From 176baffe3fbc91b864b48f65ba85ef73229a1a9c Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Fri, 15 Aug 2008 19:14:25 +0000
Subject: [PATCH] For the "client" and "simple" network types, collapse the separate "net" and "mask" variables into a single "net" variable that contains a full network address (including either a netmask or prefix length at the user's choice). Update the example settings to match.

MFC after: 2 weeks
---
 etc/rc.firewall | 25 +++++++++++-------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/etc/rc.firewall b/etc/rc.firewall
index 6e9d9d0ae861..980fb524ebbb 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -166,16 +166,15 @@ case ${firewall_type} in
 	# against people from outside your own network.
 	############
 
-	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
+	# set these to your network
+	net="192.0.2.0/24"
 
 	# Allow limited broadcast traffic from my own net.
-	${fwcmd} add pass all from ${net}:${mask} to 255.255.255.255
+	${fwcmd} add pass all from ${net} to 255.255.255.255
 
 	# Allow any traffic to or from my own net.
-	${fwcmd} add pass all from me to ${net}:${mask}
-	${fwcmd} add pass all from ${net}:${mask} to me
+	${fwcmd} add pass all from me to ${net}
+	${fwcmd} add pass all from ${net} to me
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
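Review bot: The replacement comment `# set these to your network` no longer tells the administrator what format `net` must take, and it still says "these" although only one variable remains; the commit message states that either a prefix length or a netmask is accepted, and that belongs in the file the user actually edits. I would write `# set this to your network, as address/prefix (192.0.2.0/24) or address:netmask`. The point matters because an operator carrying over an old bare value such as `net="192.0.2.0"` gets no error: ipfw then presumably treats it as a single host rather than the whole network, so the "from my own net" rules silently narrow to one address. The same wording issue recurs in the second hunk for `onet` and `inet`. The enclosing `case ${firewall_type} in` arm begins and ends outside this hunk.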
@@ -210,19 +209,17 @@ case ${firewall_type} in
 	# on the inside at this machine for those services.
 	############
 
-	# set these to your outside interface network and netmask and ip
+	# set these to your outside interface network
 	oif="ed0"
-	onet="192.0.2.0"
-	omask="255.255.255.240"
+	onet="192.0.2.0/28"
 
-	# set these to your inside interface network and netmask and ip
+	# set these to your inside interface network
 	iif="ed1"
-	inet="192.0.2.16"
-	imask="255.255.255.240"
+	inet="192.0.2.16/28"
 
 	# Stop spoofing
-	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
-	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
+	${fwcmd} add deny all from ${inet} to any in via ${oif}
+	${fwcmd} add deny all from ${onet} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
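Review bot: The anti-spoofing rules `deny all from ${inet} to any in via ${oif}` and `deny all from ${onet} to any in via ${iif}` now depend entirely on the administrator including a prefix length or netmask in `inet` and `onet`; the old `${inet}:${imask}` form applied the mask unconditionally, so a value copied from an older configuration (`inet="192.0.2.16"`) would, as far as I can tell, shrink the spoof check to a single host and let other inside addresses through the outside interface unnoticed. Since the variables are no longer local to this file's defaults in practice, a cheap sanity check after the assignments would make the misconfiguration loud rather than silent, e.g. `case "${inet}" in */*|*:*) ;; *) echo "rc.firewall: inet should include a prefix length or netmask" ;; esac` and the same for `onet`. At minimum the two comments should state the expected form, e.g. `# set this to your outside interface network (address/prefix or address:netmask)`. The enclosing `case ${firewall_type} in` arm continues outside this hunk.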