From 879012b8bdb81c0666a6fc8060b9f1a51f6e7501 Mon Sep 17 00:00:00 2001
From: jhb
Date: Fri, 15 Aug 2008 19:14:25 +0000
Subject: For the "client" and "simple" network types, collapse the separate "net" and "mask" variables into a single "net" variable that contains a full network address (including either a netmask or prefix length at the user's choice). Update the example settings to match.
MFC after: 2 weeks
---
 etc/rc.firewall | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)
(limited to 'etc')
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 6e9d9d0..980fb52 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -166,16 +166,15 @@ case ${firewall_type} in
 	# against people from outside your own network.
 	############
 
-	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
+	# set these to your network
+	net="192.0.2.0/24"
 
 	# Allow limited broadcast traffic from my own net.
-	${fwcmd} add pass all from ${net}:${mask} to 255.255.255.255
+	${fwcmd} add pass all from ${net} to 255.255.255.255
 
 	# Allow any traffic to or from my own net.
-	${fwcmd} add pass all from me to ${net}:${mask}
-	${fwcmd} add pass all from ${net}:${mask} to me
+	${fwcmd} add pass all from me to ${net}
+	${fwcmd} add pass all from ${net} to me
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
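Review bot: The new comment `# set these to your network` no longer tells the user that the value must carry a prefix length or netmask, even though the rules below now hand `${net}` to ipfw unqualified; a user who keeps a bare address such as `192.0.2.0` (the old `net` form) gets a single-host match, since ipfw treats an address without a mask as one host, so the "Allow any traffic to or from my own net" rules quietly shrink to one address instead of failing. I would make the expected form explicit: `# set this to your network, with a prefix length or netmask (e.g. 192.0.2.0/24 or 192.0.2.0:255.255.255.0)`. The same applies to the `onet` and `inet` comments in the second hunk, where the consequence is worse because the "Stop spoofing" deny rules would then cover only one address per interface rather than the whole subnet. The enclosing `case ${firewall_type}` arm begins before the hunk.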
@@ -210,19 +209,17 @@ case ${firewall_type} in
 	# on the inside at this machine for those services.
 	############
 
-	# set these to your outside interface network and netmask and ip
+	# set these to your outside interface network
 	oif="ed0"
-	onet="192.0.2.0"
-	omask="255.255.255.240"
+	onet="192.0.2.0/28"
 
-	# set these to your inside interface network and netmask and ip
+	# set these to your inside interface network
 	iif="ed1"
-	inet="192.0.2.16"
-	imask="255.255.255.240"
+	inet="192.0.2.16/28"
 
 	# Stop spoofing
-	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
-	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
+	${fwcmd} add deny all from ${inet} to any in via ${oif}
+	${fwcmd} add deny all from ${onet} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
-- cgit v1.1