author | jhb <jhb@FreeBSD.org> | 2008-08-15 19:14:25 +0000 |
---|---|---|
committer | jhb <jhb@FreeBSD.org> | 2008-08-15 19:14:25 +0000 |
commit | 879012b8bdb81c0666a6fc8060b9f1a51f6e7501 (patch) | |
tree | 131b871ba1d359c0d268f3b199dc3d8fa6fdd716 | |
parent | 358e19cca4f4fa0119351482a80556676a4587d5 (diff) | |
For the "client" and "simple" network types, collapse the separate "net"
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice). Update the example settings to match.
MFC after: 2 weeks
-rw-r--r-- | etc/rc.firewall | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall index 6e9d9d0..980fb52 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -166,16 +166,15 @@ case ${firewall_type} in # against people from outside your own network. ############ - # set these to your network and netmask and ip - net="192.0.2.0" - mask="255.255.255.0" + # set these to your network + net="192.0.2.0/24" # Allow limited broadcast traffic from my own net. - ${fwcmd} add pass all from ${net}:${mask} to 255.255.255.255 + ${fwcmd} add pass all from ${net} to 255.255.255.255 # Allow any traffic to or from my own net. - ${fwcmd} add pass all from me to ${net}:${mask} - ${fwcmd} add pass all from ${net}:${mask} to me + ${fwcmd} add pass all from me to ${net} + ${fwcmd} add pass all from ${net} to me # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -210,19 +209,17 @@ case ${firewall_type} in # on the inside at this machine for those services. ############ - # set these to your outside interface network and netmask and ip + # set these to your outside interface network oif="ed0" - onet="192.0.2.0" - omask="255.255.255.240" + onet="192.0.2.0/28" - # set these to your inside interface network and netmask and ip + # set these to your inside interface network iif="ed1" - inet="192.0.2.16" - imask="255.255.255.240" + inet="192.0.2.16/28" # Stop spoofing - ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} - ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} + ${fwcmd} add deny all from ${inet} to any in via ${oif} + ${fwcmd} add deny all from ${onet} to any in via ${iif} # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} |
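Review bot: in the first hunk (the `client` section around line 166) the new comment `# set these to your network` should state what form `net` must take: the commit message says the user may supply either a netmask or a prefix length, but the example shows only `192.0.2.0/24`. Suggest `# set this to your network with a netmask (192.0.2.0:255.255.255.0) or prefix length (192.0.2.0/24)`, because ipfw treats a bare address such as `net="192.0.2.0"` as a single host, and the `pass all from ${net} to 255.255.255.255` and `from me to ${net}` rules would then cover one address instead of the whole network.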
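Review bot: in the second hunk (the `simple` section around line 210) the anti-spoofing rules `deny all from ${inet} to any in via ${oif}` and `deny all from ${onet} to any in via ${iif}` now depend entirely on `onet` and `inet` carrying a mask or prefix length; a bare address would deny only that one host and leave the rest of the subnet uncovered by these two rules. The comments `# set these to your outside interface network` and `# set these to your inside interface network` should say so explicitly, for example `network with netmask or prefix length, e.g. 192.0.2.0/28`, matching the documented choice in the commit message.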