From owner-freebsd-current Sat Apr 13 10:24:30 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA04289 for current-outgoing; Sat, 13 Apr 1996 10:24:30 -0700 (PDT)
Received: from news1.gtn.com (news1.gtn.com [192.109.159.3]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA04282 for ; Sat, 13 Apr 1996 10:24:27 -0700 (PDT)
Received: (from uucp@localhost) by news1.gtn.com (8.7.2/8.7.2) id TAA22110; Sat, 13 Apr 1996 19:00:37 +0200 (MET DST)
Received: from localhost (localhost [127.0.0.1]) by knobel.gun.de (8.7.5/8.7.3) with SMTP id SAA04352; Sat, 13 Apr 1996 18:18:45 +0200 (MET DST)
Date: Sat, 13 Apr 1996 18:18:44 +0200 (MET DST)
From: Andreas Klemm
To: Poul-Henning Kamp
cc: Bill Fenner , current@FreeBSD.ORG
Subject: Re: rc.firewall has some syntax errors and sample config hangs machine
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 13 Apr 1996, Andreas Klemm wrote:

> Here are my suggested diffs
>
> Index: rc.firewall
> ===================================================================
> RCS file: /cvs/src/etc/rc.firewall,v
> retrieving revision 1.2
> diff -u -r1.2 rc.firewall
> --- rc.firewall 1996/04/12 09:16:42 1.2
> +++ rc.firewall 1996/04/13 13:58:46

Hmm, forget it, this one seems to be better ;-)

Index: rc.firewall
===================================================================
RCS file: /cvs/src/etc/rc.firewall,v
retrieving revision 1.2
diff -u -r1.2 rc.firewall
- --- rc.firewall 1996/04/12 09:16:42 1.2
+++ rc.firewall 1996/04/13 16:16:31
@@ -30,6 +30,11 @@ # ############ +# flush all rules, so you can modify and restart rc.firewall if you like + +/sbin/ipfw flush + +############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. 
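Review bot: the unconditional `/sbin/ipfw flush` at the top of the script runs before any policy or rule is installed, so the effect of re-running rc.firewall depends entirely on the kernel's default rule: with a default-deny kernel every packet, including the one carrying your remote login session, is dropped from the flush until the later `add` lines have re-installed a rule that passes it, and with a default-accept kernel (the "change the default policy to open" case described in the surrounding context) the host is briefly wide open between the flush and the first `add`. Since the comment presents this as a convenience for editing and restarting the script, it should at least say that a restart is only safe from the console, and the script should add its pass rules as early as possible after the flush. Nit: the comment reads better as `# Flush all rules, so you can modify and re-run rc.firewall if you like`.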
@@ -46,6 +51,47 @@ # # To enable simply change "false" to "true" in the if line and set the # variables to your network parameters + +if false ; then + + # Configuration Suggestion for a typical FreeBSD "leafe-site" + # dials up to internet via Modem using PPP (ppp -auto ondemand) + # every outgoing traffic is allowed + # every incoming tcp traffic is denied and logged + + # set these to your outside interface network and netmask and ip + oif="tun0" + onet="192.109.159.0" + omask="255.255.255.0" + oip="192.109.159.141" + + # set these to your inside interface network and netmask and ip + iif="ed0" + inet="149.237.250.0" + imask="255.255.255.0" + iip="149.237.250.1" + + # allow uucp + /sbin/ipfw add pass tcp from any to any 540 + + # allow ftp + /sbin/ipfw add pass tcp from any to any 21 + + # allow telnet + /sbin/ipfw add pass tcp from any to any 23 + + # allow WWW + /sbin/ipfw add pass tcp from any to any 80 setup + + # Reject&Log all setup of all other incoming connections from outside + /sbin/ipfw add deny log tcp from any to any via ${oif} setup + + # Everything other is generally allowed + # - outgoing packets of every types + # - but only allowed incoming data streams as ftp and http + /sbin/ipfw add 65000 pass all from any to any + +fi if false ; then # set these to your network and netmask and ip - -- andreas@knobel.gun.de /\/\___ Wiechers & Partner Datentechnik GmbH Andreas Klemm ___/\/\/ $$ Support Unix - aklemm@wup.de $$ pgp p-key http://www-swiss.ai.mit.edu/~bal/pks-toplev.html >>> powered by <<< ftp://sunsite.unc.edu/pub/Linux/system/Printing/aps-491.tgz >>> FreeBSD <<< -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMW/T5PMLpmkD/U+FAQGbcwQArrLNRoSrYeR6Is7ZxH0dZA4lqwLiKCLo xoO+w5MuJmEoFIl59JvJIxxDxQA5NJH8FFL+PIf2kRxqmvr/Rq/Teb6pPwrsB6/E WlNHdOtvxChSzNwNqMMeDgpH2ufFzFxU4BklkDjyo2dHM3zv28xuMyFTd+4f07w2 NnfS0//zE0k= =y7oS -----END PGP SIGNATURE-----
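Review bot: `/sbin/ipfw add deny log tcp from any to any via ${oif} setup` carries no direction, so it also denies and logs every outgoing connection setup through tun0 to any port not passed by an earlier rule (smtp, nntp, pop, dns over tcp, and so on), which contradicts the block's own comment "every outgoing traffic is allowed"; conversely, the four pass rules for 540, 21, 23 and 80 are undirected as well and sit in front of the deny, so they admit inbound setups from the Internet to the leaf site's own uucp, ftp, telnet and http ports, which contradicts "every incoming tcp traffic is denied and logged". Suggest one rule ahead of the deny that passes setups originating from the outside address, e.g. `/sbin/ipfw add pass tcp from ${oip} to any via ${oif} setup` (with `ppp -auto` the value of `oip` has to be the address ppp actually assigns to tun0), then drop the undirected 21/23/80 rules, since rule 65000 already passes the non-setup traffic of established connections, and write only the services that really must be reachable from outside as inbound rules, e.g. `/sbin/ipfw add pass tcp from any to ${oip} 540 setup`. Also, `iif`, `inet`, `imask` and `iip` are set but never used anywhere in the block, and the comment has `leafe-site` for `leaf-site`.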