authorRoy Marples <uberlord@gentoo.org>2007-05-14 14:01:36 +0000
committerRoy Marples <uberlord@gentoo.org>2007-05-14 14:01:36 +0000
commit863ae437a0926c666886c0cb01683cc2129ecade (patch)
tree7e23ae24acd3d0c6b539da81cc72b15a56cab375 /sys-freebsd
parentVersion bump. (diff)
Add established rules to the firewall and allow logging of denied packets. Thanks to dcoats.
(Portage version: 2.1.2.7)
Diffstat (limited to 'sys-freebsd')
-rw-r--r--sys-freebsd/freebsd-sbin/ChangeLog7
-rw-r--r--sys-freebsd/freebsd-sbin/files/ipfw.confd3
-rw-r--r--sys-freebsd/freebsd-sbin/files/ipfw.initd19
3 files changed, 23 insertions, 6 deletions
diff --git a/sys-freebsd/freebsd-sbin/ChangeLog b/sys-freebsd/freebsd-sbin/ChangeLog
index 781d148e53bd..3dda8a795ffc 100644
--- a/sys-freebsd/freebsd-sbin/ChangeLog
+++ b/sys-freebsd/freebsd-sbin/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for sys-freebsd/freebsd-sbin
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.36 2007/04/11 10:42:37 uberlord Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.37 2007/05/14 14:01:36 uberlord Exp $
+
+ 14 May 2007; Roy Marples <uberlord@gentoo.org> files/ipfw.confd,
+ files/ipfw.initd:
+ Add established rules to the firewall and allow logging of denied packets.
+ Thanks to dcoats.
11 Apr 2007; Roy Marples <uberlord@gentoo.org> files/devd_queue:
Quick fix for baselayout-2
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.confd b/sys-freebsd/freebsd-sbin/files/ipfw.confd
index 78864eef549e..687f92da922f 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.confd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.confd
@@ -5,3 +5,6 @@
# For ease of use, we allow auth and ssh ports through as well.
# To override the list of allowed ports
#PORTS_IN="auth ssh"
+
+# You may want to enable logging of denied connections
+#LOG_DENY="yes"
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.initd b/sys-freebsd/freebsd-sbin/files/ipfw.initd
index b0bd26f82fc2..865d8ce751bb 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.initd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.initd
@@ -39,13 +39,15 @@ init() {
}
start() {
- local x=
+ local x= log=
ebegin "Starting firewall rules"
if ! init ; then
eend 1 "Failed to flush firewall ruleset"
return 1
fi
+ [ "${LOG_DENY}" = "yes" ] && log="log"
+
# Use a statefull firewall
ipfw add check-state
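Review bot: The `log` keyword that the new `[ "${LOG_DENY}" = "yes" ] && log="log"` line turns on only produces output when the kernel's `net.inet.ip.fw.verbose` sysctl is 1, and nothing in this hunk sets it, so LOG_DENY="yes" may silently log nothing; either enable it alongside the variable, e.g. `[ "${LOG_DENY}" = "yes" ] && { log="log"; sysctl net.inet.ip.fw.verbose=1 >/dev/null; }`, or document the requirement in ipfw.confd. The deny rules that consume `${log}` in the next hunk use it without `logamount`, so a flood of denied packets logs unbounded unless `net.inet.ip.fw.verbose_limit` is set elsewhere; `log logamount 100` (or a documented limit) would bound it. The check is also an exact lowercase match, so `LOG_DENY="YES"` is ignored without any message; worth stating in the confd comment. Separately, the new `allow udp ... established` rules in the following hunk look suspect, since `established` is a TCP flag match in ipfw — confirm ipfw accepts it for udp rather than rejecting the rule at start; start() continues past this hunk.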
@@ -53,23 +55,30 @@ start() {
if [ -n "${PORTS_IN}" ] ; then
local pin=
for x in ${PORTS_IN} ; do
- [ -n "${pin}" ] && pin="${pin},"
- pin="${pin}${x}"
+ pin="${pin}${pin:+,}${x}"
done
+ ipfw add allow tcp from any to me ${pin} established keep-state
+ ipfw add allow tcp from any to me6 ${pin} established keep-state
ipfw add allow tcp from any to me ${pin} setup keep-state
ipfw add allow tcp from any to me6 ${pin} setup keep-state
+ ipfw add allow udp from any to me ${pin} established
ipfw add allow udp from any to me ${pin} keep-state
+ ipfw add allow udp from any to me6 ${pin} established
ipfw add allow udp from any to me6 ${pin} keep-state
fi
# Nice flexable rules that disallow incoming except for stuff we
# have asked for, and allow all outgoing.
+ ipfw add allow tcp from me to any established keep-state
ipfw add allow tcp from me to any setup keep-state
+ ipfw add allow tcp from me6 to any established keep-state
ipfw add allow tcp from me6 to any setup keep-state
- ipfw add deny tcp from any to any
+ ipfw add deny ${log} tcp from any to any
+ ipfw add allow udp from me to any established
ipfw add allow udp from me to any keep-state
+ ipfw add allow udp from me6 to any established
ipfw add allow udp from me6 to any keep-state
- ipfw add deny udp from any to any
+ ipfw add deny ${log} udp from any to any
# Be a good firewall and allow some ICMP traffic.
# Remove 8 if you really want to disallow ping.