ipfw: Add option for firewall_type to be a directory #1828
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # | ||
| # PROVIDE: final | ||
| # REQUIRE: setup services outbound routing | ||
| # | ||
|
|
||
| # | ||
| add allow tcp from me to any out setup // default outbound | ||
|
|
||
| # silently ignore local multicast | ||
| add deny ip from any to 224.0.0.0/4 // drop multicast | ||
|
|
||
| # drop and log everything else | ||
| add reset log ip from any to any |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # REQUIRE: outbound | ||
| # PROVIDE: ntp_client ntp_servers | ||
| # BEFORE: final | ||
|
|
||
| table ntp_servers create | ||
|
|
||
| # Uncomment and your NTP servers (if they are on known ips in your network) to the following table: | ||
|
|
||
| # table ntp_servers add x.x.x.x | ||
|
|
||
| add allow ip from me to table(ntp_servers) 123 keep-state // NTP outbound |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # | ||
| # REQUIRE: services | ||
| # PROVIDE: outbound | ||
| # BEFORE: final | ||
| # | ||
| # meta class - adds no rules |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # | ||
| # REQUIRE: setup | ||
| # PROVIDE: routing | ||
| # BEFORE: services | ||
| # | ||
| # meta class - adds no rules |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # REQUIRE: setup routing | ||
| # PROVIDE: services | ||
| # BEFORE: outbound | ||
| # | ||
| # meta class - adds no rules |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # | ||
| # PROVIDE: setup blocked bogons | ||
| # BEFORE: services routing outbound final | ||
| # | ||
|
|
||
| # remove all existing tables | ||
| table all destroy | ||
| table blocked create | ||
|
|
||
| # standard (non-service specific) tables | ||
| table bogons create | ||
| table bogons add 0.0.0.0/8 | ||
| table bogons add 10.0.0.0/8 | ||
| table bogons add 172.12.0.0/12 | ||
| table bogons add 192.168.0.0/16 | ||
| table bogons add 169.254.0.0/16 | ||
| table bogons add 240.0.0.0/4 | ||
|
|
||
| # permit existing TCP sessions | ||
| add allow tcp from any to any established | ||
|
|
||
| # permit internal loopback traffic | ||
| add allow ip from any to any via lo0 | ||
| add allow ip from any to any via lo1 | ||
|
|
||
| # deny directed loopback traffic | ||
| add deny ip from any to 127.0.0.0/8 in | ||
| add deny ip from any to ::/64 in | ||
|
|
||
| # deny unexpected sources | ||
| add deny ip from table(bogons) to me in // unexpected sources | ||
|
|
||
| # deny explicitly disabled (non-persistent) sources | ||
| add deny ip from table(blocked) to me in // emergency (non-persistent) blocklist | ||
|
|
||
| # allow bsd-standard-port traceroutes | ||
| add allow udp from me to any 33434-33600 // traceroute in | ||
| add allow udp from any to me 33434-33600 // traceroute out | ||
|
Member
There was a problem hiding this comment. I would prefer:
|
||
|
|
||
| # moderately permissive ICMPv4 | ||
| add allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4 | ||
|
|
||
| # link-local ICMPv6 (RS, RA, NS, NA) - per FreeBSD standard rules | ||
| add allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD | ||
| add allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP | ||
| add allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP | ||
| add allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # REQUIRE: services | ||
| # PROVIDE: ssh_service ssh_clients | ||
| # BEFORE: outbound | ||
|
|
||
| table ssh_clients create | ||
|
|
||
| add allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to update share/man/man5/rc.conf.5 to note that
firewall_typecan be a directory.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That I can do -- this change came out of the way we had modded this file to meet our needs, and obviously, we didn't tweak the docs for our own use. Coming shortly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done (modulo some fighting with github)