From owner-freebsd-current Sat Apr 13 07:21:59 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA24886 for current-outgoing; Sat, 13 Apr 1996 07:21:59 -0700 (PDT)
Received: from news1.gtn.com (news1.gtn.com [192.109.159.3]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA24875 for ; Sat, 13 Apr 1996 07:21:55 -0700 (PDT)
Received: (from uucp@localhost) by news1.gtn.com (8.7.2/8.7.2) id QAA27506; Sat, 13 Apr 1996 16:00:29 +0200 (MET DST)
Received: from localhost (localhost [127.0.0.1]) by knobel.gun.de (8.7.5/8.7.3) with SMTP id QAA00921; Sat, 13 Apr 1996 16:02:04 +0200 (MET DST)
Date: Sat, 13 Apr 1996 16:02:03 +0200 (MET DST)
From: Andreas Klemm
To: Poul-Henning Kamp
cc: Bill Fenner , current@freebsd.org
Subject: Re: rc.firewall has some syntax errors and sample config hangs machine
In-Reply-To: <14052.829301116@critter.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 12 Apr 1996, Poul-Henning Kamp wrote:

> I have just committed the fix to ip_input.c, thanks for the help, and
> sorry for the delay.

Everything is working fine now. No panics anymore! Thanks!

It would be fine if the firewall configurations in /etc/rc.firewall could be enhanced. For example, one could add more examples, so that people could pick up better what they really need ...

I suggest adding the following, which is a typical end user configuration: dialup to the internet via modem and PPP. Allow everything outgoing, deny and log everything incoming ... Perhaps someone could check if my ideas of rules are ok ... thanks ...

Here in short my ipfw policy:

FireWall chain entries: 256 0
01000 allow all from 127.0.0.1 to 127.0.0.1
01100 deny log tcp from any to any via tun0 setup
65000 allow all from any to any
65535 deny all from any to any

Here my suggested diffs:

Index: rc.firewall
===================================================================
RCS file: /cvs/src/etc/rc.firewall,v
retrieving revision 1.2
diff -u -r1.2 rc.firewall
- --- rc.firewall 1996/04/12 09:16:42 1.2
+++ rc.firewall 1996/04/13 13:58:46
@@ -30,6 +30,11 @@ # ############ +# flush all rules, so you can modify and restart rc.firewall if you like + +/sbin/ipfw flush + +############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open.
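Review bot: the unconditional `/sbin/ipfw flush` added at the top of the script is risky when the kernel's default policy is closed (the context lines right below it talk about changing that default to open): the moment it runs every rule is gone and the machine passes no traffic until the later `add` lines have completed, so re-running rc.firewall over a remote login locks you out, and the flush also silently discards any rules that were added by hand or by other scripts. Suggest either guarding the flush so it only runs on an explicit restart, or at least expanding the `if you like` comment to say that it drops all existing rules and should be run from the console.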
@@ -41,11 +46,38 @@ /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 ############ - -# This is a prototype setup that will protect your system somewhat against - -# people from outside your own network. +# These are some prototype setups, where some will protect your system +# somewhat against people from outside your own network. # # To enable simply change "false" to "true" in the if line and set the # variables to your network parameters + +if false ; then + + # Configuration Suggestion for a typical FreeBSD "leafe-site" + # dials up to internet via Modem using PPP (ppp -auto ondemand) + # every outgoing traffic is allowed + # every incoming tcp traffic is denied and logged + + # set these to your outside interface network and netmask and ip + oif="tun0" + onet="192.109.159.0" + omask="255.255.255.0" + oip="192.109.159.141" + + # set these to your inside interface network and netmask and ip + iif="ed0" + inet="149.237.250.0" + imask="255.255.255.0" + iip="149.237.250.1" + + # Reject&Log all setup of incoming connections from the outside + /sbin/ipfw add deny log tcp from any to any via ${oif} setup + + # The rest is allowed + /sbin/ipfw add 65000 pass all from any to any + +fi if false ; then # set these to your network and netmask and ip

-- 
andreas@knobel.gun.de      /\/\___     Wiechers & Partner Datentechnik GmbH
     Andreas Klemm    ___/\/\/      $$ Support Unix - aklemm@wup.de $$
 pgp p-key  http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
>>> powered by <<< ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz >>> FreeBSD <<<
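Review bot: `via ${oif}` matches packets passing through tun0 in either direction, so `/sbin/ipfw add deny log tcp from any to any via ${oif} setup` also denies this machine's own outgoing connection setups over the PPP link unless the rule can be restricted to inbound packets; that contradicts the `every outgoing traffic is allowed` comment and should be checked before the example ships, the more so since the same rule appears live as 01100 in the listing above. Two smaller points in the same block: `onet`, `omask`, `oip`, `iif`, `inet`, `imask` and `iip` are assigned but never referenced by either rule, so either use them or drop them so readers do not assume they take effect; and `192.109.159.0`/`192.109.159.141` and `149.237.250.0`/`149.237.250.1` look like real addresses (the first range is that of the relay `news1.gtn.com [192.109.159.3]` in this message's own headers), so a shipped sample should use obvious placeholders. Also note the `"leafe-site"` typo, and that only TCP setups are blocked, so incoming UDP and ICMP still reach the host through rule 65000, which the comments should say explicitly.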