author | cjc <cjc@FreeBSD.org> | 2002-02-21 13:14:19 +0000 |
---|---|---|
committer | cjc <cjc@FreeBSD.org> | 2002-02-21 13:14:19 +0000 |
commit | f8646944152674ae29799337cf8652dc6a1d46e9 (patch) | |
tree | 2417849c6082af2f7bb40e4386537d24fa7cc7a9 /etc/rc.firewall | |
parent | 410e57d607b880921d54f9943b712bc5cca607cd (diff) | |
download | FreeBSD-src-f8646944152674ae29799337cf8652dc6a1d46e9.zip FreeBSD-src-f8646944152674ae29799337cf8652dc6a1d46e9.tar.gz |
Bring rc.firewall{,6} more in line with the word and spirit of
rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not
exist in the code.
- When provided a ruleset, the system should not make any assumptions
about the sites's policy and should add no rules of its own.
- Make the "UNKNOWN" type (documented in-line) actually work as advertised:
load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r-- | etc/rc.firewall | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 68e2ef0..57ce6bf 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -76,6 +76,15 @@ fi
# http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#
+setup_loopback () {
+ ############
+ # Only in rare cases do you want to change these rules
+ #
+ ${fwcmd} add 100 pass all from any to any via lo0
+ ${fwcmd} add 200 deny all from any to 127.0.0.0/8
+ ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
+
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
@@ -125,18 +134,12 @@ esac
# # ${fwcmd} add 65000 pass all from any to any
-############
-# Only in rare cases do you want to change these rules
-#
-${fwcmd} add 100 pass all from any to any via lo0
-${fwcmd} add 200 deny all from any to 127.0.0.0/8
-${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-
# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
+ setup_loopback
${fwcmd} add 65000 pass all from any to any
;;
@@ -151,6 +154,8 @@ case ${firewall_type} in
mask="255.255.255.0"
ip="192.0.2.1"
+ setup_loopback
+
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}
@@ -200,6 +205,8 @@ case ${firewall_type} in
imask="255.255.255.240"
iip="192.0.2.17"
+ setup_loopback
+
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
@@ -281,6 +288,9 @@ case ${firewall_type} in
# config file.
;;
+[Cc][Ll][Oo][Ss][Ee][Dd])
+ setup_loopback
+ ;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
;;
*) |
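Review bot: In `setup_loopback`, rule 300 is spelled `deny ip from 127.0.0.0/8 to any` while rules 100 and 200 use `all`; ipfw(8) treats `all` and `ip` as synonyms, so nothing changes at runtime, but the mixed spelling inside a three-line block makes a reader hunt for a difference that is not there — `${fwcmd} add 300 deny all from 127.0.0.0/8 to any` keeps the block uniform. The function is also undocumented: it takes no arguments, depends on the global `fwcmd`, and installs the fixed rule numbers 100–300, so a one-line header such as `# Loopback sanity rules (100-300): pass lo0, drop 127/8 entering or leaving via any other interface. Uses the global fwcmd; every firewall_type except UNKNOWN must call it.` would tell the next person adding a type what they are expected to do. Whether an earlier flush keeps repeated calls from accumulating duplicate rules is not visible in this hunk.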
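Review bot: The new `closed` branch installs only the three loopback rules and then relies on the kernel's default rule to drop everything else, so on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT (not visible here) `firewall_type="closed"` would in fact pass all non-loopback traffic — the opposite of what the type name and rc.conf(5) promise. An explicit terminal deny after `setup_loopback`, `${fwcmd} add 65000 deny ip from any to any`, makes the type closed regardless of how the kernel default was configured and mirrors the explicit `add 65000 pass` the `open` branch carries. The `UNKNOWN` branch deliberately loads nothing and therefore inherits whatever the kernel default is; a comment there, `# UNKNOWN: load no rules at all; the kernel default rule decides what passes.`, would keep it from being mistaken for a closed policy. The `case` statement these branches belong to starts before the hunk.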