The different functions are selected by typing one word after the "bsdwall" command itself. As mentioned on the bsdwall install page, running the command "bsdwall" by itself only prints a "help page".
Command | Explanation |
---|---|
bsdwall install | This one needs a whole page of explanation: bsdwall install command help page |
bsdwall remove | Removes the firewall changes, but not the bsdwall script or the /etc/bsdwall directory of firewall config files. Can be "undone" with the Unix command "cp /etc/bsdwall/* /etc". |
bsdwall uninstall | Undoes everything: does a remove first, then removes the /etc/bsdwall directory and the script itself from /usr/local/bin. Only /etc/original is left (as a safety measure). |
bsdwall backup or bsdwall backup foobar | Copies all the bsdwall-modified files in /etc/ to /etc/bsdwall/backup. If a name is added, copies them to the directory /etc/bsdwall/backup_foobar instead. Allows saving the current firewall setup before making any changes. |
bsdwall restore or bsdwall restore foobar | Copies everything in /etc/bsdwall/backup (or /etc/bsdwall/backup_foobar) back to /etc. Allows restoration of a saved firewall setup. |
bsdwall open | Does not change the filter rules stored in the master copy, /etc/bsdwall/ipf.rules, but does rewrite the currently-operating file /etc/ipf.rules to contain only two lines that expressly allow ANYTHING in and out. Effectively turns the firewall into a fully-open router. Leaves the user unprotected, but gives an easy way to briefly remove the firewalling function to clear up whether your game is not working because of the firewall, or just because it's a bad game. |
bsdwall close | Does not change the master copy either; it just rewrites the /etc/ipf.rules file to allow any traffic on the INSIDE interface, but NOTHING on the OUTSIDE interface. This is exactly equivalent to unplugging the Ethernet cable from that interface, but doesn't require you to go down into the basement and reach behind the dryer, or wherever you stash the wall. Recommended for moments when you are aware you are under attack or already compromised. |
bsdwall filter | The "undo" for both open and close: copies the master copy /etc/bsdwall/ipf.rules back up into /etc and runs the "ipf" command to make OpenBSD use those rules again. Turns the firewall from open or closed back to firewalling with the "normal" rules. |
bsdwall watch | NB: can only be stopped with a CONTROL-C key combo. Normal OpenBSD machines show a console message for every "logged" packet, i.e. all the ones blocked by our rules. This is annoying when trying to work as root, so bsdwall turns it off and only sends the log messages to /var/log/ipflog. This command does a "tail -f" on that file so that the messages can be watched on screen. It also filters the info a bit to make it more readable, and prints only a "." when a message is identical to the one before it, so that blocks of "DOS" attacks don't fill the screen so fast. |
bsdwall web | OpenBSD comes with an Apache web server, turned off by default. bsdwall turns it on, but restricts it to the inside interface (not just with the packet filtering; Apache is instructed to ignore the outside interface too). Shown on the web are various log files. If the server is turned off, this turns it on. Important Note: OpenBSD 3.3 and later have "chrooted" the web server; this means IT CAN'T SHOW YOUR LOG FILES. We haven't fixed this yet. |
bsdwall noweb | Turns the above-mentioned web server off. Saves on cycles if you need them. It is VERY unlikely that Apache only listening inside is a security risk, but if you're sufficiently paranoid, you can reduce your worries by one. |
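The repeat-squashing behaviour described for "bsdwall watch" (print a message once, then a "." for each identical message that follows, so a flood of blocked packets stays readable) is worth seeing as a standalone filter. The script below is an added example and is not the bsdwall script's own code. It assumes ipmon-style log lines whose first two fields are the date and time, with the packet description after them; the sample lines are constructed, not captured traffic. It generalizes the page's description slightly: it works on any stream of such lines, not only on a live tail of /var/log/ipflog.

```sh
#!/bin/sh
# Added example (not the bsdwall script's own code): the repeat-squashing
# filter that "bsdwall watch" applies to /var/log/ipflog, as a standalone
# function. Assumption: ipmon-style lines whose first two fields are the
# date and time; everything after them is the packet description.

# Print the first line of a run in full, then one "." per immediately
# following line whose packet description is identical (only the
# timestamp differs). A newline ends a run of dots before the next
# distinct line is printed.
squash_repeats() {
    awk '
    function desc(line) { sub(/^[^ ]+ [^ ]+ /, "", line); return line }
    NR == 1 { print; prev = desc($0); next }
    {
        d = desc($0)
        if (d == prev) {
            printf "."
            dots = 1
        } else {
            if (dots) printf "\n"
            dots = 0
            print
            prev = d
        }
    }
    END { if (dots) printf "\n" }
    '
}

# Constructed sample log lines in ipmon style (not real captured traffic):
# three blocked packets from the same source/port pair in a row, then a
# different blocked packet, then the first kind again.
LOG1='05/12/2003 10:21:33.000001 fxp0 @0:1 b 10.0.0.5,1234 -> 192.168.1.1,80 PR tcp len 20 60 -S IN'
LOG2='05/12/2003 10:21:33.000002 fxp0 @0:1 b 10.0.0.5,1234 -> 192.168.1.1,80 PR tcp len 20 60 -S IN'
LOG3='05/12/2003 10:21:33.000003 fxp0 @0:1 b 10.0.0.5,1234 -> 192.168.1.1,80 PR tcp len 20 60 -S IN'
LOG4='05/12/2003 10:21:34.000001 fxp0 @0:2 b 10.0.0.9,5555 -> 192.168.1.1,22 PR tcp len 20 60 -S IN'
LOG5='05/12/2003 10:21:35.000001 fxp0 @0:1 b 10.0.0.5,1234 -> 192.168.1.1,80 PR tcp len 20 60 -S IN'

sample_log() {
    printf '%s\n' "$LOG1" "$LOG2" "$LOG3" "$LOG4" "$LOG5"
}

# Live use would be:  tail -f /var/log/ipflog | squash_repeats
# Here the constructed sample is fed through instead.
sample_log | squash_repeats
```

Comparing on the description rather than the whole line is the important detail: every log entry carries a fresh timestamp, so a naive `uniq` would never collapse anything. The dots also preserve information, since counting them tells you how many copies of a message were suppressed.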