From f8646944152674ae29799337cf8652dc6a1d46e9 Mon Sep 17 00:00:00 2001
From: cjc
Date: Thu, 21 Feb 2002 13:14:19 +0000
Subject: [PATCH] Bring rc.firewall{,6} more in line with the word and spirit of rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not exist in the code.
- When provided a ruleset, the system should not make any assumptions about the sites's policy and should add no rules of its own.
- Make the "UNKNOWN" (documented in-line) actual work as advertised, load no rules.
Prodded by: Igor M Podlesny
MFC after: 1 week
---
 etc/rc.firewall | 24 +++++++++++++++++-------
 etc/rc.firewall6 | 37 ++++++++++++++++++++++++------------
 2 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 68e2ef05d45d..57ce6bf2c575 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -76,6 +76,15 @@ fi
 # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
 
+setup_loopback () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fwcmd} add 100 pass all from any to any via lo0
+	${fwcmd} add 200 deny all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
+
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
@@ -125,18 +134,12 @@ esac
 #
 # ${fwcmd} add 65000 pass all from any to any
 
-############
-# Only in rare cases do you want to change these rules
-#
-${fwcmd} add 100 pass all from any to any via lo0
-${fwcmd} add 200 deny all from any to 127.0.0.0/8
-${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-
 # Prototype setups.
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_loopback
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -151,6 +154,8 @@ case ${firewall_type} in
 	mask="255.255.255.0"
 	ip="192.0.2.1"
 
+	setup_loopback
+
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from ${ip} to ${net}:${mask}
 	${fwcmd} add pass all from ${net}:${mask} to ${ip}
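Review bot: The header comment carried into `setup_loopback` still only says these rules are rarely changed; nothing records that, after this patch, they are loaded solely for the prototype firewall_type values (the second hunk removes them from the top level), so a ruleset file or UNKNOWN gets neither the lo0 pass nor the 127.0.0.0/8 anti-spoof rules. An administrator supplying their own file must now add those rules themselves, or loopback traffic is dropped under a default-deny kernel and loopback-spoofed packets are no longer rejected. Add a line above the function such as `# Only called for the prototype types below; a ruleset file must carry its own lo0 and 127.0.0.0/8 rules.` The same note applies to `setup_local` in rc.firewall6.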
@@ -200,6 +205,8 @@ case ${firewall_type} in
 	imask="255.255.255.240"
 	iip="192.0.2.17"
 
+	setup_loopback
+
 	# Stop spoofing
 	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
@@ -281,6 +288,9 @@ case ${firewall_type} in
 	# config file.
 	;;
 
+[Cc][Ll][Oo][Ss][Ee][Dd])
+	setup_loopback
+	;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 	;;
 *)
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index 882737b67002..a8cd69c7290e 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
@@ -49,6 +49,21 @@ fi
 # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
 
+setup_local () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fw6cmd} add 100 pass all from any to any via lo0
+	#
+	# ND
+	#
+	# DAD
+	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+	# RS, RA, NS, NA, redirect...
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+}
+
 if [ -n "${1}" ]; then
 	ipv6_firewall_type="${1}"
 fi
@@ -78,24 +93,12 @@ ${fw6cmd} -f flush
 #
 # ${fw6cmd} add 65000 pass all from any to any
 
-############
-# Only in rare cases do you want to change these rules
-#
-${fw6cmd} add 100 pass all from any to any via lo0
-#
-# ND
-#
-# DAD
-${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
-# RS, RA, NS, NA, redirect...
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
-
 # Prototype setups.
 #
 case ${ipv6_firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_local
 	${fw6cmd} add 65000 pass all from any to any
 	;;
 
@@ -113,6 +116,8 @@ case ${ipv6_firewall_type} in
 	prefixlen="64"
 	ip="3ffe:505:2:1::1"
 
+	setup_local
+
 	# Allow any traffic to or from my own net.
 	${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
 	${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
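Review bot: The new `[Cc][Ll][Oo][Ss][Ee][Dd])` branch in the second hunk loads only `setup_loopback` and adds no deny rule of its own, so whether the host is actually closed depends entirely on the kernel's implicit rule 65535, which denies by default but passes everything on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT; on such a kernel firewall_type=closed behaves like open. A trailing `${fwcmd} add 65000 deny all from any to any` in this branch would make the type closed regardless of how the kernel was configured, and it mirrors the explicit pass that the open branch already emits. The closed branch added to rc.firewall6 in its last hunk has the same dependency on the ip6fw default (IPV6FIREWALL_DEFAULT_TO_ACCEPT) and would want the same explicit deny.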
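Review bot: `setup_local` has no counterpart to rules 200 and 300 of the IPv4 helper: it passes lo0 but never rejects packets addressed to or sourced from ::1 that arrive on other interfaces, so loopback-spoofed IPv6 packets are not dropped the way 127.0.0.0/8 ones are in rc.firewall. Consider adding `${fw6cmd} add 200 deny all from any to ::1` and `${fw6cmd} add 300 deny all from ::1 to any` directly after the lo0 rule. These lines are moved rather than written by this commit, so the gap is pre-existing, but the new helper is the one place every prototype type now goes through.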
@@ -174,6 +179,8 @@ case ${ipv6_firewall_type} in
 	iprefixlen="64"
 	iip="3ffe:505:2:2::1"
 
+	setup_local
+
 	# Stop spoofing
 	${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
 	${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
@@ -265,6 +272,10 @@ case ${ipv6_firewall_type} in
 	# config file.
 	;;
 
+[Cc][Ll][Oo][Ss][Ee][Dd])
+	# Only enable the loopback interface
+	${fw6cmd} add 100 pass all from any to any via lo0
+	;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 	;;
 *)
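Review bot: The IPv6 closed branch in the second hunk inlines a copy of `setup_local`'s first rule instead of calling the helper, and its comment does not say that the ND rules are being left out on purpose; presumably that is the intent (a closed host should not be doing neighbour discovery), but since the IPv4 closed branch does call its helper, the asymmetry reads like an oversight to the next maintainer. State the intent in the comment, e.g. `# Loopback only; the ND rules from setup_local are deliberately not loaded`, or split `setup_local` into a loopback part and an ND part so this branch can reuse the loopback rule rather than duplicate it.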