mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-27 21:44:34 +01:00
These files have been replaced by /etc/rc.firewall.
This commit is contained in:
parent 72383443f2
commit da6a96e853
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=17170
@ -1,94 +0,0 @@
# A bit of background is needed here.
#
# - nahanni is the name of my machine on my local Ethernet. My local
# network is a subnet of a class C network. This subnet has 29 bits for
# for the network address and 3 bits for the host address. Consequently,
# "nahanni/29" matches anything on my local network.
#
# - avalon is a (pseudonym) for a machine out on the interned that I trust
# completely.
#
# - zona is the name of my end of the PPP link to my old place of work.
# This name corresponds to an IP address on their class C network.
# Consequently, "zona/24" matches any IP address on their network.
#
# - xnahanni is my end of my PPP link to the university (i.e. the Internet).
#
# - dab-nahanni is my end of the PPP link to my new place of work. They
# have a class B network so "dab-nahanni/16" matches any IP address on
# their network.
# Start from scratch.
ipfw flush
# Basic accept filters to provide local sanity.
# These are the IP addresses of the interfaces on my local machine.
# The first is an Ethernet interface. The rest are PPP interfaces.
ipfw addf accept all from nahanni to 0/0
ipfw addf accept all from xnahanni to 0/0
# handled below: ipfw addf accept all from zona to 0/0
# handled below: ipfw addf accept all from dab-nahanni to 0/0
# Trust my local network.
ipfw addf accept all from nahanni/29 to 0/0
# Allow anything from avalon.
ipfw addf accept all from avalon to 0/0
# Allow anything from our old work (they have a class C network so /24 is appropriate).
# This also allows anything from zona (our end of the work PPP link).
ipfw addf accept all from zona/24 to 0/0
# Allow anything from the new work (and from our end of the PPP link to the
# new place of work).
ipfw addf accept all from dab-nahanni/16 to 0/0
# Allow me to contact any external UDP service and others to contact a few
# of my special udp services.
ipfw addf accept udp from 0/0 to 0/0 900:5000 domain bootp talk ntalk route
# Allow me to contact other services available on untrusted hosts.
# This one is a bit tricky. We allow packets from any foreign port number
# to any local port in the range 900 to 5000. When we are outbound, privileged
# applications use port numbers slightly less than 1024 and normal applications
# allow the local port number to be set by the system (which always picks
# port numbers in the range 1024 to 5000.
# The only services that we offer are for port numbers either below 900
# or over 5000.
#
# This approach theoretically allows outsiders to connect to any services
# that we may offer in the 900:5000 range. The /etc/services file lists
# couple of services in this range (in my humble opinion, this is a bug
# in the /etc/services file). Since we don't run any of these services,
# allowing outsiders to connect to services in this range doesn't constitute
# a security hole.
ipfw addf accept tcp from 0/0 to 0/0 900:5000
# Allow others to contact X-servers on my local network.
# Depend on xhosts to protect things.
ipfw addf accept tcp from 0/0 to nahanni/29 6000
# Allow others to connect to a few basic services.
# We don't actually run the auth service. Allowing it means that others
# get a "connection refused" which is better than the total silence that
# they get if we block it. Also, I've noticed a few sites try to connect
# to it when I send them e-mail. Might as well be polite ...
#
# Note that I don't accept packets destined for sendmail. I send my e-mail
# via the Internet but I receive my e-mail via uucp. If you get your e-mail
# via the Internet then you'll have to add smtp to the list of ports to allow.
ipfw addf accept tcp from 0/0 to 0/0 daytime time nameserver auth
# Allow icmp stuff from anywhere (this isn't described in the README - sorry).
ipfw addf accept icmp from 0/0 to 0/0
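Review bot: removing this example is the right call, and the reasons are visible in the hunk itself: it uses the obsolete `ipfw addf` form, and every trust decision is made on source address alone (`accept all from nahanni to 0/0`, `from nahanni/29`, `from avalon`, `from zona/24`, `from dab-nahanni/16`) with no interface binding, so the rules cannot tell a trusted host from the same address arriving on the wrong link. The `accept tcp from 0/0 to 0/0 900:5000` and `accept tcp from 0/0 to nahanni/29 6000` rules are, by the file's own comments, exposing any service in that range and every X server to arbitrary hosts, and the script ends without an explicit deny, so everything unmatched falls through to whatever the kernel's default policy is. If a worked example is still wanted for documentation, it should be written against /etc/rc.firewall with per-interface rules and a visible closing deny rather than resurrect these lines.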
@ -1,18 +0,0 @@
# This file shows how we allow and deny users in runtime
#
# Default settings...They deny anybody , which connected to our
# PPP lines,to access any host on our development network:
# 192.114.207.*
ipfw addf deny all from 192.114.201.231 to 192.114.208.0/24
ipfw addf deny all from 192.114.201.232 to 192.114.208.0/24
.....
ipfw addf deny all from 192.114.201.238 to 192.114.208.0/24
# VIP Login: this option executes when user VIP enters the system.
# His IP is $VIPIP,which is one of our dial-up lines,for example
# 192.114.201.233
ipfw delf deny all from $VIPIP to 192.114.208.0/24
# VIP Logout: the guy leaves the system...
ipfw addf deny all from $VIPIP to 192.114.208.0/24
#Thats all folks...
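Review bot: two defects in this deleted example should not be carried over into /etc/rc.firewall. First, the comment names the development network as 192.114.207.* while every rule targets 192.114.208.0/24, so either the comment or the rules are wrong. Second, the login/logout pattern fails open: `ipfw delf deny all from $VIPIP to 192.114.208.0/24` removes the only deny at login, and the matching `addf deny` at logout is the sole thing that restores it, so a dropped session or a logout hook that never runs leaves that dial-up address with access indefinitely. The safer shape is a standing deny for the whole dial-up range, with a per-session accept inserted ahead of it at login and removed at logout, so a missed logout fails closed; that also replaces the one-rule-per-address list (and the `.....` elision) with a single range rule.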