From 66f8d384cf1352e7269973271766595f12b2e2c1 Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Fri, 15 Aug 2008 19:20:59 +0000
Subject: [PATCH] Allow the network addresses and interface names for the "client" and "workstation" firewall types to be set from rc.conf so that rc.firewall no longer needs local patching to be usable for those types.

For now I've set the variables in /etc/defaults/rc.conf to the previous defaults in /etc/rc.firewall.

PR: bin/65258
Submitted by: Valentin Nechayev netch of netch.kiev.ua
Silence from: net
MFC after: 2 weeks
---
 etc/defaults/rc.conf | 9 +++++++++
 etc/rc.firewall | 21 +++++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index e82da9d96291..07d86f45f9e2 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -115,6 +115,15 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO" # Set to YES to suppress rule display
 firewall_logging="NO" # Set to YES to enable events logging
 firewall_flags="" # Flags passed to ipfw when type is a file
+firewall_client_net="192.0.2.0/24" # Network address for "client" firewall.
+firewall_simple_iif="ed1" # Inside network interface for "simple"
+ # firewall.
+firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
+ # firewall.
+firewall_simple_oif="ed0" # Outside network interface for "simple"
+ # firewall.
+firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
+ # firewall.
 firewall_myservices="" # List of TCP ports on which this host
 # offers services for "workstation" firewall.
 firewall_allowservices="" # List of IPs which have access to
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 980fb524ebbb..bc700d1f8b27 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
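Review bot: The new `firewall_client_net` and `firewall_simple_*` defaults carry over the old sample values (the 192.0.2.0/24 documentation range and the `ed0`/`ed1` interface names), so a host that sets `firewall_type="simple"` or `"client"` without overriding them in /etc/rc.conf gets a rule set naming addresses and interfaces it does not have, and as far as I recall ipfw installs such rules without complaint. The trailing comments on these lines should say so, e.g. `# Sample values; set these to your real network and interfaces in /etc/rc.conf before using the "simple" or "client" type.` The commit message also speaks of the "client" and "workstation" types, while the variables added here serve "client" and "simple", so the description may want correcting.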
@@ -164,10 +164,13 @@ case ${firewall_type} in
 ############
 # This is a prototype setup that will protect your system somewhat
 # against people from outside your own network.
+ #
+ # Configuration:
+ # firewall_client_net: Network address of local network.
 ############
 
- # set these to your network
- net="192.0.2.0/24"
+ # set this to your local network
+ net="$firewall_client_net"
 
 # Allow limited broadcast traffic from my own net.
 ${fwcmd} add pass all from ${net} to 255.255.255.255
@@ -207,15 +210,21 @@ case ${firewall_type} in
 # This is a prototype setup for a simple firewall. Configure this
 # machine as a DNS and NTP server, and point all the machines
 # on the inside at this machine for those services.
+ #
+ # Configuration:
+ # firewall_simple_iif: Inside network interface.
+ # firewall_simple_inet: Inside network address.
+ # firewall_simple_oif: Outside network interface.
+ # firewall_simple_onet: Outside network address.
 ############
 
 # set these to your outside interface network
- oif="ed0"
- onet="192.0.2.0/28"
+ oif="$firewall_simple_oif"
+ onet="$firewall_simple_onet"
 
 # set these to your inside interface network
- iif="ed1"
- inet="192.0.2.16/28"
+ iif="$firewall_simple_iif"
+ inet="$firewall_simple_inet"
 
 # Stop spoofing
 ${fwcmd} add deny all from ${inet} to any in via ${oif}
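Review bot: `net="$firewall_client_net"` is taken over without checking that the rc.conf variable is non-empty, and an empty value turns the next rule into `add pass all from to 255.255.255.255`, which ipfw rejects while the remaining rules of the block keep loading, leaving a partially installed ruleset with no clear error about the cause. A guard before the assignment, `[ -n "${firewall_client_net}" ] || echo "firewall_client_net is not set; check rc.conf" >&2`, would at least make the misconfiguration visible at boot (how the script should abort depends on how rc.d/ipfw invokes it, which is outside this hunk). The same missing check applies to the four `firewall_simple_*` assignments in the second hunk. The `client` case body continues outside the hunk.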
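Review bot: The anti-spoofing rule `${fwcmd} add deny all from ${inet} to any in via ${oif}` now depends on `firewall_simple_oif` naming a real interface, and the value it inherits from /etc/defaults/rc.conf is `ed0`; as far as I recall ipfw accepts an interface name that does not exist on the host, so the rule is installed but never matches, spoofed packets claiming `${inet}` on the real outside interface are not dropped, and nothing in the log says why. Checking both interfaces before the rules are added, `ifconfig "${oif}" >/dev/null 2>&1 || echo "firewall_simple_oif: no such interface ${oif}" >&2` (and likewise for `${iif}`), would surface the misconfiguration at boot instead of silently weakening the ruleset. The `simple` case body continues outside the hunk.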