OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: manus on February 18, 2016, 12:10:10 pm

Title: Add option to enable IPFW
Post by: manus on February 18, 2016, 12:10:10 pm
Could you add an option in the interface or through a config file to enable IPFW?
Currently we can't use the default rc file because /usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d rewrites firewall_enable.
So to use IPFW, I need to add traffic shaper rules & co. or modify the previous file.
The best would be to get:
- an option in the interface to enable IPFW (firewall_enable)
- an option to add ipfw_load="YES" in /boot/loader.conf or another way to load the kernel module at boot
- a field to give a full path to a file with rules to execute after:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules

Why? Because I use a compiled HAProxy in transparent mode. But some could use it for other things.
Title: Re: Add option to enable IPFW
Post by: manus on February 18, 2016, 12:15:21 pm
I changed /usr/local/etc/rc.ipfw:
Code:
# reload ipfw rules
/sbin/ipfw -f /usr/local/etc/ipfw.rules
if [ -f /usr/local/etc/ipfw_custom.rules ]; then
    /sbin/ipfw -f /usr/local/etc/ipfw_custom.rules
fi

/usr/local/opnsense/service/templates/OPNsense/IPFW/rc.conf.d:
Code:
firewall_enable="{% if shapers or cp_zones %}YES{% else %}YES{% endif %}"
Title: Re: Add option to enable IPFW
Post by: AdSchellevis on February 19, 2016, 12:10:04 pm
OPNsense uses pf as its main firewall; ipfw is only used in our system for the captive portal and traffic shaper.
We would rather not provide an option to "enable" it, because we can't guarantee that the ruleset will still work if one of the above features is enabled.

You can probably add a firewall rule using the interface to do the same thing; the included proxy server contains a link to create reflect rules to put the proxy in transparent mode.