From owner-freebsd-bugs Fri Jan 4 10:10:33 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 28AD537B422 for ; Fri, 4 Jan 2002 10:10:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g04IA1019618; Fri, 4 Jan 2002 10:10:01 -0800 (PST) (envelope-from gnats)
Received: from femail20.sdc1.sfba.home.com (femail20.sdc1.sfba.home.com [24.0.95.129]) by hub.freebsd.org (Postfix) with ESMTP id 548FF37B416 for ; Fri, 4 Jan 2002 10:08:40 -0800 (PST)
Received: from cc158233-a.catv1.md.home.com ([24.3.25.17]) by femail20.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP id <20020104180839.JXDR3327.femail20.sdc1.sfba.home.com@cc158233-a.catv1.md.home.com> for ; Fri, 4 Jan 2002 10:08:39 -0800
Received: (from sjr@localhost) by cc158233-a.catv1.md.home.com (8.11.6/8.11.6) id g04I8ci17205; Fri, 4 Jan 2002 13:08:38 -0500 (EST) (envelope-from sjr)
Message-Id: <200201041808.g04I8ci17205@cc158233-a.catv1.md.home.com>
Date: Fri, 4 Jan 2002 13:08:38 -0500 (EST)
From: "Stephen J. Roznowski"
Reply-To: "Stephen J. Roznowski"
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/33545: Add variables to rc.conf for rc.firewall
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 33545
>Category: conf
>Synopsis: Add variables to rc.conf for rc.firewall
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 04 10:10:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Stephen J. Roznowski
>Release: FreeBSD 4.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD istari.home.com 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #0: Wed Jan 2 15:56:51 EST 2002 sjr@istari.home.com:/usr/obj/usr/src/sys/ISTARI i386
>Description:
Right now, you need to edit rc.firewall to set variables before use. The attached patch creates a series of variables in rc.conf to remove the need to edit rc.firewall.
>How-To-Repeat:
>Fix:
--- etc/defaults/rc.conf.orig Thu Jan 3 23:23:55 2002
+++ etc/defaults/rc.conf Thu Jan 3 23:47:18 2002
@@ -50,6 +50,17 @@ firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file +firewall_client_net="192.0.2.0" # Client firewall network +firewall_client_mask="255.255.255.0" # Client firewall netmask +firewall_client_ip="192.0.2.1" # Client firewall IP address +firewall_simple_oif="ed0" # Simple firewall outside interface +firewall_simple_onet="192.0.2.0" # Simple firewall outside network +firewall_simple_omask="255.255.255.240" # Simple firewall outside netmask +firewall_simple_oip="192.0.2.1" # Simple firewall outside IP address +firewall_simple_iif="ed1" # Simple firewall inside interface +firewall_simple_inet="192.0.2.16" # Simple firewall inside network +firewall_simple_imask="255.255.255.240" # Simple firewall inside netmask +firewall_simple_iip="192.0.2.17" # Simple firewall inside IP address ip_portrange_first="NO" # Set first dynamically allocated port ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file 
@@ -291,6 +302,17 @@ ipv6_firewall_quiet="NO" # Set to YES to suppress rule display ipv6_firewall_logging="NO" # Set to YES to enable events logging ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file +ipv6_firewall_client_net="3ffe:505:2:1::" # Client firewall network +ipv6_firewall_client_prefixlen="64" # Client firewall prefixlen +ipv6_firewall_client_ip="3ffe:505:2:1::1" # Client firewall IP +ipv6_firewall_simple_oif="ed0" # Simple firewall outside interface +ipv6_firewall_simple_onet="3ffe:505:2:1::" # Simple firewall outside network +ipv6_firewall_simple_oprefixlen="64" # Simple firewall outside netmask +ipv6_firewall_simple_oip="3ffe:505:2:1::1" # Simple firewall outside IP +ipv6_firewall_simple_iif="ed1" # Simple firewall inside interface +ipv6_firewall_simple_inet="3ffe:505:2:2::" # Simple firewall inside network +ipv6_firewall_simple_iprefixlen="64" # Simple firewall inside netmask +ipv6_firewall_simple_iip="3ffe:505:2:2::1" # Simple firewall inside IP address ############################################################## ### System console options ################################# --- etc/rc.firewall.orig Thu Jan 3 23:23:55 2002 +++ etc/rc.firewall Thu Jan 3 23:31:56 2002 @@ -147,9 +147,9 @@ ############ # set these to your network and netmask and ip - net="192.0.2.0" - mask="255.255.255.0" - ip="192.0.2.1" + net=${firewall_client_net} + mask=${firewall_client_mask} + ip=${firewall_client_ip} # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} 
@@ -189,16 +189,16 @@ ############ # set these to your outside interface network and netmask and ip - oif="ed0" - onet="192.0.2.0" - omask="255.255.255.240" - oip="192.0.2.1" + oif=${firewall_simple_oif} + onet=${firewall_simple_onet} + omask=${firewall_simple_omask} + oip=${firewall_simple_oip} # set these to your inside interface network and netmask and ip - iif="ed1" - inet="192.0.2.16" - imask="255.255.255.240" - iip="192.0.2.17" + iif=${firewall_simple_iif} + inet=${firewall_simple_inet} + imask=${firewall_simple_imask} + iip=${firewall_simple_iip} # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} --- etc/rc.firewall6.orig Thu Jan 3 23:23:55 2002 +++ etc/rc.firewall6 Thu Jan 3 23:44:23 2002 @@ -110,9 +110,9 @@ # # This needs more work # - net="3ffe:505:2:1::" - prefixlen="64" - ip="3ffe:505:2:1::1" + net=${ipv6_firewall_client_net} + prefixlen=${ipv6_firewall_client_prefixlen} + ip=${ipv6_firewall_client_ip} # Allow any traffic to or from my own net. ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen} @@ -164,16 +164,16 @@ ############ # set these to your outside interface network and prefixlen and ip - oif="ed0" - onet="3ffe:505:2:1::" - oprefixlen="64" - oip="3ffe:505:2:1::1" + oif=${ipv6_firewall_simple_oif} + onet=${ipv6_firewall_simple_onet} + oprefixlen=${ipv6_firewall_simple_oprefixlen} + oip=${ipv6_firewall_simple_oip} # set these to your inside interface network and prefixlen and ip - iif="ed1" - inet="3ffe:505:2:2::" - iprefixlen="64" - iip="3ffe:505:2:2::1" + iif=${ipv6_firewall_simple_iif} + inet=${ipv6_firewall_simple_inet} + iprefixlen=${ipv6_firewall_simple_iprefixlen} + iip=${ipv6_firewall_simple_iip} # Stop spoofing ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif} >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
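Review bot: the eleven firewall_client_* and firewall_simple_* knobs added in the rc.conf hunk at @@ -50,6 +50,17 @@ are documented only by their inline comments; the rc.conf(5) manual page should gain an entry for each, saying which firewall type reads them (the client set only for the "client" rule set, the simple set only for "simple") and that the shipped 192.0.2.x values are placeholders to be replaced with the local addresses before firewall_enable is turned on, since a default left in place installs pass and deny rules for a network the host is not on.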
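Review bot: in the rc.conf hunk at @@ -291,6 +302,17 @@ the comments on ipv6_firewall_simple_oprefixlen and ipv6_firewall_simple_iprefixlen still read "netmask" although the value is a prefix length; change them to "# Simple firewall outside prefixlen" and "# Simple firewall inside prefixlen" to match ipv6_firewall_client_prefixlen, and make the address comments consistently "IP address" (the client and outside entries say "IP", the inside one "IP address").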
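Review bot: the rc.firewall hunk at @@ -147,9 +147,9 @@ assigns net=${firewall_client_net}, mask=${firewall_client_mask} and ip=${firewall_client_ip} without checking that they are set, so with an empty value (an /etc/rc.conf that overrides the default with "", or a system whose /etc/defaults/rc.conf predates this change) the rule `${fwcmd} add pass all from ${ip} to ${net}:${mask}` reaches ipfw as `add pass all from to :255.255.255.0`, ipfw rejects it and the script carries on without that rule. Add a guard ahead of the first rule, e.g. `if [ -z "${firewall_client_net}" -o -z "${firewall_client_mask}" -o -z "${firewall_client_ip}" ]; then echo "rc.firewall: firewall_client_* not set in rc.conf"; fi` followed by skipping the client rules, so the misconfiguration is reported instead of silently producing a partial rule set. The retained comment "# set these to your network and netmask and ip" should also be reworded to point at the rc.conf variables, since editing rc.firewall is exactly what this change removes.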
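Review bot: the comments kept in the rc.firewall hunk at @@ -189,16 +189,16 @@ ("# set these to your outside interface network and netmask and ip" and the inside counterpart) still direct the administrator to edit rc.firewall; reword them to name firewall_simple_oif, firewall_simple_onet, firewall_simple_omask, firewall_simple_oip and the firewall_simple_i* set in rc.conf. The empty-value concern matters more here, because the anti-spoofing rule `${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}` is the first rule built from these values: with an empty oif, "in via" is left without an interface name, ipfw rejects the rule, and the inside network loses its spoofing protection while rules that do not depend on ${oif} still load. Keeping the assignments quoted (oif="${firewall_simple_oif}") would also match the surrounding style.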
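Review bot: the two rc.firewall6 hunks (@@ -110,9 +110,9 @@ and @@ -164,16 +164,16 @@) have the same gaps as their IPv4 counterparts: the comments "# set these to your outside interface network and prefixlen and ip" and the inside counterpart are now stale and should refer to the ipv6_firewall_* knobs in rc.conf, and nothing checks that ipv6_firewall_client_net, ipv6_firewall_client_prefixlen, ipv6_firewall_client_ip and the ipv6_firewall_simple_* set are non-empty before `${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}` and `${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}` are issued; an empty prefixlen turns "${net}/${prefixlen}" into "3ffe:505:2:1::/", which ip6fw will not accept, and the rule is dropped while the script continues. Add the same -z guard suggested for rc.firewall.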