From e18bc018d89708d1b63476116066563d36955317 Mon Sep 17 00:00:00 2001
From: alex
Date: Sun, 14 Jul 1996 16:49:55 +0000
Subject: These files have been replaced by /etc/rc.firewall.
---
share/misc/ipfw.samp.filters | 94 --------------------------------------------
share/misc/ipfw.samp.scripts | 18 ---------
2 files changed, 112 deletions(-)
delete mode 100644 share/misc/ipfw.samp.filters
delete mode 100644 share/misc/ipfw.samp.scripts
(limited to 'share/misc')
diff --git a/share/misc/ipfw.samp.filters b/share/misc/ipfw.samp.filters
deleted file mode 100644
index 304af64e..0000000
--- a/share/misc/ipfw.samp.filters
+++ /dev/null
@@ -1,94 +0,0 @@
-# A bit of background is needed here.
-#
-# - nahanni is the name of my machine on my local Ethernet. My local
-# network is a subnet of a class C network. This subnet has 29 bits for
-# for the network address and 3 bits for the host address. Consequently,
-# "nahanni/29" matches anything on my local network.
-#
-# - avalon is a (pseudonym) for a machine out on the interned that I trust
-# completely.
-#
-# - zona is the name of my end of the PPP link to my old place of work.
-# This name corresponds to an IP address on their class C network.
-# Consequently, "zona/24" matches any IP address on their network.
-#
-# - xnahanni is my end of my PPP link to the university (i.e. the Internet).
-#
-# - dab-nahanni is my end of the PPP link to my new place of work. They
-# have a class B network so "dab-nahanni/16" matches any IP address on
-# their network.
-
-# Start from scratch.
-
-ipfw flush
-
-# Basic accept filters to provide local sanity.
-# These are the IP addresses of the interfaces on my local machine.
-# The first is an Ethernet interface. The rest are PPP interfaces.
-
-ipfw addf accept all from nahanni to 0/0
-ipfw addf accept all from xnahanni to 0/0
-# handled below: ipfw addf accept all from zona to 0/0
-# handled below: ipfw addf accept all from dab-nahanni to 0/0
-
-# Trust my local network.
-
-ipfw addf accept all from nahanni/29 to 0/0
-
-# Allow anything from avalon.
-
-ipfw addf accept all from avalon to 0/0
-
-# Allow anything from our old work (they have a class C network so /24 is appropriate).
-# This also allows anything from zona (our end of the work PPP link).
-
-ipfw addf accept all from zona/24 to 0/0
-
-# Allow anything from the new work (and from our end of the PPP link to the
-# new place of work).
-
-ipfw addf accept all from dab-nahanni/16 to 0/0
-
-# Allow me to contact any external UDP service and others to contact a few
-# of my special udp services.
-
-ipfw addf accept udp from 0/0 to 0/0 900:5000 domain bootp talk ntalk route
-
-# Allow me to contact other services available on untrusted hosts.
-# This one is a bit tricky. We allow packets from any foreign port number
-# to any local port in the range 900 to 5000. When we are outbound, privileged
-# applications use port numbers slightly less than 1024 and normal applications
-# allow the local port number to be set by the system (which always picks
-# port numbers in the range 1024 to 5000.
-# The only services that we offer are for port numbers either below 900
-# or over 5000.
-#
-# This approach theoretically allows outsiders to connect to any services
-# that we may offer in the 900:5000 range. The /etc/services file lists
-# couple of services in this range (in my humble opinion, this is a bug
-# in the /etc/services file). Since we don't run any of these services,
-# allowing outsiders to connect to services in this range doesn't constitute
-# a security hole.
-
-ipfw addf accept tcp from 0/0 to 0/0 900:5000
-
-# Allow others to contact X-servers on my local network.
-# Depend on xhosts to protect things.
-
-ipfw addf accept tcp from 0/0 to nahanni/29 6000
-
-# Allow others to connect to a few basic services.
-# We don't actually run the auth service. Allowing it means that others
-# get a "connection refused" which is better than the total silence that
-# they get if we block it. Also, I've noticed a few sites try to connect
-# to it when I send them e-mail. Might as well be polite ...
-#
-# Note that I don't accept packets destined for sendmail. I send my e-mail
-# via the Internet but I receive my e-mail via uucp. If you get your e-mail
-# via the Internet then you'll have to add smtp to the list of ports to allow.
-
-ipfw addf accept tcp from 0/0 to 0/0 daytime time nameserver auth
-
-# Allow icmp stuff from anywhere (this isn't described in the README - sorry).
-
-ipfw addf accept icmp from 0/0 to 0/0
diff --git a/share/misc/ipfw.samp.scripts b/share/misc/ipfw.samp.scripts
deleted file mode 100644
index 534f0cb..0000000
--- a/share/misc/ipfw.samp.scripts
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file shows how we allow and deny users in runtime
-#
-# Default settings...They deny anybody , which connected to our
-# PPP lines,to access any host on our development network:
-# 192.114.207.*
-ipfw addf deny all from 192.114.201.231 to 192.114.208.0/24
-ipfw addf deny all from 192.114.201.232 to 192.114.208.0/24
-.....
-ipfw addf deny all from 192.114.201.238 to 192.114.208.0/24
-# VIP Login: this option executes when user VIP enters the system.
-# His IP is $VIPIP,which is one of our dial-up lines,for example
-# 192.114.201.233
-ipfw delf deny all from $VIPIP to 192.114.208.0/24
-
-# VIP Logout: the guy leaves the system...
-ipfw addf deny all from $VIPIP to 192.114.208.0/24
-
-#Thats all folks...
-- 
cgit v1.1