bin/65258: save /etc/rc.firewall from changing for standard firewall types
Valentin Nechayev
netch at netch.kiev.ua
Tue Apr 6 10:21:48 PDT 2004
>Number: 65258
>Category: bin
>Synopsis: save /etc/rc.firewall from changing for standard firewall types
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 06 10:20:08 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Valentin Nechayev
>Release: FreeBSD 5.2.1-RELEASE i386
>Organization:
home sweet home
>Environment:
FreeBSD 5.2.1-RELEASE
FreeBSD 4.9-RELEASE
(last -current has the same file)
>Description:
When setting up a firewall of a standard type, one unfortunately has to edit
/etc/rc.firewall for the network, netmask and local ip.
The local ip isn't required since ipfw began to understand `me'.
The network and netmask are better taken from rc.conf.
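As an added example (not part of this PR or of FreeBSD's rc.firewall), a POSIX sh check for the rc.conf-sourced network/netmask pair before it is spliced into an ipfw `net:mask` operand, using the same fallback defaults as the patch; the function names and the rc.conf values shown are constructed.

```shell
# Added example, not part of the PR: validate the network/netmask pair that the
# patched rc.firewall takes from rc.conf before it becomes an ipfw net:mask rule.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_quad() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print a dotted quad as a 32-bit unsigned integer (caller validated it).
quad_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 only if the mask is contiguous (ones then zeros) and the network
# base has no host bits set; ipfw would otherwise mask silently and the rule
# would not cover what the administrator wrote in rc.conf.
check_net_mask() {
    valid_quad "$1" && valid_quad "$2" || return 1
    n=$(quad_to_int "$1"); m=$(quad_to_int "$2")
    inv=$(( (~m) & 4294967295 ))                   # host-bit mask
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1   # contiguous check
    [ $(( n & inv )) -eq 0 ] || return 1           # no host bits in base
    return 0
}

# Same fallback rule as the patch (rc.conf value, else built-in default),
# then refuse to emit a rule operand from a bad pair.
resolve_client_net() {
    net=${firewall_client_net:-192.0.2.0}
    mask=${firewall_client_mask:-255.255.255.0}
    check_net_mask "$net" "$mask" || return 1
    echo "${net}:${mask}"
}

# Constructed rc.conf settings, as the patch's defaults/rc.conf hunk would set.
firewall_client_net="10.0.0.0"
firewall_client_mask="255.0.0.0"
if operand=$(resolve_client_net); then
    echo "ipfw add pass all from me to $operand"
else
    echo "refusing to build client rule: bad firewall_client_net/mask" >&2
fi
```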
>How-To-Repeat:
Use a standard firewall type.
>Fix:
--- src/etc/rc.firewall.0 Tue Apr 6 19:40:15 2004
+++ src/etc/rc.firewall Tue Apr 6 20:00:24 2004
@@ -151,15 +151,16 @@
############
# set these to your network and netmask and ip
- net="192.0.2.0"
- mask="255.255.255.0"
- ip="192.0.2.1"
+ net="$firewall_client_net"
+ mask="$firewall_client_mask"
+ test -z "$net" && net="192.0.2.0"
+ test -z "$mask" && mask="255.255.255.0"
setup_loopback
# Allow any traffic to or from my own net.
- ${fwcmd} add pass all from ${ip} to ${net}:${mask}
- ${fwcmd} add pass all from ${net}:${mask} to ${ip}
+ ${fwcmd} add pass all from me to ${net}:${mask}
+ ${fwcmd} add pass all from ${net}:${mask} to me
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
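Review bot: the unchanged comment `# set these to your network and netmask and ip` above this block is now stale, since `ip` no longer exists and `net`/`mask` are read from rc.conf; reword it to say the values come from firewall_client_net/firewall_client_mask. Note also that `from me to ${net}:${mask}` / `from ${net}:${mask} to me` match every address configured on the host rather than the single ${ip} the old rules used, which is the intent of the change but is worth stating in that comment. The `test -z "$net" && net=...` fallbacks work; `${net:-192.0.2.0}` would be the more idiomatic sh for the same thing.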
@@ -168,19 +169,19 @@
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${ip} 25 setup
+ ${fwcmd} add pass tcp from any to me 25 setup
# Allow setup of outgoing TCP connections only
- ${fwcmd} add pass tcp from ${ip} to any setup
+ ${fwcmd} add pass tcp from me to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from ${ip} to any 53 keep-state
+ ${fwcmd} add pass udp from me to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from ${ip} to any 123 keep-state
+ ${fwcmd} add pass udp from me to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
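Review bot: `add pass tcp from any to me 25 setup` now accepts SMTP setup on every local address instead of only ${ip}; fine for the client type, but a multi-homed client gets port 25 reachable on all of its interfaces, so a short note in the "Allow setup of incoming email" comment would help readers who copy this type.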
@@ -195,16 +196,20 @@
############
# set these to your outside interface network and netmask and ip
- oif="ed0"
- onet="192.0.2.0"
- omask="255.255.255.240"
- oip="192.0.2.1"
+ oif="$firewall_simple_oif"
+ onet="$firewall_simple_onet"
+ omask="$firewall_simple_omask"
+ test -z "$oif" && oif="ed0"
+ test -z "$onet" && onet="192.0.2.0"
+ test -z "$omask" && omask="255.255.255.240"
# set these to your inside interface network and netmask and ip
- iif="ed1"
- inet="192.0.2.16"
- imask="255.255.255.240"
- iip="192.0.2.17"
+ iif="$firewall_simple_iif"
+ inet="$firewall_simple_inet"
+ imask="$firewall_simple_imask"
+ test -z "$iif" && iif="ed1"
+ test -z "$inet" && inet="192.0.2.16"
+ test -z "$imask" && imask="255.255.255.240"
setup_loopback
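Review bot: this hunk removes the `oip` and `iip` assignments but only the `${oip}` uses are rewritten in the following hunks; if any rule in the rest of the simple section still references `${iip}`, it would now expand to an empty string and silently yield a different rule, so grep the whole simple block before committing. The two context comments `# set these to your outside interface network and netmask and ip` and the inside-interface one still say "and ip" and should instead point at the new firewall_simple_* variables. The built-in fallbacks here (ed0/ed1, 192.0.2.0, 192.0.2.16) also differ from the defaults proposed for /etc/defaults/rc.conf in the second file, so a user will see different values depending on which file they read.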
@@ -262,15 +267,15 @@
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${oip} 25 setup
+ ${fwcmd} add pass tcp from any to me 25 setup
# Allow access to our DNS
- ${fwcmd} add pass tcp from any to ${oip} 53 setup
- ${fwcmd} add pass udp from any to ${oip} 53
- ${fwcmd} add pass udp from ${oip} 53 to any
+ ${fwcmd} add pass tcp from any to me 53 setup
+ ${fwcmd} add pass udp from any to me 53
+ ${fwcmd} add pass udp from me 53 to any
# Allow access to our WWW
- ${fwcmd} add pass tcp from any to ${oip} 80 setup
+ ${fwcmd} add pass tcp from any to me 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
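Review bot: the `to me` rules for ports 25, 53 and 80 now also match the inside interface address, where the originals matched only ${oip}; since the deny-log rule just below is limited to `in via ${oif}`, and a later `pass tcp from any to any setup` exists in this type, the practical effect is small, but the scope change should be mentioned in the comments, or the rules written as `to me ... in via ${oif}` if the outside-only scope was meant to be preserved.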
@@ -279,10 +284,10 @@
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from ${oip} to any 53 keep-state
+ ${fwcmd} add pass udp from me to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from ${oip} to any 123 keep-state
+ ${fwcmd} add pass udp from me to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
--- src/etc/defaults/rc.conf.0 Tue Apr 6 20:06:34 2004
+++ src/etc/defaults/rc.conf Tue Apr 6 20:10:14 2004
@@ -69,6 +69,14 @@
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
+firewall_client_net="10.0.0.0" # Network base for "client" firewall type.
+firewall_client_mask="255.0.0.0" # Network mask for "client" firewall type.
+firewall_simple_inet="10.0.0.0" # Internal network base for "simple" firewall type.
+firewall_simple_imask="255.0.0.0" # Internal network mask for "simple" firewall type.
+firewall_simple_iif="rl0" # Internal network interface for "simple" firewall type.
+firewall_simple_onet="192.0.2.0" # Internal network base for "simple" firewall type.
+firewall_simple_omask="255.255.255.0" # Internal network mask for "simple" firewall type.
+firewall_simple_oif="xl0" # Internal network interface for "simple" firewall type.
ip_portrange_first="NO" # Set first dynamically allocated port
ip_portrange_last="NO" # Set last dynamically allocated port
ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
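Review bot: the comments on firewall_simple_onet, firewall_simple_omask and firewall_simple_oif read "Internal network ..." but these feed `onet`/`omask`/`oif`, i.e. the outside network, mask and interface; change them to "External ...". The defaults chosen here (10.0.0.0/255.0.0.0, rl0, xl0) do not match the fallbacks hardcoded in rc.firewall (192.0.2.0/255.255.255.0 and ed0/ed1), and because /etc/defaults/rc.conf is always sourced first, the `test -z` fallbacks in rc.firewall will never fire; pick one set of defaults and use it in both files. The new variables also need documenting in rc.conf(5).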
>Release-Note:
>Audit-Trail:
>Unformatted: