authorRodney W. Grimes <rgrimes@FreeBSD.org>2000-01-28 11:30:28 +0000
committerRodney W. Grimes <rgrimes@FreeBSD.org>2000-01-28 11:30:28 +0000
commit9b20e2ca56e02f3a5830d9017094a878eea39a0f (patch)
tree4c9c00a94c3e398e7cb04dbb722c80fa35855aef /etc/rc.firewall
parent9e4be63dd6e312fe0e864d23e9636f43cc869541 (diff)
Update this with the additional nets recommended by reading
draft-manning-dsua-01.txt. Stop using public addresses as samples and use the recommended 192.0.2.0/24 netblock that has specifically been set aside for documentation purposes. Reviewed by: readers of freebsd-security did not respond to a request for review
Notes: svn path=/head/; revision=56736
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r--etc/rc.firewall40
1 files changed, 26 insertions, 14 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 47f13631f78a..b8643e3c323a 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -110,9 +110,9 @@ case ${firewall_type} in
############
# set these to your network and netmask and ip
- net="192.168.4.0"
+ net="192.0.2.0"
mask="255.255.255.0"
- ip="192.168.4.17"
+ ip="192.0.2.1"
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
@@ -155,27 +155,39 @@ case ${firewall_type} in
# set these to your outside interface network and netmask and ip
oif="ed0"
- onet="192.168.4.0"
- omask="255.255.255.0"
- oip="192.168.4.17"
+ onet="192.0.2.0"
+ omask="255.255.255.240"
+ oip="192.0.2.1"
# set these to your inside interface network and netmask and ip
iif="ed1"
- inet="192.168.3.0"
- imask="255.255.255.0"
- iip="192.168.3.17"
+ inet="192.0.2.16"
+ imask="255.255.255.240"
+ iip="192.0.2.17"
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
- ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
- ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+ ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+ ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
+ ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+ ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
+ ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+ ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
+
+ # Stop draft-manning-dsua-01.txt nets on the outside interface
+ ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+ ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
+ ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+ ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
+ ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+ ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
+ ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+ ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
+ ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+ ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
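Review bot: The new sample values `onet="192.0.2.0"`/`omask="255.255.255.240"` and `inet="192.0.2.16"`/`imask="255.255.255.240"` both lie inside 192.0.2.0/24, which the rules added further down (`deny all from 192.0.2.0/24 to any via ${oif}` and the matching `to` rule) block on the outside interface, so a host running the "simple" type with the placeholders left unchanged denies all traffic between its own outside network and everywhere else. Nothing in the hunk says that this is deliberate, and the earlier private-address samples did not self-block, so the change in behaviour is easy to miss. I would add above the `onet=` assignment a comment such as `# 192.0.2.0/24 is reserved for documentation (draft-manning-dsua-01.txt) and is denied below; replace these sample values with your real addresses.` The same sample block is used by the `net=`/`ip=` values in the first hunk, but that case statement has no corresponding deny rules visible here, so only the "simple" type appears affected; the enclosing case statement starts and ends outside both hunks.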