Update this with the additional nets recommended by reading
draft-manning-dsua-01.txt. Stop using public addresses as samples and use the recommended 192.0.2.0/24 netblock that has specifically been set aside for documentation purposes. Reviewed by: readers of freebsd-security did not respond to a request for review
This commit is contained in:
parent
17f54b4408
commit
286cc6ca6a
@ -110,9 +110,9 @@ case ${firewall_type} in
|
||||
############
|
||||
|
||||
# set these to your network and netmask and ip
|
||||
net="192.168.4.0"
|
||||
net="192.0.2.0"
|
||||
mask="255.255.255.0"
|
||||
ip="192.168.4.17"
|
||||
ip="192.0.2.1"
|
||||
|
||||
# Allow any traffic to or from my own net.
|
||||
${fwcmd} add pass all from ${ip} to ${net}:${mask}
|
||||
@ -155,27 +155,39 @@ case ${firewall_type} in
|
||||
|
||||
# set these to your outside interface network and netmask and ip
|
||||
oif="ed0"
|
||||
onet="192.168.4.0"
|
||||
omask="255.255.255.0"
|
||||
oip="192.168.4.17"
|
||||
onet="192.0.2.0"
|
||||
omask="255.255.255.240"
|
||||
oip="192.0.2.1"
|
||||
|
||||
# set these to your inside interface network and netmask and ip
|
||||
iif="ed1"
|
||||
inet="192.168.3.0"
|
||||
imask="255.255.255.0"
|
||||
iip="192.168.3.17"
|
||||
inet="192.0.2.16"
|
||||
imask="255.255.255.240"
|
||||
iip="192.0.2.17"
|
||||
|
||||
# Stop spoofing
|
||||
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
|
||||
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
|
||||
|
||||
# Stop RFC1918 nets on the outside interface
|
||||
${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
|
||||
${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
|
||||
${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
|
||||
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
|
||||
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
|
||||
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
|
||||
|
||||
# Stop draft-manning-dsua-01.txt nets on the outside interface
|
||||
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
|
||||
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
|
||||
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
|
||||
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
|
||||
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
|
||||
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
|
||||
|
||||
# Allow TCP through if setup succeeded
|
||||
${fwcmd} add pass tcp from any to any established
|
||||
|
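Review bot: The new bogon rules `${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}` and `${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}` also match the placeholder addresses this same hunk assigns above (`onet="192.0.2.0"`, `oip="192.0.2.1"`, `inet="192.0.2.16"`), so a ruleset loaded with the samples left unedited denies the outside interface's own traffic; that is presumably the intent of using the documentation block, but the comments before the assignments should say so, e.g. `# NOTE: 192.0.2.0/24 is reserved for documentation (draft-manning-dsua-01.txt) and is denied below; replace every address here with your real ones.` Separately, the `0.0.0.0/8` and `240.0.0.0/4` denies on ${oif} cover the source 0.0.0.0 and destination 255.255.255.255 that a DHCP client uses, so an outside interface configured via DHCP needs a pass rule ahead of them; a one-line caveat next to the "Stop draft-manning-dsua-01.txt nets" comment would save readers a debugging session. The enclosing case arm starts before the hunk and appears to continue past it.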