author | 2007-05-14 14:01:36 +0000 | |
committer | 2007-05-14 14:01:36 +0000 | |
commit | 565a7c3793afebfcd712752982adc2e5bb8899a9 (patch) | |
tree | 59629b85cf9a5bcec6011f14b587740bc074cbe2 /sys-freebsd/freebsd-sbin/files | |
parent | Version bump. (diff) | |
download | historical-565a7c3793afebfcd712752982adc2e5bb8899a9.tar.gz historical-565a7c3793afebfcd712752982adc2e5bb8899a9.tar.bz2 historical-565a7c3793afebfcd712752982adc2e5bb8899a9.zip |
Add established rules to the firewall and allow logging of denied packets. Thanks to dcoats.
Package-Manager: portage-2.1.2.7
Diffstat (limited to 'sys-freebsd/freebsd-sbin/files')
-rw-r--r-- | sys-freebsd/freebsd-sbin/files/ipfw.confd | 3 | ||||
-rw-r--r-- | sys-freebsd/freebsd-sbin/files/ipfw.initd | 19 |
2 files changed, 17 insertions, 5 deletions
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.confd b/sys-freebsd/freebsd-sbin/files/ipfw.confd
index 78864eef549e..687f92da922f 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.confd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.confd
@@ -5,3 +5,6 @@
 # For ease of use, we allow auth and ssh ports through as well.
 # To override the list of allowed ports
 #PORTS_IN="auth ssh"
+
+# You may want to enable logging of denied connections
+#LOG_DENY="yes"
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.initd b/sys-freebsd/freebsd-sbin/files/ipfw.initd
index b0bd26f82fc2..865d8ce751bb 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.initd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.initd
@@ -39,13 +39,15 @@ init() {
 }
 start() {
- local x=
+ local x= log=
 ebegin "Starting firewall rules"
 if ! init ; then
 eend 1 "Failed to flush firewall ruleset"
 return 1
 fi
+ [ "${LOG_DENY}" = "yes" ] && log="log"
+
 # Use a statefull firewall
 ipfw add check-state 
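Review bot: Setting `log="log"` when LOG_DENY is "yes" (the ipfw.initd start() hunk) only produces syslog output if kernel firewall logging is enabled; as ipfw(8) describes it, the `log` keyword is honoured only while the sysctl net.inet.ip.fw.verbose is 1, and a nonzero net.inet.ip.fw.verbose_limit stops logging for a rule once that many packets have matched, so on a kernel without verbose logging the new option silently does nothing. The script could turn the knob on when the option is enabled, `[ "${LOG_DENY}" = "yes" ] && sysctl net.inet.ip.fw.verbose=1 >/dev/null`, or at minimum the new comment in ipfw.confd should state the prerequisite, e.g. `# Requires net.inet.ip.fw.verbose=1; see net.inet.ip.fw.verbose_limit for rate limiting`. Without that, an operator who enables LOG_DENY expecting denied-packet visibility gets none and has no error telling them why. start() continues past the end of this hunk.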
@@ -53,23 +55,30 @@ start() {
 if [ -n "${PORTS_IN}" ] ; then
 local pin=
 for x in ${PORTS_IN} ; do
- [ -n "${pin}" ] && pin="${pin},"
- pin="${pin}${x}"
+ pin="${pin}${pin:+,}${x}"
 done
+ ipfw add allow tcp from any to me ${pin} established keep-state
+ ipfw add allow tcp from any to me6 ${pin} established keep-state
 ipfw add allow tcp from any to me ${pin} setup keep-state
 ipfw add allow tcp from any to me6 ${pin} setup keep-state
+ ipfw add allow udp from any to me ${pin} established
 ipfw add allow udp from any to me ${pin} keep-state
+ ipfw add allow udp from any to me6 ${pin} established
 ipfw add allow udp from any to me6 ${pin} keep-state
 fi
 # Nice flexable rules that disallow incoming except for stuff we
 # have asked for, and allow all outgoing.
+ ipfw add allow tcp from me to any established keep-state
 ipfw add allow tcp from me to any setup keep-state
+ ipfw add allow tcp from me6 to any established keep-state
 ipfw add allow tcp from me6 to any setup keep-state
- ipfw add deny tcp from any to any
+ ipfw add deny ${log} tcp from any to any
+ ipfw add allow udp from me to any established
 ipfw add allow udp from me to any keep-state
+ ipfw add allow udp from me6 to any established
 ipfw add allow udp from me6 to any keep-state
- ipfw add deny udp from any to any
+ ipfw add deny ${log} udp from any to any
 # Be a good firewall and allow some ICMP traffic.
 # Remove 8 if you really want to disallow ping. |
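Review bot: The four new UDP rules carrying `established` (`ipfw add allow udp from any to me ${pin} established`, its me6 twin, and the two `from me/me6 to any established` lines) can never match: as ipfw(8) describes it, `established` tests for TCP packets with the RST or ACK flag set, so on a udp rule the option is always false and the rule is dead weight in the ruleset; UDP has no handshake flags, so there is no equivalent and those lines should simply be dropped. The TCP `established keep-state` additions do change behaviour and deserve a comment saying why they exist, since they admit traffic on the strength of ACK/RST flags rather than tracked state, e.g. `# Re-admit TCP connections that were open before init() flushed dynamic state; matches on flags, not state`. Rule ordering also matters here: the `deny ${log}` lines only catch what the allow lines above them did not, which is the intended default-deny, but the unquoted `${log}` relies on it expanding to nothing when LOG_DENY is unset and a one-line comment stating that would help the next reader. start() continues past the end of this hunk.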