From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 6 10:21:48 2004
Message-Id: <200404061712.i36HCEtG049749@grizzly.carrier.kiev.ua>
Date: Tue, 6 Apr 2004 20:12:14 +0300 (EEST)
From: Valentin Nechayev
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/65258: save /etc/rc.firewall from changing for standard firewall types
Reply-To: Valentin Nechayev

>Number:         65258
>Category:       bin
>Synopsis:       save /etc/rc.firewall from changing for standard firewall types
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 06 10:20:08 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Valentin Nechayev
>Release:        FreeBSD 5.2.1-RELEASE i386
>Organization:
home sweet home
>Environment:
FreeBSD 5.2.1-RELEASE
FreeBSD 4.9-RELEASE (last -current has the same file)
>Description:
When setting up a firewall of a standard type, one unfortunately has to edit /etc/rc.firewall for network, netmask and local IP. The local IP isn't required since ipfw began to understand `me'. Network and netmask are better obtained from rc.conf.
>How-To-Repeat:
Use a standard firewall type.
>Fix:
--- src/etc/rc.firewall.0	Tue Apr 6 19:40:15 2004
+++ src/etc/rc.firewall	Tue Apr 6 20:00:24 2004
@@ -151,15 +151,16 @@ ############ # set these to your network and netmask and ip - net="192.0.2.0" - mask="255.255.255.0" - ip="192.0.2.1" + net="$firewall_client_net" + mask="$firewall_client_mask" + test -z "$net" && net="192.0.2.0" + test -z "$mask" && mask="255.255.255.0" setup_loopback # Allow any traffic to or from my own net. - ${fwcmd} add pass all from ${ip} to ${net}:${mask} - ${fwcmd} add pass all from ${net}:${mask} to ${ip} + ${fwcmd} add pass all from me to ${net}:${mask} + ${fwcmd} add pass all from ${net}:${mask} to me # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -168,19 +169,19 @@ ${fwcmd} add pass all from any to any frag # Allow setup of incoming email - ${fwcmd} add pass tcp from any to ${ip} 25 setup + ${fwcmd} add pass tcp from any to me 25 setup # Allow setup of outgoing TCP connections only - ${fwcmd} add pass tcp from ${ip} to any setup + ${fwcmd} add pass tcp from me to any setup # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world - ${fwcmd} add pass udp from ${ip} to any 53 keep-state + ${fwcmd} add pass udp from me to any 53 keep-state # Allow NTP queries out in the world - ${fwcmd} add pass udp from ${ip} to any 123 keep-state + ${fwcmd} add pass udp from me to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 
@@ -195,16 +196,20 @@ ############ # set these to your outside interface network and netmask and ip - oif="ed0" - onet="192.0.2.0" - omask="255.255.255.240" - oip="192.0.2.1" + oif="$firewall_simple_oif" + onet="$firewall_simple_onet" + omask="$firewall_simple_omask" + test -z "$oif" && oif="ed0" + test -z "$onet" && onet="192.0.2.0" + test -z "$omask" && omask="255.255.255.240" # set these to your inside interface network and netmask and ip - iif="ed1" - inet="192.0.2.16" - imask="255.255.255.240" - iip="192.0.2.17" + iif="$firewall_simple_iif" + inet="$firewall_simple_inet" + imask="$firewall_simple_imask" + test -z "$iif" && iif="ed1" + test -z "$inet" && inet="192.0.2.16" + test -z "$imask" && imask="255.255.255.240" setup_loopback @@ -262,15 +267,15 @@ ${fwcmd} add pass all from any to any frag # Allow setup of incoming email - ${fwcmd} add pass tcp from any to ${oip} 25 setup + ${fwcmd} add pass tcp from any to me 25 setup # Allow access to our DNS - ${fwcmd} add pass tcp from any to ${oip} 53 setup - ${fwcmd} add pass udp from any to ${oip} 53 - ${fwcmd} add pass udp from ${oip} 53 to any + ${fwcmd} add pass tcp from any to me 53 setup + ${fwcmd} add pass udp from any to me 53 + ${fwcmd} add pass udp from me 53 to any # Allow access to our WWW - ${fwcmd} add pass tcp from any to ${oip} 80 setup + ${fwcmd} add pass tcp from any to me 80 setup # Reject&Log all setup of incoming connections from the outside ${fwcmd} add deny log tcp from any to any in via ${oif} setup 
@@ -279,10 +284,10 @@ ${fwcmd} add pass tcp from any to any setup # Allow DNS queries out in the world - ${fwcmd} add pass udp from ${oip} to any 53 keep-state + ${fwcmd} add pass udp from me to any 53 keep-state # Allow NTP queries out in the world - ${fwcmd} add pass udp from ${oip} to any 123 keep-state + ${fwcmd} add pass udp from me to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel --- src/etc/defaults/rc.conf.0 Tue Apr 6 20:06:34 2004 +++ src/etc/defaults/rc.conf Tue Apr 6 20:10:14 2004 @@ -69,6 +69,14 @@ firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file +firewall_client_net="10.0.0.0" # Network base for "client" firewall type. +firewall_client_mask="255.0.0.0" # Network mask for "client" firewall type. +firewall_simple_inet="10.0.0.0" # Internal network base for "simple" firewall type. +firewall_simple_imask="255.0.0.0" # Internal network mask for "simple" firewall type. +firewall_simple_iif="rl0" # Internal network interface for "simple" firewall type. +firewall_simple_onet="192.0.2.0" # Internal network base for "simple" firewall type. +firewall_simple_omask="255.255.255.0" # Internal network mask for "simple" firewall type. +firewall_simple_oif="xl0" # Internal network interface for "simple" firewall type. ip_portrange_first="NO" # Set first dynamically allocated port ip_portrange_last="NO" # Set last dynamically allocated port ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd) >Release-Note: >Audit-Trail: >Unformatted:
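Review bot: in the rc.firewall hunk at @@ -151 (client type), the fallbacks `test -z "$net" && net="192.0.2.0"` and `test -z "$mask" && mask="255.255.255.0"` can never take effect, because the rc.conf hunk sets firewall_client_net/firewall_client_mask to 10.0.0.0/255.0.0.0, and the two sets of defaults disagree; keep one default, preferably only in /etc/defaults/rc.conf, so the value in effect is the one a reader of rc.conf sees. The header comment `# set these to your network and netmask and ip` should also drop "and ip" now that `ip` is gone.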
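Review bot: in the hunk at @@ -168, replacing `${ip}` by `me` in `${fwcmd} add pass tcp from any to me 25 setup` widens the match from the single configured address to every address on every interface of the host; that is the stated intent of the PR, but it deserves a comment next to the rule, because a client that later gains a second interface or alias will accept SMTP setup on that address too.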
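Review bot: the hunk at @@ -195 (simple type) has the same dead-fallback problem as the client section: the `test -z` defaults `ed0`/`ed1` and the 192.0.2.0/16 networks differ from the `xl0`/`rl0` and 10.0.0.0 values the rc.conf hunk installs, so the fallback documents a configuration that can never occur unless the user deliberately blanks the variables. Removing `oip`/`iip` also leaves the comments `# set these to your outside interface network and netmask and ip` and `# set these to your inside interface network and netmask and ip` stale.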
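Review bot: in the hunk at @@ -262, `me` in a two-interface "simple" firewall matches the inside-interface address as well as the outside one, so `${fwcmd} add pass tcp from any to me 25 setup` and the 53/80 rules now also admit setup packets addressed to the inside address, which `${oip}` did not; if only the outside address is meant to be reachable, qualify these rules with `in via ${oif}` the way the deny rule at the end of the hunk already does (`${fwcmd} add deny log tcp from any to any in via ${oif} setup`).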
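Review bot: in the rc.conf hunk at @@ -69, the comments on firewall_simple_onet, firewall_simple_omask and firewall_simple_oif read "Internal network ..." but these are the outside-interface settings; change them to "External network ...". The new variables are also not documented in rc.conf(5). Finally, shipping concrete non-empty defaults (10.0.0.0/8 on rl0, 192.0.2.0/24 on xl0) means a user who sets firewall_type="simple" without reviewing them silently gets a rule set built for a network that is not theirs, whereas the pre-patch file at least forced an edit; consider empty defaults with a comment that they must be set, or keep the fallback only in rc.firewall.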
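As an added example (not from the PR or FreeBSD's rc.firewall), the script below builds the "client" rule set from the rc.conf variables the patch introduces, with the same fallback defaults, but validates the values before they reach ipfw, since an empty or malformed net/mask would make ipfw reject the rule and leave the host without the pass rules it expects. fwcmd is set to `echo ipfw` so rules are printed rather than installed; is_dotted_quad and client_rules are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not part of the PR: build the "client" rules from the rc.conf
# variables the patch introduces, with the same fallback defaults, but validate
# the values first. fwcmd is "echo ipfw" so rules are printed, not installed.
fwcmd="echo ipfw"

# Return 0 if $1 is a dotted quad with every octet in 0..255 (hypothetical helper).
is_dotted_quad() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots in a subshell so the IFS change does not leak.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Emit the client rules the patched rc.firewall would install (hypothetical helper).
client_rules() {
    net="$firewall_client_net"
    mask="$firewall_client_mask"
    test -z "$net" && net="192.0.2.0"          # fallbacks taken from the patch
    test -z "$mask" && mask="255.255.255.0"
    # A malformed value would make ipfw reject the rule, so fail loudly instead.
    is_dotted_quad "$net" || { echo "bad firewall_client_net: $net" >&2; return 1; }
    is_dotted_quad "$mask" || { echo "bad firewall_client_mask: $mask" >&2; return 1; }
    ${fwcmd} add pass all from me to ${net}:${mask}
    ${fwcmd} add pass all from ${net}:${mask} to me
    ${fwcmd} add pass tcp from any to me 25 setup
    ${fwcmd} add pass udp from me to any 53 keep-state
}

# Constructed sample values standing in for /etc/rc.conf.
firewall_client_net="10.1.0.0"
firewall_client_mask="255.255.0.0"
client_rules
```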