bin/65258: save /etc/rc.firewall from changing for standard firewall types

Valentin Nechayev netch at netch.kiev.ua
Tue Apr 6 10:21:48 PDT 2004


>Number:         65258
>Category:       bin
>Synopsis:       save /etc/rc.firewall from changing for standard firewall types
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 06 10:20:08 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Valentin Nechayev
>Release:        FreeBSD 5.2.1-RELEASE i386
>Organization:
home sweet home
>Environment:
FreeBSD 5.2.1-RELEASE
FreeBSD 4.9-RELEASE

(last -current has the same file)

>Description:

When setting up a firewall of a standard type, one unfortunately has to edit
/etc/rc.firewall for the network, netmask and local IP.
The local IP isn't required since ipfw began understanding `me'.
The network and netmask are better taken from rc.conf.

>How-To-Repeat:

Use a standard firewall type.

>Fix:

--- src/etc/rc.firewall.0	Tue Apr  6 19:40:15 2004
+++ src/etc/rc.firewall	Tue Apr  6 20:00:24 2004
@@ -151,15 +151,16 @@
 	############
 
 	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
-	ip="192.0.2.1"
+	net="$firewall_client_net"
+	mask="$firewall_client_mask"
+	test -z "$net" && net="192.0.2.0"
+	test -z "$mask" && mask="255.255.255.0"
 
 	setup_loopback
 
 	# Allow any traffic to or from my own net.
-	${fwcmd} add pass all from ${ip} to ${net}:${mask}
-	${fwcmd} add pass all from ${net}:${mask} to ${ip}
+	${fwcmd} add pass all from me to ${net}:${mask}
+	${fwcmd} add pass all from ${net}:${mask} to me
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
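Review bot: The `test -z` fallbacks after the `net=`/`mask=` lines silently substitute the 192.0.2.0/24 placeholder when the rc.conf variable is empty, and that placeholder disagrees with the 10.0.0.0/8 values the same patch adds to defaults/rc.conf, so the effective default depends on whether the defaults file was sourced before this point. Because the rule `${fwcmd} add pass all from ${net}:${mask} to me` trusts the whole configured network, a silent fallback is the wrong failure mode; at minimum report it, e.g. `test -z "$net" && { echo "firewall_client_net is unset, using placeholder" >&2; net="192.0.2.0"; }`. The comment `# set these to your network and netmask and ip` is now stale, since the values come from rc.conf and `ip` no longer exists; suggest `# network and netmask come from firewall_client_net/_mask in rc.conf`. The case branch these lines belong to starts before the hunk.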
@@ -168,19 +169,19 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to ${ip} 25 setup
+	${fwcmd} add pass tcp from any to me 25 setup
 
 	# Allow setup of outgoing TCP connections only
-	${fwcmd} add pass tcp from ${ip} to any setup
+	${fwcmd} add pass tcp from me to any setup
 
 	# Disallow setup of all other TCP connections
 	${fwcmd} add deny tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from ${ip} to any 53 keep-state
+	${fwcmd} add pass udp from me to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from ${ip} to any 123 keep-state
+	${fwcmd} add pass udp from me to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -195,16 +196,20 @@
 	############
 
 	# set these to your outside interface network and netmask and ip
-	oif="ed0"
-	onet="192.0.2.0"
-	omask="255.255.255.240"
-	oip="192.0.2.1"
+	oif="$firewall_simple_oif"
+	onet="$firewall_simple_onet"
+	omask="$firewall_simple_omask"
+	test -z "$oif" && oif="ed0"
+	test -z "$onet" && onet="192.0.2.0"
+	test -z "$omask" && omask="255.255.255.240"
 
 	# set these to your inside interface network and netmask and ip
-	iif="ed1"
-	inet="192.0.2.16"
-	imask="255.255.255.240"
-	iip="192.0.2.17"
+	iif="$firewall_simple_iif"
+	inet="$firewall_simple_inet"
+	imask="$firewall_simple_imask"
+	test -z "$iif" && iif="ed1"
+	test -z "$inet" && inet="192.0.2.16"
+	test -z "$imask" && imask="255.255.255.240"
 
 	setup_loopback
 
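Review bot: Removing the `oip=` and `iip=` assignments means any rule of the simple section that still references `${oip}` or `${iip}` outside these hunks now expands to an empty string, which changes the rule's meaning instead of failing loudly; the section's rules continue past this hunk, so the remaining lines should be checked for both names before this is committed. The six `var="$firewall_simple_x"` / `test -z "$var" && var=...` pairs read more clearly as shell parameter defaults, e.g. `oif="${firewall_simple_oif:-ed0}"`, which also avoids the second assignment. The two `# set these to your ... and ip` comments no longer describe what happens here; suggest `# taken from firewall_simple_* in rc.conf; edit there, not here` for both.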
@@ -262,15 +267,15 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to ${oip} 25 setup
+	${fwcmd} add pass tcp from any to me 25 setup
 
 	# Allow access to our DNS
-	${fwcmd} add pass tcp from any to ${oip} 53 setup
-	${fwcmd} add pass udp from any to ${oip} 53
-	${fwcmd} add pass udp from ${oip} 53 to any
+	${fwcmd} add pass tcp from any to me 53 setup
+	${fwcmd} add pass udp from any to me 53
+	${fwcmd} add pass udp from me 53 to any
 
 	# Allow access to our WWW
-	${fwcmd} add pass tcp from any to ${oip} 80 setup
+	${fwcmd} add pass tcp from any to me 80 setup
 
 	# Reject&Log all setup of incoming connections from the outside
 	${fwcmd} add deny log tcp from any to any in via ${oif} setup
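Review bot: Replacing `${oip}` with `me` in the SMTP, DNS and WWW rules widens them: `me` matches every address configured on the host, so these setups are now also accepted when addressed to the inside interface's address, which the old `${oip}`-only rules did not allow. That is presumably wanted for the DNS rules (inside clients reaching the firewall by its inside address) but it is a behaviour change the comments should state, e.g. `# Allow access to our DNS (on any local address, not only the outside one)`. If only the outside address is meant to accept SMTP/WWW setups, those rules need `in via ${oif}` or a retained outside-address variable rather than `me`. The client-type hunk at L70 makes the same substitution; on a single-homed host the difference is presumably moot, and the hunk at L144 substitutes only on the source side. The enclosing case branch starts outside the hunk.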
@@ -279,10 +284,10 @@
 	${fwcmd} add pass tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from ${oip} to any 53 keep-state
+	${fwcmd} add pass udp from me to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from ${oip} to any 123 keep-state
+	${fwcmd} add pass udp from me to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel

--- src/etc/defaults/rc.conf.0	Tue Apr  6 20:06:34 2004
+++ src/etc/defaults/rc.conf	Tue Apr  6 20:10:14 2004
@@ -69,6 +69,14 @@
 firewall_quiet="NO"		# Set to YES to suppress rule display
 firewall_logging="NO"		# Set to YES to enable events logging
 firewall_flags=""		# Flags passed to ipfw when type is a file
+firewall_client_net="10.0.0.0"	# Network base for "client" firewall type.
+firewall_client_mask="255.0.0.0"	# Network mask for "client" firewall type.
+firewall_simple_inet="10.0.0.0"	# Internal network base for "simple" firewall type.
+firewall_simple_imask="255.0.0.0"	# Internal network mask for "simple" firewall type.
+firewall_simple_iif="rl0"	# Internal network interface for "simple" firewall type.
+firewall_simple_onet="192.0.2.0"	# Internal network base for "simple" firewall type.
+firewall_simple_omask="255.255.255.0"	# Internal network mask for "simple" firewall type.
+firewall_simple_oif="xl0"	# Internal network interface for "simple" firewall type.
 ip_portrange_first="NO"		# Set first dynamically allocated port
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)
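Review bot: The comments on `firewall_simple_onet`, `firewall_simple_omask` and `firewall_simple_oif` say "Internal" although rc.firewall uses these as the outside interface's network, mask and interface; they should read `# Outside network base for "simple" firewall type.`, `# Outside network mask for "simple" firewall type.` and `# Outside network interface for "simple" firewall type.`. Shipping 10.0.0.0/255.0.0.0 as the default for `firewall_client_net`/`_mask` and `firewall_simple_inet`/`_imask` means a host that enables one of these types without touching rc.conf gets a pass-all rule for the whole 10/8 range, whereas the old hard-coded 192.0.2.0 placeholder matched no real traffic; the inert placeholder, or an empty value that rc.firewall refuses, is the safer shipped default. The rl0/xl0 interface defaults are likewise arbitrary and deserve a comment saying they must be set to the real interfaces.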
>Release-Note:
>Audit-Trail:
>Unformatted:

