rc.firewall (54108) rc.firewall (56736)
1############
2# Setup system for firewall service.
1############
2# Setup system for firewall service.
3# $FreeBSD: head/etc/rc.firewall 54108 1999-12-04 01:27:51Z obrien $
3# $FreeBSD: head/etc/rc.firewall 56736 2000-01-28 11:30:28Z rgrimes $
4
5# Suck in the configuration variables.
6if [ -r /etc/defaults/rc.conf ]; then
7 . /etc/defaults/rc.conf
8elif [ -r /etc/rc.conf ]; then
9 . /etc/rc.conf
10fi
11

--- 93 unchanged lines hidden (view full) ---

105
106[Cc][Ll][Ii][Ee][Nn][Tt])
107 ############
108 # This is a prototype setup that will protect your system somewhat
109 # against people from outside your own network.
110 ############
111
112 # set these to your network and netmask and ip
4
5# Suck in the configuration variables.
6if [ -r /etc/defaults/rc.conf ]; then
7 . /etc/defaults/rc.conf
8elif [ -r /etc/rc.conf ]; then
9 . /etc/rc.conf
10fi
11

--- 93 unchanged lines hidden (view full) ---

105
106[Cc][Ll][Ii][Ee][Nn][Tt])
107 ############
108 # This is a prototype setup that will protect your system somewhat
109 # against people from outside your own network.
110 ############
111
112 # set these to your network and netmask and ip
113 net="192.168.4.0"
113 net="192.0.2.0"
114 mask="255.255.255.0"
114 mask="255.255.255.0"
115 ip="192.168.4.17"
115 ip="192.0.2.1"
116
117 # Allow any traffic to or from my own net.
118 ${fwcmd} add pass all from ${ip} to ${net}:${mask}
119 ${fwcmd} add pass all from ${net}:${mask} to ${ip}
120
121 # Allow TCP through if setup succeeded
122 ${fwcmd} add pass tcp from any to any established
123

--- 26 unchanged lines hidden (view full) ---

150 ############
151 # This is a prototype setup for a simple firewall. Configure this
152 # machine as a named server and ntp server, and point all the machines
153 # on the inside at this machine for those services.
154 ############
155
156 # set these to your outside interface network and netmask and ip
157 oif="ed0"
116
117 # Allow any traffic to or from my own net.
118 ${fwcmd} add pass all from ${ip} to ${net}:${mask}
119 ${fwcmd} add pass all from ${net}:${mask} to ${ip}
120
121 # Allow TCP through if setup succeeded
122 ${fwcmd} add pass tcp from any to any established
123

--- 26 unchanged lines hidden (view full) ---

150 ############
151 # This is a prototype setup for a simple firewall. Configure this
152 # machine as a named server and ntp server, and point all the machines
153 # on the inside at this machine for those services.
154 ############
155
156 # set these to your outside interface network and netmask and ip
157 oif="ed0"
158 onet="192.168.4.0"
159 omask="255.255.255.0"
160 oip="192.168.4.17"
158 onet="192.0.2.0"
159 omask="255.255.255.240"
160 oip="192.0.2.1"
161
162 # set these to your inside interface network and netmask and ip
163 iif="ed1"
161
162 # set these to your inside interface network and netmask and ip
163 iif="ed1"
164 inet="192.168.3.0"
165 imask="255.255.255.0"
166 iip="192.168.3.17"
164 inet="192.0.2.16"
165 imask="255.255.255.240"
166 iip="192.0.2.17"
167
168 # Stop spoofing
169 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
170 ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
171
172 # Stop RFC1918 nets on the outside interface
167
168 # Stop spoofing
169 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
170 ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
171
172 # Stop RFC1918 nets on the outside interface
173 ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
174 ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
175 ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
176 ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
177 ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
178 ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
173 ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
174 ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
175 ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
176 ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
177 ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
178 ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
179
179
180 # Stop draft-manning-dsua-01.txt nets on the outside interface
181 ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
182 ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
183 ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
184 ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
185 ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
186 ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
187 ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
188 ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
189 ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
190 ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
191
180 # Allow TCP through if setup succeeded
181 ${fwcmd} add pass tcp from any to any established
182
183 # Allow IP fragments to pass through
184 ${fwcmd} add pass all from any to any frag
185
186 # Allow setup of incoming email
187 ${fwcmd} add pass tcp from any to ${oip} 25 setup

--- 36 unchanged lines hidden ---
192 # Allow TCP through if setup succeeded
193 ${fwcmd} add pass tcp from any to any established
194
195 # Allow IP fragments to pass through
196 ${fwcmd} add pass all from any to any frag
197
198 # Allow setup of incoming email
199 ${fwcmd} add pass tcp from any to ${oip} 25 setup

--- 36 unchanged lines hidden ---
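Review bot: The placeholder addresses the simple setup now uses at lines 158-166 (`onet="192.0.2.0"`, `oip="192.0.2.1"`, `inet="192.0.2.16"`, `iip="192.0.2.17"`) all fall inside 192.0.2.0/24, which the new rules at lines 185-186 deny in both directions via ${oif}; those denies are added ahead of the pass rules at 193-199 and ipfw matches in rule order, so a host that keeps the sample values as-is would have its own outside subnet, ${oip} included, dropped on the outside interface. The same 192.0.2.x values appear in the client section at lines 113-115, where no corresponding deny exists, so only the simple section is affected. A comment above line 156 would make the hazard explicit: `# NOTE: 192.0.2.0/24 is an example/documentation range and is denied on ${oif} below; replace these values with your real addresses before use.` The enclosing case arm begins and ends outside the lines shown here.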