Date:      Sat, 13 Apr 1996 16:02:03 +0200 (MET DST)
From:      Andreas Klemm <andreas@knobel.GUN.de>
To:        Poul-Henning Kamp <phk@critter.tfs.com>
Cc:        Bill Fenner <fenner@parc.xerox.com>, current@freebsd.org
Subject:   Re: rc.firewall has some syntax errors and sample config hangs machine 
Message-ID:  <Pine.BSF.3.92.960413153705.672A-100000@knobel.gun.de>
In-Reply-To: <14052.829301116@critter.tfs.com>

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 12 Apr 1996, Poul-Henning Kamp wrote:

> I have just committed the fix to ip_input.c, thanks for the help, and
> sorry for the delay.

Everything is working fine now. No panics anymore! Thanks!

It would be fine if the firewall configurations in /etc/rc.firewall
could be enhanced. For example, one could add more examples, so
that people could better pick up what they really need ...

I suggest adding the following, which is a typical end user configuration:
dialup to the internet via modem and PPP. Allow everything outgoing, deny
and log everything incoming... Perhaps someone could check if my ideas
of rules are ok... thanks...

Here, in short, is my ipfw policy:

FireWall chain entries: 256 0
01000 allow all from 127.0.0.1 to 127.0.0.1
01100 deny log tcp from any to any via tun0 setup
65000 allow all from any to any
65535 deny all from any to any

Here are my suggested diffs:

Index: rc.firewall
===================================================================
RCS file: /cvs/src/etc/rc.firewall,v
retrieving revision 1.2
diff -u -r1.2 rc.firewall
- --- rc.firewall	1996/04/12 09:16:42	1.2
+++ rc.firewall	1996/04/13 13:58:46
@@ -30,6 +30,11 @@
 #

 ############
+# flush all rules, so you can modify and restart rc.firewall if you like
+
+/sbin/ipfw flush
+
+############
 # If you just configured ipfw in the kernel as a tool to solve network
 # problems or you just want to disallow some particular kinds of traffic
 # they you will want to change the default policy to open.
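Review bot: the unconditional `/sbin/ipfw flush` placed at the top of the script removes every rule while the default policy stays in force, and with the default shown in the listing above (`65535 deny all from any to any`) that means anyone who re-runs rc.firewall over a network login, as the new comment "so you can modify and restart rc.firewall" invites, loses the connection until the later `add` lines restore access, and if the script aborts between the flush and those adds the machine stays closed. The comment should say that a restart belongs on the console, or the flush should be guarded so it only runs when the caller asks for it.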
@@ -41,11 +46,38 @@
 /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

 ############
- -# This is a prototype setup that will protect your system somewhat against
- -# people from outside your own network.
+# These are some prototype setups, where some will protect your system
+# somewhat against people from outside your own network.
 #
 # To enable simply change "false" to "true" in the if line and set the
 # variables to your network parameters
+
+if false ; then
+
+    # Configuration Suggestion for a typical FreeBSD "leafe-site"
+    # dials up to internet via Modem using PPP (ppp -auto ondemand)
+    # every outgoing traffic is allowed
+    # every incoming tcp traffic is denied and logged
+
+    # set these to your outside interface network and netmask and ip
+    oif="tun0"
+    onet="192.109.159.0"
+    omask="255.255.255.0"
+    oip="192.109.159.141"
+
+    # set these to your inside interface network and netmask and ip
+    iif="ed0"
+    inet="149.237.250.0"
+    imask="255.255.255.0"
+    iip="149.237.250.1"
+
+    # Reject&Log all setup of incoming connections from the outside
+    /sbin/ipfw add deny log tcp from any to any via ${oif} setup
+
+    # The rest is allowed
+    /sbin/ipfw add 65000 pass all from any to any
+
+fi

 if false ; then
     # set these to your network and netmask and ip
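Review bot: the deny rule `/sbin/ipfw add deny log tcp from any to any via ${oif} setup` is added without a rule number while the pass-all after it is pinned at 65000; ipfw walks the chain in number order, so give the deny an explicit number (1100, as in the listing in the message) rather than relying on where an unnumbered rule is slotted. Three smaller points in the same block: `via ${oif}` qualifies the interface but not the direction, while the comment two lines earlier promises that every outgoing connection is allowed, so confirm that outgoing connection setups through ${oif} are not caught as well (or restrict the rule to the inbound direction, or to `${oip}` as the destination); the comment "every incoming tcp traffic is denied and logged" overstates what the rule does, since only connection-opening segments are denied and all UDP and ICMP arriving on ${oif} fall through to rule 65000; and onet, omask, oip, iif, inet, imask and iip are assigned but never referenced, so either use them or drop them. Also "leafe-site" should read "leaf-site".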



- --
andreas@knobel.gun.de         /\/\___      Wiechers & Partner Datentechnik GmbH
   Andreas Klemm          ___/\/\/         $$  Support Unix - aklemm@wup.de  $$
pgp p-key  http://www-swiss.ai.mit.edu/~bal/pks-toplev.html  >>> powered by <<<
ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz  >>>    FreeBSD <<<

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMW+z2/MLpmkD/U+FAQFH9gP9HRpKQAoeU0uX81kk3Win2dfbip/obYV7
EkFbAVzzKsOEnVI/2GsPZU/sFlGYC0TMxAabNEGGCoU1+JyN6yEDe1VYEfV1o/vR
rWupApxq8GrrXW/2GI6yD+JkFVUjaezmLHDWOGcWPAVHE7QLxLnE5dAd7zmKG46d
1eAVpZsELAE=
=Gfck
-----END PGP SIGNATURE-----
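The four-rule policy quoted in the message is small enough to check by hand, but the two questions a reviewer would ask of it (does `via tun0` also catch outgoing connection setups, and what happens to non-TCP traffic arriving on tun0) are easier to answer by walking the chain the way the kernel does. The script below is an added example, not code from the message or from rc.firewall: a first-match evaluator for ipfw-style rules that runs entirely offline and never calls the real /sbin/ipfw. The rulesets and packets in it are constructed for illustration; it assumes that `via` matches a packet passing through the interface in either direction and that the `in` keyword is available to pin a rule to arriving packets, so the second ruleset is a suggested hardened variant rather than something the message proposes.

```shell
#!/bin/sh
# Added example (not from the message or from rc.firewall): a first-match
# evaluator for ipfw-style rules, so a ruleset can be checked offline
# before it is fed to a live /sbin/ipfw.  Rulesets and packets below are
# constructed for illustration.

# The policy as posted in the message.
RULES_AS_POSTED='01000 allow all from 127.0.0.1 to 127.0.0.1
01100 deny log tcp from any to any via tun0 setup
65000 allow all from any to any
65535 deny all from any to any'

# Same policy with the deny rule pinned to arriving packets.  Assumes the
# ipfw "in" keyword is available; "via" alone matches either direction.
RULES_DIRECTIONAL='01000 allow all from 127.0.0.1 to 127.0.0.1
01100 deny log tcp from any to any in via tun0 setup
65000 allow all from any to any
65535 deny all from any to any'

# match WANT HAVE: "any" in a rule matches every value.
match() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# ipfw_eval RULES PROTO SRC DST IFACE DIR SETUP
#   DIR is "in" or "out"; SETUP is "yes" for a TCP segment that opens a
#   connection (SYN without ACK) and "no" for anything else.
# Walks the numbered chain top to bottom and prints "<number> <action>"
# of the first rule that matches, which is how the kernel decides.
ipfw_eval() {
  proto=$2 src=$3 dst=$4 iface=$5 dir=$6 setup=$7
  printf '%s\n' "$1" | while read -r num action rest; do
    set -- $rest                     # tokens after the action keyword
    [ "$1" = log ] && shift          # logging never affects matching
    rproto=$1; shift
    shift; rsrc=$1; shift            # "from SRC"
    shift; rdst=$1; shift            # "to DST"
    rdir=any; riface=any; rsetup=no
    while [ $# -gt 0 ]; do           # optional qualifiers, any order
      case $1 in
        "in"|"out") rdir=$1 ;;
        via)        riface=$2; shift ;;
        setup)      rsetup=yes ;;
      esac
      shift
    done
    { [ "$rproto" = all ] || [ "$rproto" = "$proto" ]; } || continue
    match "$rsrc"   "$src"   || continue
    match "$rdst"   "$dst"   || continue
    match "$riface" "$iface" || continue   # "via": either direction
    match "$rdir"   "$dir"   || continue   # "in"/"out": one direction
    [ "$rsetup" = no ] || [ "$setup" = yes ] || continue
    printf '%s %s\n' "$num" "$action"
    break
  done
}

# Stand-alone demonstration with three constructed packets: an inbound
# connection attempt, an outbound one, and an inbound UDP datagram.
for pkt in "tcp 10.1.2.3 192.109.159.141 tun0 in yes" \
           "tcp 192.109.159.141 10.1.2.3 tun0 out yes" \
           "udp 10.1.2.3 192.109.159.141 tun0 in no"; do
  echo "as posted:   $pkt -> $(ipfw_eval "$RULES_AS_POSTED" $pkt)"
  echo "directional: $pkt -> $(ipfw_eval "$RULES_DIRECTIONAL" $pkt)"
done
```

Run as posted, the evaluator reports the inbound connection attempt denied by rule 1100, as intended, but under the stated assumption about `via` it reports the outbound attempt denied by the same rule, and the inbound UDP datagram passed by rule 65000 because rule 1100 names only tcp. The directional variant lets the outbound attempt through at 65000 while still logging and denying the inbound one; it does nothing about UDP or ICMP, which a dialup client with no connection tracking cannot simply block without losing DNS replies, so that gap is left visible rather than papered over.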




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.92.960413153705.672A-100000>