From f8646944152674ae29799337cf8652dc6a1d46e9 Mon Sep 17 00:00:00 2001
From: cjc
Date: Thu, 21 Feb 2002 13:14:19 +0000
Subject: Bring rc.firewall{,6} more in line with the word and spirit of rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not exist in the code.
- When provided a ruleset, the system should not make any assumptions about the sites's policy and should add no rules of its own.
- Make the "UNKNOWN" (documented in-line) actual work as advertised, load no rules.
Prodded by: Igor M Podlesny
MFC after: 1 week
---
 etc/rc.firewall6 | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
(limited to 'etc/rc.firewall6')
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index 882737b..a8cd69c 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
@@ -49,6 +49,21 @@ fi
 # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
+setup_local () {
+ ############
+ # Only in rare cases do you want to change these rules
+ #
+ ${fw6cmd} add 100 pass all from any to any via lo0
+ #
+ # ND
+ #
+ # DAD
+ ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+ # RS, RA, NS, NA, redirect...
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+}
+
 if [ -n "${1}" ]; then
 ipv6_firewall_type="${1}"
 fi
@@ -78,24 +93,12 @@ ${fw6cmd} -f flush
 #
 # ${fw6cmd} add 65000 pass all from any to any
-############
-# Only in rare cases do you want to change these rules
-#
-${fw6cmd} add 100 pass all from any to any via lo0
-#
-# ND
-#
-# DAD
-${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
-# RS, RA, NS, NA, redirect...
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
-
 # Prototype setups.
 #
 case ${ipv6_firewall_type} in
 [Oo][Pp][Ee][Nn])
+ setup_local
 ${fw6cmd} add 65000 pass all from any to any
 ;;
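Review bot: `setup_local` has no header comment stating its contract, and the body alone does not tell a reader that the loopback rule is pinned at number 100 while the three ND rules carry no number and are placed after whatever was added before them, so the function only gives ND traffic precedence when it is called before any deny rule covering that traffic (every prototype arm does call it first, but nothing records that this is required). I would add above the definition `# Rules every prototype type needs: pass lo0 at rule 100 and the ICMPv6 neighbour-discovery rules (DAD, RS/RA/NS/NA, redirect). Call before any deny rule: unnumbered rules are placed in insertion order.` The same lo0 rule is repeated literally in the new closed arm in the last hunk, so a future change to one must be mirrored in the other. `${fw6cmd}` is expanded when the function runs, not where it is defined, so the definition sitting above the flush is fine provided the variable is set earlier in the file, which is not visible here.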
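Review bot: The removed block was the only place the lo0 and ND rules were installed unconditionally, so after this hunk the `*)` ruleset-file arm and the `UNKNOWN` arm leave a host with no loopback or neighbour-discovery rules at all; that is the commit's stated intent, but the code says nothing about it at the point an administrator reads when choosing a type. I would extend the comment above the case: `# Prototype setups. The lo0 and ICMPv6 ND rules are added only by setup_local, i.e. by the prototype types below; a ruleset file named in ipv6_firewall_type must supply its own.` Whether rc.conf(5) already spells this out cannot be checked from this hunk.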
@@ -113,6 +116,8 @@ case ${ipv6_firewall_type} in
 prefixlen="64"
 ip="3ffe:505:2:1::1"
+ setup_local
+
 # Allow any traffic to or from my own net.
 ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
 ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
@@ -174,6 +179,8 @@ case ${ipv6_firewall_type} in
 iprefixlen="64"
 iip="3ffe:505:2:2::1"
+ setup_local
+
 # Stop spoofing
 ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
 ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
@@ -265,6 +272,10 @@ case ${ipv6_firewall_type} in
 # config file.
 ;;
+[Cc][Ll][Oo][Ss][Ee][Dd])
+ # Only enable the loopback interface
+ ${fw6cmd} add 100 pass all from any to any via lo0
+ ;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 ;;
 *)
-- cgit v1.1
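Review bot: In the client arm here and the simple arm in the next hunk, `setup_local` is inserted after the address variables and before the first `${fw6cmd} add` line, and that position is load-bearing: the ND rules it installs carry no explicit number, so they only take effect ahead of the `deny` lines that follow in the simple arm because they are added first, and nothing in the new lines says the call may not be moved. A trailing comment would protect that, e.g. `setup_local	# keep before the deny rules below: unnumbered rules are placed in insertion order`. Both enclosing case arms start and end outside the hunk.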
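Review bot: The new closed arm installs only the lo0 pass and none of the ICMPv6 neighbour-discovery rules that `setup_local` gives every other type, so if the ruleset ends in an implicit deny (the explicit `pass` rules in the other arms suggest so; the default rule itself is not visible here) the host cannot complete DAD, answer neighbour solicitations or receive router advertisements on any interface. If that is what "closed" is meant to be, the comment should state it rather than mention only the loopback, e.g. `# Only enable the loopback interface; deliberately no ND rules, so the host is unreachable even on link-local`. The lo0 line is also a verbatim copy of the one in `setup_local` (first hunk), so changes to one must be mirrored in the other.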