aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJosef El-Rayes <josef@FreeBSD.org>2004-01-25 21:53:44 +0000
committerJosef El-Rayes <josef@FreeBSD.org>2004-01-25 21:53:44 +0000
commit29d94e46206a222cec93acf00e8450b5635d5887 (patch)
tree99dc7011036b8c5f37d88d09e481d5972dfe5143
parentf9f227c8270a0e549c01f46e252f0113b10eac5f (diff)
downloaddoc-29d94e46206a222cec93acf00e8450b5635d5887.tar.gz
doc-29d94e46206a222cec93acf00e8450b5635d5887.zip
Add some additional sample rules and add a note for 4.X users.
Approved by: simon(mentor) PR: docs/61873 Submitted by: Marc Silver <marcs@draenor.org>
Notes
Notes: svn path=/head/; revision=19833
-rw-r--r--en_US.ISO8859-1/articles/dialup-firewall/article.sgml26
1 files changed, 23 insertions, 3 deletions
diff --git a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
index 5caefcce52..3e1e488ef2 100644
--- a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
+++ b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
@@ -79,7 +79,9 @@
recompile their kernels with <emphasis>IPFW2</emphasis>
support. &os; 4.X users should consult the &man.ipfw.8;
manual page for more information on using IPFW2 on their
- systems.</para></note>
+ systems, and should pay particular attention to the
+ <emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis>
+ section.</para></note>
</listitem>
</varlistentry>
@@ -183,15 +185,33 @@ fwcmd="/sbin/ipfw"
# defaults to tun0.
oif="tun0"
+# Define our inside interface. This is usually your network
+# card. Be sure to change this to match your own network
+# interface.
+iif="fxp0"
+
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
-# Allow all connections that we initiate, and keep their state,
-# but deny established connections that don't have a dynamic rule.
+# Check the state of all packets.
$fwcmd add check-state
+
+# Stop spoofing on the outside interface.
+$fwcmd add deny ip from any to any in via $oif not verrevpath
+
+# Allow all connections that we initiate, and keep their state.
+# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif
+# Allow all connections within our network.
+$fwcmd add allow ip from any to any via $iif
+
+# Allow all local traffic.
+$fwcmd add allow all from any to any via lo0
+$fwcmd add deny all from any to 127.0.0.0/8
+$fwcmd add deny ip from 127.0.0.0/8 to any
+
# Allow internet users to connect to the port 22 and 80.
# This example specifically allows connections to the sshd and a
# webserver.