From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sat, 31 Jan 2004 14:04:46 -0500
To: Peder Blom
Cc: ecrist@adtechintegrated.com, freebsd-questions@freebsd.org
Subject: Re: where am I supposed to put my rc.firewall?
Message-ID: <401BFC4E.3090104@mac.com>
In-Reply-To: <20040131185300.3ced93f6.dion@bredband.net>
Peder Blom wrote:
> I've never done it this way, but in this case I assume that you just
> define the rules in '/etc/ERICS_firewall', thus:
>
> --------------
> add 100 pass all from any to any via lo0
> add 200 deny all from any to 127.0.0.0/8
> add 300 deny ip from 127.0.0.0/8 to any
> add 600 allow all from any to any
> --------------
>
> Using your suggestions for rc.conf, of course.
>
> Is this correct?

Exactly. And then you add a preprocessor like cpp, and you can define:

    ####
    # set these to your inside interface network and netmask and ip
    #define IIF fxp0
    #define INET 10.1.1.0/24
    #define IIP 10.1.1.1

    [ ...OIF info snipped... ]

    # port number ranges
    #define LOPORTS 1-1023
    #define HIPORTS 1024-65535

    # basic stuff
    add 100 pass all from any to any via lo0
    add deny all from any to 127.0.0.0/8
    add deny ip from 127.0.0.0/8 to any
    add deny all from INET to any in via OIF
    add deny all from ONET to any in via IIF

...and go from there.

-- 
-Chuck
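The following script is an added example, not code from Chuck's message or from FreeBSD's rc.firewall. It shows the cpp-preprocessed template style from the reply end to end: a constructed template with both the inside (IIF/INET/IIP) and outside (OIF/ONET/OIP, values made up here) definitions, expansion through cpp(1) where it is installed (with an awk fallback for the plain "#define NAME value" form), and a check that refuses to hand ipfw a ruleset in which a macro such as ONET was never defined, which is exactly what happens if the "OIF info" section is left out. One caveat worth knowing: GCC's cpp in its default C mode rejects the message's "#" comment lines as unknown directives, so the script runs it in assembler-with-cpp mode, where such lines pass through and can be stripped afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): expand a cpp-style ipfw rule template
# into a plain ruleset, and refuse to emit it while any macro is unexpanded.
# All interface names, networks and rule numbers are constructed sample values.

# Constructed template in the style of the quoted message. The outside-side
# definitions (OIF/ONET/OIP) are made-up values added so the ruleset is complete.
sample_template() {
    cat <<'EOF'
####
# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 10.1.1.0/24
#define IIP 10.1.1.1
# outside interface (constructed values)
#define OIF fxp1
#define ONET 192.0.2.0/24
#define OIP 192.0.2.10
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
# basic stuff
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# anti-spoofing: inside addresses must not arrive on the outside interface, and vice versa
add 400 deny all from INET to any in via OIF
add 500 deny all from ONET to any in via IIF
EOF
}

# The same template with the outside definitions missing, as in the snipped
# message: OIF and ONET would then reach ipfw unexpanded.
broken_template() {
    sample_template | grep -v '^#define O'
}

# Expand the template read from stdin. Uses cpp(1) when installed (this is what
# ipfw's "-p cpp" runs); otherwise a small awk expander handles the plain
# "#define NAME value" form with whole-word substitution.
# -x assembler-with-cpp makes cpp pass "#" comment lines through instead of
# rejecting them as unknown directives; -undef keeps host macros such as
# "unix" or "linux" from being substituted into the rules.
expand_rules() {
    if command -v cpp >/dev/null 2>&1; then
        cpp -P -undef -x assembler-with-cpp -
    else
        awk '
            /^[ \t]*#define[ \t]/ {
                val = ""
                for (i = 3; i <= NF; i++) val = val (i > 3 ? " " : "") $i
                macro[$2] = val
                next
            }
            {
                out = ""
                for (i = 1; i <= NF; i++) {
                    tok = ($i in macro) ? macro[$i] : $i
                    out = out (i > 1 ? " " : "") tok
                }
                print out
            }'
    fi
}

# Drop comment and blank lines, trim and squeeze whitespace, so both expansion
# paths yield identical text.
normalize_rules() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' \
        | tr -s '[:blank:]' ' '
}

# Heuristic: ipfw keywords are lower-case, so any remaining all-caps token is
# almost certainly a macro that was never #defined.
find_unexpanded() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[A-Z][A-Z0-9_]*$/) print $i }' | sort -u
}

# Print the final ruleset for the template on stdin; return non-zero and print
# nothing on stdout if a macro is still unexpanded, so a half-defined template
# never reaches ipfw.
render_ruleset() {
    rules=$(expand_rules | normalize_rules) || return 1
    [ -n "$rules" ] || { echo 'error: empty ruleset' >&2; return 1; }
    leftovers=$(printf '%s\n' "$rules" | find_unexpanded)
    if [ -n "$leftovers" ]; then
        printf 'error: unexpanded macro(s): %s\n' \
            "$(printf '%s' "$leftovers" | tr '\n' ' ')" >&2
        return 1
    fi
    printf '%s\n' "$rules"
}

# Dry run: show what ipfw would load from the complete template, then show the
# truncated one being rejected.
if [ "${1:-}" = "--demo" ]; then
    sample_template | render_ruleset
    broken_template | render_ruleset || echo 'truncated template rejected'
fi
```

Run it with `sh expand_fw.sh --demo` to see the expanded rules and the rejection of the truncated template. On a real system the expanded output is what ipfw(8) loads from a rules file, and ipfw can drive the preprocessor itself via its `-p cpp` option; the value of a check like render_ruleset is that an unexpanded OIF or ONET fails loudly before the firewall is touched, rather than leaving an anti-spoofing rule silently missing.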