != (B or C or D) on one line like that in bash.

I think the closest you can come is using 'case':

    case $grog_firewall_enable in
        YES|NO|OPEN)
            :
            ;;
        *)
            echo Illegal value for grog_firewall_enable
            ;;
    esac

the ":" in that case is just a placeholder. You could replace it with some commands, even your previous IF/ELIF statements if you wanted to.

TjL

ps - in case it wasn't obvious, and it wasn't to me when I first started, "fi" is "if" spelled backwards and "esac" is "case" spelled backwards. Makes it easier to remember how to spell them correctly ;-)
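Added example, not part of the original message: the case-based validation above applied to the grog_firewall_* settings named in this thread, together with a check of the exit status test(1) returns for = and -eq. The function names, the sample values and the strict interface-name pattern are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the grog_firewall_* variable names are the ones used in the thread.

# Constructed sample values standing in for what ". /etc/rc.conf" would set.
grog_firewall_enable="YES"
grog_firewall_iif="fxp0"
grog_firewall_oif="em0"

# Map the setting to one of three modes. Anything else is an error: the
# caller should not guess what "yeah right" or "cupper" was meant to be.
firewall_mode() {
    case "$1" in
        YES)  echo enabled ;;
        NO)   echo disabled ;;
        OPEN) echo open ;;
        *)    echo invalid; return 1 ;;
    esac
}

# Interface names end up inside firewall rules, so accept only a short
# token of letters followed by digits (assumption: names like fxp0, em0).
valid_iface() {
    case "$1" in
        ""|*[!A-Za-z0-9]*) return 1 ;;
        [A-Za-z]*[0-9])    return 0 ;;
        *)                 return 1 ;;
    esac
}

# Exit status of test(1) for "$1 OP $3": 0 = true, 1 = false, >1 = error.
test_status() {
    st=0
    [ "$1" "$2" "$3" ] 2>/dev/null || st=$?
    echo "$st"
}

# Validate every value first; print the mode only if all of them are sane.
check_config() {
    mode=$(firewall_mode "$grog_firewall_enable") || {
        echo "grog_firewall_enable must be YES, NO or OPEN" >&2
        return 1
    }
    for ifc in "$grog_firewall_iif" "$grog_firewall_oif"; do
        valid_iface "$ifc" || { echo "bad interface name: $ifc" >&2; return 1; }
    done
    echo "$mode"
}

check_config
# "=" and "!=" compare strings; "-eq" and "-ne" compare integers and make
# test(1) fail with an error status when given a word such as YES.
echo "YES =   YES -> status $(test_status YES = YES)"
echo "YES -eq YES -> status $(test_status YES -eq YES)"
echo "5   -ne 05  -> status $(test_status 5 -ne 05)"
echo "5   !=  05  -> status $(test_status 5 != 05)"
```

An `if` that uses -eq on a word takes its else branch because of the error status, so a misspelled comparison can silently pick the wrong firewall mode.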
Re: my lame attempt at a shell script...
Eric F Crist wrote:

> elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
> then
>     echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
> fi

I don't know if you're on 5.x, nor whether you use ipfw, ipfilter or pf - I wrote a replacement for ipfilter as I got dizzy trying to maintain a too long ruleset so I wanted to split it into multiple files.

On 5.x things get a lot simpler. In /etc/rc.d there are plenty of scripts to look at - don't look at rc.firewall. The scripts in /etc/rc.d are executed as ordered by rcorder(8).

Create your script and load rc.subr:

    . /etc/rc.subr

which gives you a lot of predefined handy functions. Set the "name" variable in the script, eg:

    name="grog" # Name of my firewall script

it is customary to call the script the same. Follow by

    load_rc_config $name

most scripts then just includes the line

    run_rc_command "$1"

- everything is defined by the functions in rc.subr. Now, you can set the commands to be run and define them in your script, see eg. ipfilter.

rc.subr also contains a "checkyesno" function answering your question above - however, it is normal to check "[Yy][Ee][Ss]" and treat everything else as a no. After all, what are you gonna do if you only accept "yes" or "no" but some one typed "yeah right"? You must have a default action.

Since your script isn't default, maybe don't add default settings to /etc/defaults/rc.conf. Instead variables can have defaults eg:

    ${ipfilter_program:-/sbin/ipf}

will use /sbin/ipf unless the ipfilter_program variable is set.

Finally, don't use bash, use /bin/sh and nothing else, you don't know if bash is available when your script runs.

Regarding your script, which I got deleted from this mail (sorry), I think there is an error:

> if [ "$grog_firewall_enable" = "YES" ]

this "=" is assignment and will always evaluate to true. You want

    if [ "$grog_firewall_enable" -eq "YES" ]

I'm not sure if "==" works, but always be careful you're not using assignment in if-statements.

Cheers, Erik

--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: my lame attempt at a shell script...
[Eric: sorry if you see this twice. Resending online. hit REPLY instead of REPLY ALL by accident]

On Jan 3, 2005, at 3:49 PM, Eric F Crist wrote:

> First off, let me thank you very much for the massive amount of information you've given me thus far.

I am a commandline geek from way back, so you're welcome. My brother actually had a Dilbert from years ago that he gave me where Dilbert runs into a guy with a long beard and suspenders and says "Hey, you're one of those Unix geeks, aren't you?" I wish I could get that on a T-Shirt!

Anyway, the sourcing idea is definitely a good one. I'm not usually working with such easy source material (I do a lot of stuff where I'm pulling information off a website, etc)

> Do me a favor and tell me if this syntax is correct:
>
>     #!/bin/sh
>     . /etc/rc.conf
>     if [ "$grog_firewall_enable" = "YES" ]
>     then
>         echo "Firewall enabled."
>     elif [ "$grog_firewall_enable" = "NO" ]
>     then
>         echo "Firewall disabled."
>     fi
>     exit 0

yes, that's right

> This seems to work when I try it at a command line. There's one other question. How would I add the following line (please correct syntax):
>
>     elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
>     then
>         echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
>     fi

Ah, ok. When you are done with the "elif" (short for "else if" BTW) you may use an "ELSE" that covers everything else. Since you've already matched for YES and NO then all you need is to add in a catch-all (NOTE: there is no "THEN" when dealing with ELSE. only IF or ELIF takes a THEN)

    if [ "$grog_firewall_enable" = "YES" ]
    then
        echo "Firewall enabled."
    elif [ "$grog_firewall_enable" = "NO" ]
    then
        echo "Firewall disabled."
    else
        echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
        exit 1
    fi

the 'exit 1' is optional. If you include it, the script will end right there, which may or may not be ideal.

TjL
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 2:30 PM, Timothy Luoma wrote:

> On Jan 3, 2005, at 1:38 PM, Hexren wrote:
>
> > I am not that great at bash but look in /etc/rc.firewall for the line where it says: ". /etc/defaults/rc.conf" I think this line includes /etc/rc.conf into the running script and as code in rc.conf is evaluated at the time it is included, all the variables defined in rc.conf are created at that time in your script. (you do realize that for example gateway_enable="YES" is a variable declaration with initialization when read as shell script ?)
>
> Hexren is right, ". /some/file" does mean "include /some/file" (sometimes called "source")
>
>     #!/bin/sh
>     . /etc/rc.conf
>     if [ "$gateway_enable" = "YES" ]
>     then
>         echo "yes, this machine is a gateway"
>     else
>         echo "no, this is not a gateway"
>     fi
>     exit 0
>
> TjL

First off, let me thank you very much for the massive amount of information you've given me thus far.

Do me a favor and tell me if this syntax is correct:

    #!/bin/sh
    . /etc/rc.conf
    if [ "$grog_firewall_enable" = "YES" ]
    then
        echo "Firewall enabled."
    elif [ "$grog_firewall_enable" = "NO" ]
    then
        echo "Firewall disabled."
    fi
    exit 0

This seems to work when I try it at a command line. There's one other question. How would I add the following line (please correct syntax):

    elif [ "$grog_firewall_enable" <> "YES" or "NO" ]
    then
        echo "Syntax error in /etc/rc.conf file. grog_firewall_enable must be YES or NO"
    fi

Thanks again for all the help.
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 1:38 PM, Hexren wrote:

> I am not that great at bash but look in /etc/rc.firewall for the line where it says: ". /etc/defaults/rc.conf" I think this line includes /etc/rc.conf into the running script and as code in rc.conf is evaluated at the time it is included, all the variables defined in rc.conf are created at that time in your script. (you do realize that for example gateway_enable="YES" is a variable declaration with initialization when read as shell script ?)

Hexren is right, ". /some/file" does mean "include /some/file" (sometimes called "source")

    #!/bin/sh
    . /etc/rc.conf
    if [ "$gateway_enable" = "YES" ]
    then
        echo "yes, this machine is a gateway"
    else
        echo "no, this is not a gateway"
    fi
    exit 0

TjL
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 12:44 PM, Timothy Luoma wrote:

> On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:
>
> > I'm trying to create a shell script for firewalling. What I'm hoping to do is create a generic script that looks for variables in /etc/rc.conf. I've tried looking at other scripts that use variables placed there, but don't understand how to pull the information from the file.
>
> Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts for a long time. What specifically are you trying to pull out of /etc/rc.conf?
>
> TjL
>
> ps - that said, why aren't you setting firewall configuration once and leaving it alone?

Well, I'm hoping to put some variables such as grog_firewall_enable, grog_firewall_iif, grog_firewall_oif, and possibly one or two more. These variables will change from one system to another, as this script will be installed on multiple systems. By setting these variables in rc.conf (or any other, separate file), I can change one copy of this script, propagate it throughout a set of servers, without having to customize each one for a particular server.

In regards to your ps, I AM setting the config once, but this setup allows me to easily upgrade/improve my ruleset. Besides, I'm learning a lot writing this damn thing. ;)
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson
Re: my lame attempt at a shell script...
On Jan 3, 2005, at 1:19 PM, Eric F Crist wrote:

> I'm trying to create a shell script for firewalling. What I'm hoping to do is create a generic script that looks for variables in /etc/rc.conf. I've tried looking at other scripts that use variables placed there, but don't understand how to pull the information from the file.

Ah, now I may be a FreeBSD newbie, but I've been doing shell scripts for a long time. What specifically are you trying to pull out of /etc/rc.conf?

TjL

ps - that said, why aren't you setting firewall configuration once and leaving it alone?
Re: my lame attempt at a shell script...
EFC> Hello all,

EFC> I'm trying to create a shell script for firewalling. What I'm hoping
EFC> to do is create a generic script that looks for variables in
EFC> /etc/rc.conf. I've tried looking at other scripts that use variables
EFC> placed there, but don't understand how to pull the information from the
EFC> file.

EFC> Thanks for the info.
EFC> ___
EFC> Eric F Crist "I am so smart, S.M.R.T!"
EFC> Secure Computing Networks -Homer J Simpson

I am not that great at bash but look in /etc/rc.firewall for the line where it says: ". /etc/defaults/rc.conf" I think this line includes /etc/rc.conf into the running script and as code in rc.conf is evaluated at the time it is included, all the variables defined in rc.conf are created at that time in your script. (you do realize that for example gateway_enable="YES" is a variable declaration with initialization when read as shell script ?)

Hexren
my lame attempt at a shell script...
Hello all,

I'm trying to create a shell script for firewalling. What I'm hoping to do is create a generic script that looks for variables in /etc/rc.conf. I've tried looking at other scripts that use variables placed there, but don't understand how to pull the information from the file.

Thanks for the info.
___
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson