Index: defaults/rc.conf
===================================================================
--- defaults/rc.conf (revision 180877)
+++ defaults/rc.conf (working copy)
@@ -115,16 +115,29 @@
 firewall_quiet="NO" # Set to YES to suppress rule display
 firewall_logging="NO" # Set to YES to enable events logging
 firewall_flags="" # Flags passed to ipfw when type is a file
+firewall_client_net="10.0.0.0" # Network base for "client" firewall.
+firewall_client_mask="255.0.0.0" # Network mask for "client" firewall.
+firewall_simple_inet="10.0.0.0" # Inside network base for "simple" firewall.
+firewall_simple_imask="255.0.0.0" # Inside network mask for "simple" firewall.
+firewall_simple_iif="rl0" # Inside network interface for "simple"
+ # firewall.
+firewall_simple_onet="192.0.2.0" # Outside network base for "simple" firewall.
+firewall_simple_omask="255.255.255.0" # Outside network mask for "simple"
+ # firewall.
+firewall_simple_oif="xl0" # Outside network interface for "simple"
+ # firewall.
 firewall_myservices="" # List of TCP ports on which this host
- # offers services
-firewall_allowservices="" # List of IPs which has access to
- # $firewall_myservices
-firewall_trusted="" # List of IPs which has full access to this host
+ # offers services for "workstation" firewall.
+firewall_allowservices="" # List of IPs which have access to
+ # $firewall_myservices for "workstation"
+ # firewall.
+firewall_trusted="" # List of IPs which have full access to this
+ # host for "workstation" firewall.
 firewall_logdeny="NO" # Set to YES to log default denied incoming
- # packets.
+ # packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
- # for which denied incoming packets are not
- # logged.
+ # for which denied incoming packets are not
+ # logged for "workstation" firewall.
 firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
 firewall_nat_interface="" # Public interface or IPaddress to use
 firewall_nat_flags="" # Additional configuration parameters
Index: rc.firewall
===================================================================
--- rc.firewall (revision 180877)
+++ rc.firewall (working copy)
@@ -164,19 +164,24 @@
 ############
 # This is a prototype setup that will protect your system somewhat
 # against people from outside your own network.
+ #
+ # Configuration:
+ # firewall_client_net: Network address of local network.
+ # firewall_client_mask: Netmask of local network.
 ############
 
 # set these to your network and netmask and ip
- net="192.0.2.0"
- mask="255.255.255.0"
- ip="192.0.2.1"
+ net="$firewall_client_net"
+ mask="$firewall_client_mask"
+ test -z "$net" && net="192.0.2.0"
+ test -z "$mask" && mask="255.255.255.0"
 
 # Allow limited broadcast traffic from my own net.
 ${fwcmd} add pass all from ${net}:${mask} to 255.255.255.255
 
 # Allow any traffic to or from my own net.
- ${fwcmd} add pass all from ${ip} to ${net}:${mask}
- ${fwcmd} add pass all from ${net}:${mask} to ${ip}
+ ${fwcmd} add pass all from me to ${net}:${mask}
+ ${fwcmd} add pass all from ${net}:${mask} to me
 
 # Allow TCP through if setup succeeded
 ${fwcmd} add pass tcp from any to any established
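Review bot: The added `firewall_client_net="10.0.0.0"` / `firewall_client_mask="255.0.0.0"` (and likewise `firewall_simple_inet`/`firewall_simple_imask`) mean the client firewall's `pass all from ${net}:${mask} to me` rule in the @@ -164 hunk of rc.firewall admits the entire 10/8 range on an unedited install, whereas the in-script values it replaces were TEST-NET examples that matched nothing until the administrator changed them. Because defaults/rc.conf always sets these variables, the `test -z` fallbacks added in the @@ -164 and @@ -210 hunks (`192.0.2.0`, `255.255.255.0`, `ed0`, `ed1`, `192.0.2.16`) are never reached, and they disagree with the values here (`rl0`, `xl0`, `10.0.0.0`), so someone reading rc.firewall alone gets the wrong effective defaults. Either leave these empty so the script fallbacks are the single source of defaults, or make the fallbacks identical to these values. The comments should at least tell the reader the value must match the real local network, e.g. `# Network base for "client" firewall; set to your LAN (10/8 admits every 10.x host).`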
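Review bot: Swapping `${ip}` for `me` in the two `pass all` rules widens them from one configured address to every address on every interface of this host (that is what ipfw's `me` keyword matches), aliases included; the "Allow any traffic to or from my own net" comment should say so rather than leaving readers to assume a single IP. Since `ip=` is deleted here, any `${ip}` reference that may remain further down the client branch (outside this hunk) would now expand to an empty string and yield a malformed rule, so the rest of the branch is worth checking. The enclosing case branch continues past the end of the hunk. Suggested comment: `# "me" matches every address configured on this host, not a single IP.`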
@@ -210,19 +215,31 @@
 # This is a prototype setup for a simple firewall. Configure this
 # machine as a DNS and NTP server, and point all the machines
 # on the inside at this machine for those services.
+ #
+ # Configuration:
+ # firewall_simple_iif: Inside network interface.
+ # firewall_simple_inet: Inside network address.
+ # firewall_simple_imask: Inside network mask.
+ # firewall_simple_oif: Outside network interface.
+ # firewall_simple_onet: Outside network address.
+ # firewall_simple_omask: Outside network mask.
 ############
 
 # set these to your outside interface network and netmask and ip
- oif="ed0"
- onet="192.0.2.0"
- omask="255.255.255.240"
- oip="192.0.2.1"
+ oif="$firewall_simple_oif"
+ onet="$firewall_simple_onet"
+ omask="$firewall_simple_omask"
+ test -z "$oif" && oif="ed0"
+ test -z "$onet" && onet="192.0.2.0"
+ test -z "$omask" && omask="255.255.255.240"
 
 # set these to your inside interface network and netmask and ip
- iif="ed1"
- inet="192.0.2.16"
- imask="255.255.255.240"
- iip="192.0.2.17"
+ iif="$firewall_simple_iif"
+ inet="$firewall_simple_inet"
+ imask="$firewall_simple_imask"
+ test -z "$iif" && iif="ed1"
+ test -z "$inet" && inet="192.0.2.16"
+ test -z "$imask" && imask="255.255.255.240"
 
 # Stop spoofing
 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
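Review bot: Each assign-then-`test -z` pair here (`oif="$firewall_simple_oif"` followed by `test -z "$oif" && oif="ed0"`, and the five like it, plus the two in the @@ -164 hunk) is a single POSIX parameter expansion, `oif="${firewall_simple_oif:-ed0}"`, which halves the block and keeps the variable and its fallback on one line where a reader looking for the default will find it. The comment lines "set these to your outside/inside interface network and netmask and ip" are now stale: the values come from rc.conf and `oip`/`iip` no longer exist, so they should read `# outside interface, network and netmask (from rc.conf; fallbacks below)`. The case branch continues beyond the hunk.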
@@ -278,15 +295,15 @@
 ${fwcmd} add pass all from any to any frag
 
 # Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${oip} 25 setup
+ ${fwcmd} add pass tcp from any to me 25 setup
 
 # Allow access to our DNS
- ${fwcmd} add pass tcp from any to ${oip} 53 setup
- ${fwcmd} add pass udp from any to ${oip} 53
- ${fwcmd} add pass udp from ${oip} 53 to any
+ ${fwcmd} add pass tcp from any to me 53 setup
+ ${fwcmd} add pass udp from any to me 53
+ ${fwcmd} add pass udp from me 53 to any
 
 # Allow access to our WWW
- ${fwcmd} add pass tcp from any to ${oip} 80 setup
+ ${fwcmd} add pass tcp from any to me 80 setup
 
 # Reject&Log all setup of incoming connections from the outside
 ${fwcmd} add deny log tcp from any to any in via ${oif} setup
@@ -295,11 +312,11 @@
 ${fwcmd} add pass tcp from any to any setup
 
 # Allow DNS queries out in the world
- ${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
- ${fwcmd} add pass udp from ${oip} to any 53 keep-state
+ ${fwcmd} add pass tcp from me to any 53 setup keep-state
+ ${fwcmd} add pass udp from me to any 53 keep-state
 
 # Allow NTP queries out in the world
- ${fwcmd} add pass udp from ${oip} to any 123 keep-state
+ ${fwcmd} add pass udp from me to any 123 keep-state
 
 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
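Review bot: `pass tcp from any to me 25 setup`, and the 53 and 80 rules below it, now accept connection setups addressed to any local address, including the inside interface's, whereas the removed `${oip}` confined these listeners to the outside address. A setup packet arriving `in via ${oif}` whose destination is the inside address used to fall through to the `deny log` rule at the end of this hunk and is now accepted instead; whether such a packet can actually reach the host depends on routing the script cannot see, but the rule set no longer enforces it. If the listeners are meant to be outside-only, keep a dedicated outside-address variable for these three rules; otherwise the "Allow setup of incoming email" comment should state the new scope, e.g. `# (to any of this host's addresses; "me" is not limited to ${oif})`. The same widening applies to the outgoing `from me` rules in the @@ -295 hunk, which is harmless there.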