Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address
and any IPv4 address configured on an interface in the system.

Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after: 2 weeks
This commit is contained in:
parent
416458131a
commit
6c1e384c63
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=202460
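--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -143,9 +143,7 @@ firewall_myservices="" # List of TCP ports on which this host
 firewall_allowservices="" # List of IPs which have access to
 # $firewall_myservices for "workstation"
 # firewall.
-firewall_trusted="" # List of IPv4s which have full access to this
-# host for "workstation" firewall.
-firewall_trusted_ipv6="" # List of IPv6s which have full access to this
+firewall_trusted="" # List of IPs which have full access to this
 # host for "workstation" firewall.
 firewall_logdeny="NO" # Set to YES to log default denied incoming
 # packets for "workstation" firewall.
@@ -212,8 +212,8 @@ case ${firewall_type} in
 ${fwcmd} add pass all from me to ${net}
 ${fwcmd} add pass all from ${net} to me
 if [ -n "$net6" ]; then
-${fwcmd} add pass all from me6 to ${net6}
-${fwcmd} add pass all from ${net6} to me6
+${fwcmd} add pass all from me to ${net6}
+${fwcmd} add pass all from ${net6} to me
 fi
 
 if [ -n "$net6" ]; then
@@ -221,7 +221,7 @@ case ${firewall_type} in
 ${fwcmd} add pass all from fe80::/10 to ff02::/16
 ${fwcmd} add pass all from ${net6} to ff02::/16
 # Allow DHCPv6
-${fwcmd} add pass udp from fe80::/10 to me6 546
+${fwcmd} add pass udp from fe80::/10 to me 546
 fi
 
 # Allow TCP through if setup succeeded
@@ -232,30 +232,18 @@ case ${firewall_type} in
 
 # Allow setup of incoming email
 ${fwcmd} add pass tcp from any to me 25 setup
-if [ -n "$net6" ]; then
-${fwcmd} add pass tcp from any to me6 25 setup
-fi
 
 # Allow setup of outgoing TCP connections only
 ${fwcmd} add pass tcp from me to any setup
-if [ -n "$net6" ]; then
-${fwcmd} add pass tcp from me6 to any setup
-fi
 
 # Disallow setup of all other TCP connections
 ${fwcmd} add deny tcp from any to any setup
 
 # Allow DNS queries out in the world
 ${fwcmd} add pass udp from me to any 53 keep-state
-if [ -n "$net6" ]; then
-${fwcmd} add pass udp from me6 to any 53 keep-state
-fi
 
 # Allow NTP queries out in the world
 ${fwcmd} add pass udp from me to any 123 keep-state
-if [ -n "$net6" ]; then
-${fwcmd} add pass udp from me6 to any 123 keep-state
-fi
 
 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -402,25 +390,14 @@ case ${firewall_type} in
 
 # Allow setup of incoming email
 ${fwcmd} add pass tcp from any to me 25 setup
-if [ -n "$inet6" ]; then
-${fwcmd} add pass tcp from any to me6 25 setup
-fi
 
 # Allow access to our DNS
 ${fwcmd} add pass tcp from any to me 53 setup
 ${fwcmd} add pass udp from any to me 53
 ${fwcmd} add pass udp from me 53 to any
-if [ -n "$inet6" ]; then
-${fwcmd} add pass tcp from any to me6 53 setup
-${fwcmd} add pass udp from any to me6 53
-${fwcmd} add pass udp from me6 53 to any
-fi
 
 # Allow access to our WWW
 ${fwcmd} add pass tcp from any to me 80 setup
-if [ -n "$inet6" ]; then
-${fwcmd} add pass tcp from any to me6 80 setup
-fi
 
 # Reject&Log all setup of incoming connections from the outside
 ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
@@ -434,15 +411,9 @@ case ${firewall_type} in
 
 # Allow DNS queries out in the world
 ${fwcmd} add pass udp from me to any 53 keep-state
-if [ -n "$inet6" ]; then
-${fwcmd} add pass udp from me6 to any 53 keep-state
-fi
 
 # Allow NTP queries out in the world
 ${fwcmd} add pass udp from me to any 123 keep-state
-if [ -n "$inet6" ]; then
-${fwcmd} add pass udp from me6 to any 123 keep-state
-fi
 
 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -477,18 +448,13 @@ case ${firewall_type} in
 
 # For services permitted below.
 ${fwcmd} add pass tcp from me to any established
-if [ $ipv6_available -eq 0 ]; then
-${fwcmd} add pass tcp from me6 to any established
-fi
 
 # Allow any connection out, adding state for each.
 ${fwcmd} add pass tcp from me to any setup keep-state
 ${fwcmd} add pass udp from me to any keep-state
 ${fwcmd} add pass icmp from me to any keep-state
 if [ $ipv6_available -eq 0 ]; then
-${fwcmd} add pass tcp from me6 to any setup keep-state
-${fwcmd} add pass udp from me6 to any keep-state
-${fwcmd} add pass ipv6-icmp from me6 to any keep-state
+${fwcmd} add pass ipv6-icmp from me to any keep-state
 fi
 
 # Allow DHCP.
@@ -496,7 +462,7 @@ case ${firewall_type} in
 ${fwcmd} add pass udp from any 67 to me 68 in
 ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
 if [ $ipv6_available -eq 0 ]; then
-${fwcmd} add pass udp from fe80::/10 to me6 546 in
+${fwcmd} add pass udp from fe80::/10 to me 546 in
 fi
 # Some servers will ping the IP while trying to decide if it's
 # still in use.
@@ -525,9 +491,6 @@ case ${firewall_type} in
 for i in ${firewall_allowservices} ; do
 for j in ${firewall_myservices} ; do
 ${fwcmd} add pass tcp from $i to me $j
-if [ $ipv6_available -eq 0 ]; then
-${fwcmd} add pass tcp from $i to me6 $j
-fi
 done
 done
 
@@ -537,9 +500,6 @@ case ${firewall_type} in
 for i in ${firewall_trusted} ; do
 ${fwcmd} add pass ip from $i to me
 done
-for i in ${firewall_trusted_ipv6} ; do
-${fwcmd} add pass all from $i to me6
-done
 
 ${fwcmd} add 65000 count ip from any to any
 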
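Review bot: Dropping the `firewall_trusted_ipv6=""` default in the first hunk and its `for i in ${firewall_trusted_ipv6}` loop in the last hunk leaves no migration path for an rc.conf that still sets that variable: it is silently ignored and those hosts lose their full-access rules, with nothing logged to say why. The failure direction is closed rather than open, so this is a compatibility and documentation gap rather than an exposure, but it is still a surprising behaviour change for existing configurations. Since `me` now covers both families, the cheapest compatible step is to fold the old knob into the new one before the trusted loop, `firewall_trusted="${firewall_trusted} ${firewall_trusted_ipv6}"`, and to mark `firewall_trusted_ipv6` as deprecated in the defaults-block comment, e.g. `# firewall_trusted_ipv6 is deprecated; list IPv6 hosts in firewall_trusted.` The `case ${firewall_type}` arms these hunks sit in begin and end outside the hunks.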