rc.firewall (206479) | rc.firewall (208060) |
---|---|
1#!/bin/sh - 2# Copyright (c) 1996 Poul-Henning Kamp 3# All rights reserved. 4# 5# Redistribution and use in source and binary forms, with or without 6# modification, are permitted provided that the following conditions 7# are met: 8# 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24# SUCH DAMAGE. 25# | 1#!/bin/sh - 2# Copyright (c) 1996 Poul-Henning Kamp 3# All rights reserved. 4# 5# Redistribution and use in source and binary forms, with or without 6# modification, are permitted provided that the following conditions 7# are met: 8# 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24# SUCH DAMAGE. 25# |
26# $FreeBSD: head/etc/rc.firewall 206479 2010-04-11 15:31:09Z ume $ | 26# $FreeBSD: head/etc/rc.firewall 208060 2010-05-14 04:53:57Z dougb $ |
27# 28 29# 30# Setup system for ipfw(4) firewall service. 31# 32 33# Suck in the configuration variables. 34if [ -z "${source_rc_confs_defined}" ]; then --- 421 unchanged lines hidden (view full) --- 456 457 # Allow DHCP. 458 ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out 459 ${fwcmd} add pass udp from any 67 to me 68 in 460 ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in 461 if [ $ipv6_available -eq 0 ]; then 462 ${fwcmd} add pass udp from fe80::/10 to me 546 in 463 fi | 27# 28 29# 30# Setup system for ipfw(4) firewall service. 31# 32 33# Suck in the configuration variables. 34if [ -z "${source_rc_confs_defined}" ]; then --- 421 unchanged lines hidden (view full) --- 456 457 # Allow DHCP. 458 ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out 459 ${fwcmd} add pass udp from any 67 to me 68 in 460 ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in 461 if [ $ipv6_available -eq 0 ]; then 462 ${fwcmd} add pass udp from fe80::/10 to me 546 in 463 fi |
464 # Some servers will ping the IP while trying to decide if it's | 464 # Some servers will ping the IP while trying to decide if it's |
465 # still in use. 466 ${fwcmd} add pass icmp from any to any icmptype 8 467 if [ $ipv6_available -eq 0 ]; then 468 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129 469 fi 470 471 # Allow "mandatory" ICMP in. 472 ${fwcmd} add pass icmp from any to any icmptype 3,4,11 473 if [ $ipv6_available -eq 0 ]; then 474 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3 475 fi 476 477 # Add permits for this workstations published services below 478 # Only IPs and nets in firewall_allowservices is allowed in. | 465 # still in use. 466 ${fwcmd} add pass icmp from any to any icmptype 8 467 if [ $ipv6_available -eq 0 ]; then 468 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129 469 fi 470 471 # Allow "mandatory" ICMP in. 472 ${fwcmd} add pass icmp from any to any icmptype 3,4,11 473 if [ $ipv6_available -eq 0 ]; then 474 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3 475 fi 476 477 # Add permits for this workstations published services below 478 # Only IPs and nets in firewall_allowservices is allowed in. |
479 # If you really wish to let anyone use services on your | 479 # If you really wish to let anyone use services on your |
480 # workstation, then set "firewall_allowservices='any'" in /etc/rc.conf 481 # 482 # Note: We don't use keep-state as that would allow DoS of | 480 # workstation, then set "firewall_allowservices='any'" in /etc/rc.conf 481 # 482 # Note: We don't use keep-state as that would allow DoS of |
483 # our statetable. | 483 # our statetable. |
484 # You can add 'keep-state' to the lines for slightly 485 # better performance if you fell that DoS of your 486 # workstation won't be a problem. 487 # 488 for i in ${firewall_allowservices} ; do 489 for j in ${firewall_myservices} ; do 490 ${fwcmd} add pass tcp from $i to me $j 491 done --- 48 unchanged lines hidden --- | 484 # You can add 'keep-state' to the lines for slightly 485 # better performance if you fell that DoS of your 486 # workstation won't be a problem. 487 # 488 for i in ${firewall_allowservices} ; do 489 for j in ${firewall_myservices} ; do 490 ${fwcmd} add pass tcp from $i to me $j 491 done --- 48 unchanged lines hidden --- |