Author: Josef El-Rayes <josef@FreeBSD.org>, 2004-01-25 21:53:44 +0000
Committer: Josef El-Rayes <josef@FreeBSD.org>, 2004-01-25 21:53:44 +0000
Add some additional sample rules and add a note for 4.X users.
Approved by: simon (mentor)
PR: docs/61873
Submitted by: Marc Silver <firstname.lastname@example.org>
Notes: svn path=/head/; revision=19833
1 files changed, 23 insertions, 3 deletions
diff --git a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
index 5caefcce52..3e1e488ef2 100644
@@ -79,7 +79,9 @@
recompile their kernels with <emphasis>IPFW2</emphasis>
support. &os; 4.X users should consult the &man.ipfw.8;
manual page for more information on using IPFW2 on their
+ systems, and should pay particular attention to the
+ <emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis>
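Review bot: the added sentence stops at the `<emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis>` element with no visible continuation or terminating punctuation; make sure it completes, e.g. with "section of that manual page.", so the paragraph does not end mid-sentence, and check that the emphasized heading matches the section title in &man.ipfw.8; exactly, since readers will search the manual page for it.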
@@ -183,15 +185,33 @@ fwcmd="/sbin/ipfw"
# defaults to tun0.
+# Define our inside interface. This is usually your network
+# card. Be sure to change this to match your own network
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
-# Allow all connections that we initiate, and keep their state,
-# but deny established connections that don't have a dynamic rule.
+# Check the state of all packets.
$fwcmd add check-state
+# Stop spoofing on the outside interface.
+$fwcmd add deny ip from any to any in via $oif not verrevpath
+# Allow all connections that we initiate, and keep their state.
+# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif
+# Allow all connections within our network.
+$fwcmd add allow ip from any to any via $iif
+# Allow all local traffic.
+$fwcmd add allow all from any to any via lo0
+$fwcmd add deny all from any to 127.0.0.0/8
+$fwcmd add deny ip from 127.0.0.0/8 to any
# Allow internet users to connect to the port 22 and 80.
# This example specifically allows connections to the sshd and a
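Review bot: the new rule `$fwcmd add allow ip from any to any via $iif` relies on `$iif`, but this hunk only adds the comment describing the inside interface ("Define our inside interface. This is usually your network card."); make sure an `iif="..."` assignment is present beside the existing `oif`/`fwcmd` definitions, otherwise the rule expands to `via` with an empty argument and the script fails. Two smaller points: the anti-spoofing rule `$fwcmd add deny ip from any to any in via $oif not verrevpath` uses the `verrevpath` option, which is an IPFW2 feature, so the 4.X note added in the first hunk should say that this sample ruleset needs IPFW2 rather than only pointing at the manual page; and the rewritten comment `+# Allow all connections that we initiate, and keep their state.` ends with a period while the next line continues with "but deny ...", so the original comma should be kept.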