From 863ae437a0926c666886c0cb01683cc2129ecade Mon Sep 17 00:00:00 2001
From: Roy Marples
Date: Mon, 14 May 2007 14:01:36 +0000
Subject: Add established rules to the firewall and allow logging of denied packets.

Thanks to dcoats.
(Portage version: 2.1.2.7)
---
 sys-freebsd/freebsd-sbin/ChangeLog        |  7 ++++++-
 sys-freebsd/freebsd-sbin/files/ipfw.confd |  3 +++
 sys-freebsd/freebsd-sbin/files/ipfw.initd | 19 ++++++++++++++-----
 3 files changed, 23 insertions(+), 6 deletions(-)

(limited to 'sys-freebsd')

diff --git a/sys-freebsd/freebsd-sbin/ChangeLog b/sys-freebsd/freebsd-sbin/ChangeLog
index 781d148e53bd..3dda8a795ffc 100644
--- a/sys-freebsd/freebsd-sbin/ChangeLog
+++ b/sys-freebsd/freebsd-sbin/ChangeLog
@@ -1,6 +1,11 @@
 # ChangeLog for sys-freebsd/freebsd-sbin
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.36 2007/04/11 10:42:37 uberlord Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.37 2007/05/14 14:01:36 uberlord Exp $
+
+  14 May 2007; Roy Marples files/ipfw.confd,
+  files/ipfw.initd:
+  Add established rules to the firewall and allow logging of denied packets.
+  Thanks to dcoats.
 
   11 Apr 2007; Roy Marples files/devd_queue:
   Quick fix for baselayout-2

diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.confd b/sys-freebsd/freebsd-sbin/files/ipfw.confd
index 78864eef549e..687f92da922f 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.confd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.confd
@@ -5,3 +5,6 @@
 # For ease of use, we allow auth and ssh ports through as well.
 # To override the list of allowed ports
 #PORTS_IN="auth ssh"
+
+# You may want to enable logging of denied connections
+#LOG_DENY="yes"
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.initd b/sys-freebsd/freebsd-sbin/files/ipfw.initd
index b0bd26f82fc2..865d8ce751bb 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.initd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.initd
@@ -39,13 +39,15 @@ init() {
 }
 
 start() {
-	local x=
+	local x= log=
 	ebegin "Starting firewall rules"
 	if ! init ; then
 		eend 1 "Failed to flush firewall ruleset"
 		return 1
 	fi
 
+	[ "${LOG_DENY}" = "yes" ] && log="log"
+
 	# Use a statefull firewall
 	ipfw add check-state
 
@@ -53,23 +55,30 @@ start() {
 	if [ -n "${PORTS_IN}" ] ; then
 		local pin=
 		for x in ${PORTS_IN} ; do
-			[ -n "${pin}" ] && pin="${pin},"
-			pin="${pin}${x}"
+			pin="${pin}${pin:+,}${x}"
 		done
+		ipfw add allow tcp from any to me ${pin} established keep-state
+		ipfw add allow tcp from any to me6 ${pin} established keep-state
 		ipfw add allow tcp from any to me ${pin} setup keep-state
 		ipfw add allow tcp from any to me6 ${pin} setup keep-state
+		ipfw add allow udp from any to me ${pin} established
 		ipfw add allow udp from any to me ${pin} keep-state
+		ipfw add allow udp from any to me6 ${pin} established
 		ipfw add allow udp from any to me6 ${pin} keep-state
 	fi
 
 	# Nice flexable rules that disallow incoming except for stuff we
 	# have asked for, and allow all outgoing.
+	ipfw add allow tcp from me to any established keep-state
 	ipfw add allow tcp from me to any setup keep-state
+	ipfw add allow tcp from me6 to any established keep-state
 	ipfw add allow tcp from me6 to any setup keep-state
-	ipfw add deny tcp from any to any
+	ipfw add deny ${log} tcp from any to any
+	ipfw add allow udp from me to any established
 	ipfw add allow udp from me to any keep-state
+	ipfw add allow udp from me6 to any established
 	ipfw add allow udp from me6 to any keep-state
-	ipfw add deny udp from any to any
+	ipfw add deny ${log} udp from any to any
 
 	# Be a good firewall and allow some ICMP traffic.
 	# Remove 8 if you really want to disallow ping.
-- 
cgit v1.2.3-65-gdbad
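Review bot: The four new `ipfw add allow udp ... established` rules in the second hunk look like dead rules: if I read ipfw(8) correctly, `established` matches only TCP segments with RST or ACK set, so a UDP rule carrying it never matches, and UDP replies are already accepted through `check-state` by the existing `keep-state` rules, so I would drop those four lines. The TCP `established keep-state` rules deserve a comment, because they accept any ACK/RST-flagged segment to the PORTS_IN ports (and any outbound one) without consulting the dynamic state table, which is what lets connections that predate a rule reload survive but also means ACK probes against those ports are now answered — something like `# established rules keep pre-existing connections alive across a reload; they bypass the dynamic state table`. The `${log}` keyword only produces output when `net.inet.ip.fw.verbose` is non-zero and is throttled by `net.inet.ip.fw.verbose_limit`, so with that sysctl at 0 a flood of denied packets can saturate syslog; consider `log="log logamount ${LOG_AMOUNT:-100}"` and mentioning the sysctl next to `LOG_DENY` in ipfw.confd. start() continues past the end of the hunk.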