Date: Sat, 13 Apr 1996 18:18:44 +0200 (MET DST)
From: Andreas Klemm <andreas@knobel.gun.de>
To: Poul-Henning Kamp <phk@critter.tfs.com>
Cc: Bill Fenner <fenner@parc.xerox.com>, current@FreeBSD.ORG
Subject: Re: rc.firewall has some syntax errors and sample config hangs machine
Message-ID: <Pine.BSF.3.92.960413181733.672B-100000@knobel.gun.de>
In-Reply-To: <Pine.BSF.3.92.960413153705.672A-100000@knobel.gun.de>
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 13 Apr 1996, Andreas Klemm wrote:
> Here my suggested diffs
>
> Index: rc.firewall
> ===================================================================
> RCS file: /cvs/src/etc/rc.firewall,v
> retrieving revision 1.2
> diff -u -r1.2 rc.firewall
> --- rc.firewall 1996/04/12 09:16:42 1.2
> +++ rc.firewall 1996/04/13 13:58:46
Hmm, forget it, this one seems to be better ;-)
Index: rc.firewall
===================================================================
RCS file: /cvs/src/etc/rc.firewall,v
retrieving revision 1.2
diff -u -r1.2 rc.firewall
- --- rc.firewall 1996/04/12 09:16:42 1.2
+++ rc.firewall 1996/04/13 16:16:31
@@ -30,6 +30,11 @@
#
############
+# flush all rules, so you can modify and restart rc.firewall if you like
+
+/sbin/ipfw flush
+
+############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open.
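Review bot: `/sbin/ipfw flush` removes every existing rule before any of the new rules further down are added, so from that point until the last `add` completes the only thing in effect is the kernel's default policy: if the default is deny, re-running rc.firewall from a remote login drops that session and locks you out; if it is accept, the host is briefly unfiltered. The comment should say so and advise running the script from the console, and the flush belongs immediately before the first `add` rather than in its own section above the default-policy discussion.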
@@ -46,6 +51,47 @@
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters
+
+if false ; then
+
+ # Configuration Suggestion for a typical FreeBSD "leafe-site"
+ # dials up to internet via Modem using PPP (ppp -auto ondemand)
+ # every outgoing traffic is allowed
+ # every incoming tcp traffic is denied and logged
+
+ # set these to your outside interface network and netmask and ip
+ oif="tun0"
+ onet="192.109.159.0"
+ omask="255.255.255.0"
+ oip="192.109.159.141"
+
+ # set these to your inside interface network and netmask and ip
+ iif="ed0"
+ inet="149.237.250.0"
+ imask="255.255.255.0"
+ iip="149.237.250.1"
+
+ # allow uucp
+ /sbin/ipfw add pass tcp from any to any 540
+
+ # allow ftp
+ /sbin/ipfw add pass tcp from any to any 21
+
+ # allow telnet
+ /sbin/ipfw add pass tcp from any to any 23
+
+ # allow WWW
+ /sbin/ipfw add pass tcp from any to any 80 setup
+
+ # Reject&Log all setup of all other incoming connections from outside
+ /sbin/ipfw add deny log tcp from any to any via ${oif} setup
+
+ # Everything other is generally allowed
+ # - outgoing packets of every types
+ # - but only allowed incoming data streams as ftp and http
+ /sbin/ipfw add 65000 pass all from any to any
+
+fi
if false ; then
# set these to your network and netmask and ip
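Review bot: `/sbin/ipfw add deny log tcp from any to any via ${oif} setup` matches packets in both directions on ${oif}, so it also drops every outgoing TCP connection that is not to port 540, 21, 23 or 80 (smtp, nntp, pop and so on), which contradicts `# every outgoing traffic is allowed`; restrict it to inbound packets, i.e. `in via ${oif}` if this ipfw understands the `in` keyword. The four pass rules have the opposite problem: with no interface or direction, `pass tcp from any to any 21` also accepts connections arriving from the outside to ftp (and likewise uucp, telnet and http) on any inside host, so `# every incoming tcp traffic is denied and logged` is not what the ruleset does; scope them to outbound setups as well. Active-mode ftp data connections, which come back from server port 20 as a setup to a high port on the client, are caught by the deny rule too, and a leaf site will hit that on the first directory listing. Rule 65000 `pass all` also lets all inbound UDP and ICMP through, since the deny rule covers only TCP setups, so the closing comment about "only allowed incoming data streams" overstates it. The onet/omask/oip and iif/inet/imask/iip variables are set but never used; only ${oif} is referenced. Minor: "leafe-site" in the comment.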
-- 
andreas@knobel.gun.de /\/\___ Wiechers & Partner Datentechnik GmbH
Andreas Klemm ___/\/\/ $$ Support Unix - aklemm@wup.de $$
pgp p-key http://www-swiss.ai.mit.edu/~bal/pks-toplev.html >>> powered by <<<
ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz >>> FreeBSD <<<
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMW/T5PMLpmkD/U+FAQGbcwQArrLNRoSrYeR6Is7ZxH0dZA4lqwLiKCLo
xoO+w5MuJmEoFIl59JvJIxxDxQA5NJH8FFL+PIf2kRxqmvr/Rq/Teb6pPwrsB6/E
WlNHdOtvxChSzNwNqMMeDgpH2ufFzFxU4BklkDjyo2dHM3zv28xuMyFTd+4f07w2
NnfS0//zE0k=
=y7oS
-----END PGP SIGNATURE-----