author | cjc <cjc@FreeBSD.org> | 2002-02-21 13:14:19 +0000 |
---|---|---|
committer | cjc <cjc@FreeBSD.org> | 2002-02-21 13:14:19 +0000 |
commit | f8646944152674ae29799337cf8652dc6a1d46e9 (patch) | |
tree | 2417849c6082af2f7bb40e4386537d24fa7cc7a9 /etc/rc.firewall6 | |
parent | 410e57d607b880921d54f9943b712bc5cca607cd (diff) | |
download | FreeBSD-src-f8646944152674ae29799337cf8652dc6a1d46e9.zip FreeBSD-src-f8646944152674ae29799337cf8652dc6a1d46e9.tar.gz |
Bring rc.firewall{,6} more in line with the word and spirit of
rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not
exist in the code.
- When provided a ruleset, the system should not make any assumptions
about the site's policy and should add no rules of its own.
- Make the "UNKNOWN" type (documented in-line) actually work as advertised:
load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week
Diffstat (limited to 'etc/rc.firewall6')
-rw-r--r-- | etc/rc.firewall6 | 37 |
1 files changed, 24 insertions, 13 deletions
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index 882737b..a8cd69c 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
@@ -49,6 +49,21 @@ fi
 # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
+setup_local () {
+ ############
+ # Only in rare cases do you want to change these rules
+ #
+ ${fw6cmd} add 100 pass all from any to any via lo0
+ #
+ # ND
+ #
+ # DAD
+ ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+ # RS, RA, NS, NA, redirect...
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+}
+
 if [ -n "${1}" ]; then
 ipv6_firewall_type="${1}"
 fi
@@ -78,24 +93,12 @@ ${fw6cmd} -f flush
 #
 # ${fw6cmd} add 65000 pass all from any to any
-############
-# Only in rare cases do you want to change these rules
-#
-${fw6cmd} add 100 pass all from any to any via lo0
-#
-# ND
-#
-# DAD
-${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
-# RS, RA, NS, NA, redirect...
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
-
 # Prototype setups.
 #
 case ${ipv6_firewall_type} in
 [Oo][Pp][Ee][Nn])
+ setup_local
 ${fw6cmd} add 65000 pass all from any to any
 ;;
@@ -113,6 +116,8 @@ case ${ipv6_firewall_type} in
 prefixlen="64"
 ip="3ffe:505:2:1::1"
+ setup_local
+
 # Allow any traffic to or from my own net.
 ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
 ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
@@ -174,6 +179,8 @@ case ${ipv6_firewall_type} in
 iprefixlen="64"
 iip="3ffe:505:2:2::1"
+ setup_local
+
 # Stop spoofing
 ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
 ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
@@ -265,6 +272,10 @@ case ${ipv6_firewall_type} in
 # config file.
 ;;
+[Cc][Ll][Oo][Ss][Ee][Dd])
+ # Only enable the loopback interface
+ ${fw6cmd} add 100 pass all from any to any via lo0
+ ;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 ;;
 *) |
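Review bot: setup_local passes everything via lo0 but adds no rule rejecting packets that carry the loopback address on other interfaces, so a packet with a `::1` source or destination arriving on a physical interface is left to whatever per-type `pass` rules follow in the arms that call this function. The IPv6 input path may already discard such packets, so this is defence in depth, but stating it in the ruleset keeps the policy visible and auditable: `${fw6cmd} add 200 deny all from any to ::1` and `${fw6cmd} add 300 deny all from ::1 to any`, placed right after the rule-100 lo0 pass. The function also has no header comment saying what it is for; a line such as `# Loopback and neighbour-discovery rules shared by the firewall types that call this` above `setup_local () {` would tell the next editor why the block moved out of the top-level flow.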
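Review bot: The new `closed` arm adds only the lo0 pass rule, so its "deny everything else" behaviour depends entirely on the kernel's default rule being deny; if the ip6fw kernel was built with a default-to-accept option (IPV6FIREWALL_DEFAULT_TO_ACCEPT, if memory serves), this type would pass all traffic while reporting itself as closed. An explicit terminal rule, `${fw6cmd} add 65000 deny all from any to any`, makes the closed policy independent of the kernel configuration and mirrors the explicit `add 65000 pass` the open arm already uses. The arm also skips setup_local, presumably on purpose so that no neighbour-discovery traffic is accepted; the comment could say so, e.g. `# Loopback only: no neighbour discovery, everything else falls to the default deny`. The surrounding case statement starts and ends outside this hunk.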