Date: Sun, 12 Apr 1998 11:48:05 +0300 (EEST)
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: conf/6278: /etc/rc.firewall: better RFC1918 nets protection
Message-ID: <199804120848.LAA24223@relay.ucb.crimea.ua>
>Number: 6278 >Category: conf >Synopsis: /etc/rc.firewall: better RFC1918 nets protection >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sun Apr 12 01:50:01 PDT 1998 >Last-Modified: >Originator: Ruslan Ermilov >Organization: >Release: FreeBSD 2.2.6-STABLE i386 >Environment: FreeBSD 2.2.6-STABLE #0: Sat Apr 11 20:19:27 EEST 1998 >Description: There is only one half of protection of RFC1918 nets usage on outside interface. >How-To-Repeat: See the source. >Fix: Index: rc.firewall =================================================================== RCS file: /usr/FreeBSD-CVS/src/etc/rc.firewall,v retrieving revision 1.6.2.6 diff -u -r1.6.2.6 rc.firewall --- rc.firewall 1998/02/10 01:45:57 1.6.2.6 +++ rc.firewall 1998/04/12 08:28:49 @@ -140,8 +140,11 @@ # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} # Allow TCP through if setup succeeded $fwcmd add pass tcp from any to any established >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
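Review bot: The three added `from any to <RFC1918 net> via ${oif}` rules match on destination in both directions, because `via` covers packets received on and sent out of ${oif}, and neither the comment nor the PR description says this. The hunk does not show whether any address-rewriting rule (for example a divert to a translator) runs before line 140. If one does and the inside network uses one of these ranges, inbound replies will already carry a private destination when they reach these rules and will be denied. Please confirm the rule ordering. Also extend the comment above the block to something like "Stop RFC1918 nets on the outside interface, as source or destination", noting that this also blocks outbound packets addressed to private networks. Separately, a host whose ${oif} itself sits on an RFC1918 network cannot use this block as is; the existing `from` rules already have that limitation, so a one-line note in the comment would cover both.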