Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw scripts as well.
This commit is contained in:
Max Laier
parent
8a7c7f9cc3
commit
9277da52e1
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=158497
@ -171,15 +171,9 @@ daily_status_security_pfdenied_enable="YES"
|
||||
# 550.ipfwlimit
|
||||
daily_status_security_ipfwlimit_enable="YES"
|
||||
|
||||
# 600.ip6fwdenied
|
||||
daily_status_security_ip6fwdenied_enable="YES"
|
||||
|
||||
# 610.ipf6denied
|
||||
daily_status_security_ipf6denied_enable="YES"
|
||||
|
||||
# 650.ip6fwlimit
|
||||
daily_status_security_ip6fwlimit_enable="YES"
|
||||
|
||||
# 700.kernelmsg
|
||||
daily_status_security_kernelmsg_enable="YES"
|
||||
|
||||
|
||||
@ -1,53 +0,0 @@
|
||||
#!/bin/sh -
|
||||
#
|
||||
# Copyright (c) 2001 The FreeBSD Project
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# If there is a global system configuration file, suck it in.
|
||||
#
|
||||
if [ -r /etc/defaults/periodic.conf ]
|
||||
then
|
||||
. /etc/defaults/periodic.conf
|
||||
source_periodic_confs
|
||||
fi
|
||||
|
||||
. /etc/periodic/security/security.functions
|
||||
|
||||
rc=0
|
||||
|
||||
case "$daily_status_security_ip6fwdenied_enable" in
|
||||
[Yy][Ee][Ss])
|
||||
TMP=`mktemp -t security`
|
||||
if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
|
||||
check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
|
||||
fi
|
||||
rc=$?
|
||||
rm -f ${TMP};;
|
||||
*) rc=0;;
|
||||
esac
|
||||
|
||||
exit $rc
|
||||
@ -1,63 +0,0 @@
|
||||
#!/bin/sh -
|
||||
#
|
||||
# Copyright (c) 2001 The FreeBSD Project
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# Show ip6fw rules which have reached the log limit
|
||||
#
|
||||
|
||||
# If there is a global system configuration file, suck it in.
|
||||
#
|
||||
if [ -r /etc/defaults/periodic.conf ]
|
||||
then
|
||||
. /etc/defaults/periodic.conf
|
||||
source_periodic_confs
|
||||
fi
|
||||
|
||||
rc=0
|
||||
|
||||
case "$daily_status_security_ip6fwlimit_enable" in
|
||||
[Yy][Ee][Ss])
|
||||
TMP=`mktemp -t security`
|
||||
IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
|
||||
if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
|
||||
ip6fw -a l | grep " log " | \
|
||||
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
|
||||
awk -v limit="$IPFW_LOG_LIMIT" \
|
||||
'{if ($2 > limit) {print $0}}' > ${TMP}
|
||||
if [ -s "${TMP}" ]; then
|
||||
rc=1
|
||||
echo ""
|
||||
echo 'ip6fw log limit reached:'
|
||||
cat ${TMP}
|
||||
fi
|
||||
fi
|
||||
rm -f ${TMP};;
|
||||
*) rc=0;;
|
||||
esac
|
||||
|
||||
exit $rc
|
||||
@ -8,8 +8,6 @@ FILES= 100.chksetuid \
|
||||
510.ipfdenied \
|
||||
520.pfdenied \
|
||||
550.ipfwlimit \
|
||||
600.ip6fwdenied \
|
||||
650.ip6fwlimit \
|
||||
700.kernelmsg \
|
||||
800.loginfail \
|
||||
900.tcpwrap \
|
||||
|
||||
@ -20,7 +20,7 @@ ip6fw_prestart()
|
||||
{
|
||||
# Load IPv6 firewall module, if not already loaded
|
||||
if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then
|
||||
kldload ip6fw && {
|
||||
kldload ipfw && {
|
||||
debug 'Kernel IPv6 firewall module loaded.'
|
||||
return 0
|
||||
}
|
||||
@ -41,7 +41,7 @@ ip6fw_start()
|
||||
if [ -r "${ipv6_firewall_script}" ]; then
|
||||
. "${ipv6_firewall_script}"
|
||||
echo 'IPv6 Firewall rules loaded.'
|
||||
elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
|
||||
elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then
|
||||
warn 'IPv6 firewall rules have not been loaded. Default' \
|
||||
' to DENY all access.'
|
||||
fi
|
||||
@ -50,7 +50,7 @@ ip6fw_start()
|
||||
#
|
||||
if checkyesno ipv6_firewall_logging; then
|
||||
echo 'IPv6 Firewall logging=YES'
|
||||
sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
|
||||
sysctl net.inet.ip.fw.verbose=1 >/dev/null
|
||||
fi
|
||||
|
||||
# Enable the firewall
|
||||
|
||||
153
etc/rc.firewall6
153
etc/rc.firewall6
@ -54,17 +54,17 @@ setup_local () {
|
||||
############
|
||||
# Only in rare cases do you want to change these rules
|
||||
#
|
||||
${fw6cmd} add 100 pass all from any to any via lo0
|
||||
${fw6cmd} add 200 deny all from any to ::1
|
||||
${fw6cmd} add 300 deny all from ::1 to any
|
||||
${fw6cmd} add 100 pass ip6 from any to any via lo0
|
||||
${fw6cmd} add 200 deny ip6 from any to ::1
|
||||
${fw6cmd} add 300 deny ip6 from ::1 to any
|
||||
#
|
||||
# ND
|
||||
#
|
||||
# DAD
|
||||
${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
|
||||
${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
|
||||
# RS, RA, NS, NA, redirect...
|
||||
${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
|
||||
${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
|
||||
${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
|
||||
${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
|
||||
}
|
||||
|
||||
if [ -n "${1}" ]; then
|
||||
@ -76,10 +76,10 @@ fi
|
||||
#
|
||||
case ${ipv6_firewall_quiet} in
|
||||
[Yy][Ee][Ss])
|
||||
fw6cmd="/sbin/ip6fw -q"
|
||||
fw6cmd="/sbin/ipfw -q"
|
||||
;;
|
||||
*)
|
||||
fw6cmd="/sbin/ip6fw"
|
||||
fw6cmd="/sbin/ipfw"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -102,7 +102,7 @@ ${fw6cmd} -f flush
|
||||
case ${ipv6_firewall_type} in
|
||||
[Oo][Pp][Ee][Nn])
|
||||
setup_local
|
||||
${fw6cmd} add 65000 pass all from any to any
|
||||
${fw6cmd} add 65000 pass ip6 from any to any
|
||||
;;
|
||||
|
||||
[Cc][Ll][Ii][Ee][Nn][Tt])
|
||||
@ -122,41 +122,42 @@ case ${ipv6_firewall_type} in
|
||||
setup_local
|
||||
|
||||
# Allow any traffic to or from my own net.
|
||||
${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
|
||||
${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
|
||||
${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen}
|
||||
${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip}
|
||||
|
||||
# Allow any link-local multicast traffic
|
||||
${fw6cmd} add pass all from fe80::/10 to ff02::/16
|
||||
${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
|
||||
${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16
|
||||
${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16
|
||||
|
||||
# Allow TCP through if setup succeeded
|
||||
${fw6cmd} add pass tcp from any to any established
|
||||
${fw6cmd} add pass ip6 from any to any established proto tcp
|
||||
|
||||
# Allow IP fragments to pass through
|
||||
${fw6cmd} add pass all from any to any frag
|
||||
${fw6cmd} add pass ip6 from any to any frag
|
||||
|
||||
# Allow setup of incoming email
|
||||
${fw6cmd} add pass tcp from any to ${ip} 25 setup
|
||||
${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp
|
||||
|
||||
# Allow setup of outgoing TCP connections only
|
||||
${fw6cmd} add pass tcp from ${ip} to any setup
|
||||
${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp
|
||||
|
||||
# Disallow setup of all other TCP connections
|
||||
${fw6cmd} add deny tcp from any to any setup
|
||||
${fw6cmd} add deny ip6 from any to any setup proto tcp
|
||||
|
||||
# Allow DNS queries out in the world
|
||||
${fw6cmd} add pass udp from any 53 to ${ip}
|
||||
${fw6cmd} add pass udp from ${ip} to any 53
|
||||
${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp
|
||||
${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp
|
||||
|
||||
# Allow NTP queries out in the world
|
||||
${fw6cmd} add pass udp from any 123 to ${ip}
|
||||
${fw6cmd} add pass udp from ${ip} to any 123
|
||||
${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp
|
||||
${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp
|
||||
|
||||
# Allow ICMPv6 destination unreach
|
||||
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
|
||||
${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
|
||||
|
||||
# Allow NS/NA/toobig (don't filter it out)
|
||||
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
|
||||
${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
|
||||
proto ipv6-icmp
|
||||
|
||||
# Everything else is denied by default, unless the
|
||||
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
|
||||
@ -185,94 +186,96 @@ case ${ipv6_firewall_type} in
|
||||
setup_local
|
||||
|
||||
# Stop spoofing
|
||||
${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
|
||||
${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
|
||||
${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif}
|
||||
${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif}
|
||||
|
||||
# Stop unique local unicast address on the outside interface
|
||||
${fw6cmd} add deny all from fc00::/7 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to fc00::/7 via ${oif}
|
||||
${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif}
|
||||
|
||||
# Stop site-local on the outside interface
|
||||
${fw6cmd} add deny all from fec0::/10 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to fec0::/10 via ${oif}
|
||||
${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif}
|
||||
|
||||
# Disallow "internal" addresses to appear on the wire.
|
||||
${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif}
|
||||
|
||||
# Disallow packets to malicious IPv4 compatible prefix.
|
||||
${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
|
||||
${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
|
||||
${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
|
||||
${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif}
|
||||
|
||||
${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif}
|
||||
|
||||
# Disallow packets to malicious 6to4 prefix.
|
||||
${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
|
||||
${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
|
||||
${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
|
||||
${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif}
|
||||
|
||||
${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
|
||||
${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
|
||||
${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif}
|
||||
${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif}
|
||||
|
||||
${fw6cmd} add deny all from ff05::/16 to any via ${oif}
|
||||
${fw6cmd} add deny all from any to ff05::/16 via ${oif}
|
||||
${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif}
|
||||
${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif}
|
||||
|
||||
# Allow TCP through if setup succeeded
|
||||
${fw6cmd} add pass tcp from any to any established
|
||||
|
||||
# Allow IP fragments to pass through
|
||||
${fw6cmd} add pass all from any to any frag
|
||||
${fw6cmd} add pass ip6 from any to any frag
|
||||
|
||||
# Allow setup of incoming email
|
||||
${fw6cmd} add pass tcp from any to ${oip} 25 setup
|
||||
${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp
|
||||
|
||||
# Allow access to our DNS
|
||||
${fw6cmd} add pass tcp from any to ${oip} 53 setup
|
||||
${fw6cmd} add pass udp from any to ${oip} 53
|
||||
${fw6cmd} add pass udp from ${oip} 53 to any
|
||||
${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp
|
||||
${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp
|
||||
${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp
|
||||
|
||||
# Allow access to our WWW
|
||||
${fw6cmd} add pass tcp from any to ${oip} 80 setup
|
||||
${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp
|
||||
|
||||
# Reject&Log all setup of incoming connections from the outside
|
||||
${fw6cmd} add deny log tcp from any to any in via ${oif} setup
|
||||
${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \
|
||||
proto tcp
|
||||
|
||||
# Allow setup of any other TCP connection
|
||||
${fw6cmd} add pass tcp from any to any setup
|
||||
${fw6cmd} add pass ip6 from any to any setup proto tcp
|
||||
|
||||
# Allow DNS queries out in the world
|
||||
${fw6cmd} add pass udp from any 53 to ${oip}
|
||||
${fw6cmd} add pass udp from ${oip} to any 53
|
||||
${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp
|
||||
${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp
|
||||
|
||||
# Allow NTP queries out in the world
|
||||
${fw6cmd} add pass udp from any 123 to ${oip}
|
||||
${fw6cmd} add pass udp from ${oip} to any 123
|
||||
${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp
|
||||
${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp
|
||||
|
||||
# Allow RIPng
|
||||
#${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
|
||||
#${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
|
||||
#${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp
|
||||
#${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp
|
||||
|
||||
# Allow ICMPv6 destination unreach
|
||||
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
|
||||
${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
|
||||
|
||||
# Allow NS/NA/toobig (don't filter it out)
|
||||
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
|
||||
${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
|
||||
proto ipv6-icmp
|
||||
|
||||
# Everything else is denied by default, unless the
|
||||
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
|
||||
@ -281,7 +284,7 @@ case ${ipv6_firewall_type} in
|
||||
|
||||
[Cc][Ll][Oo][Ss][Ee][Dd])
|
||||
# Only enable the loopback interface
|
||||
${fw6cmd} add 100 pass all from any to any via lo0
|
||||
${fw6cmd} add 100 pass ip6 from any to any via lo0
|
||||
;;
|
||||
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
|
||||
;;
|
||||
|
||||
@ -536,20 +536,6 @@ Set to
|
||||
to display
|
||||
.Xr ipfw 8
|
||||
rules that have reached their verbosity limit.
|
||||
.It Va daily_status_security_ip6fwdenied_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to show log entries for packets denied by
|
||||
.Xr ip6fw 8
|
||||
since yesterday's check.
|
||||
.It Va daily_status_security_ip6fwlimit_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to display
|
||||
.Xr ip6fw 8
|
||||
rules that have reached their verbosity limit.
|
||||
.It Va daily_status_security_kernelmsg_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
|
||||
@ -402,7 +402,7 @@ to load IPv6 firewall rules at startup.
|
||||
If the kernel was not built with
|
||||
.Cd "options IPV6FIREWALL" ,
|
||||
the
|
||||
.Pa ip6fw.ko
|
||||
.Pa ipfw.ko
|
||||
kernel module will be loaded.
|
||||
.It Va firewall_script
|
||||
.Pq Vt str
|
||||
|
||||
Loading…
Reference in New Issue
Block a user