FreeBSD Bugzilla – Attachment 225933 Details for Bug 255775: panic with ipfw turned on at boot time
ruleset mam
ipfw.conf.sh (text/plain), 12.30 KB, created by Michael Meiszl on 2021-06-19 16:45:07 UTC

Description: ruleset mam
Filename: ipfw.conf.sh
MIME Type: text/plain
Creator: Michael Meiszl
Created: 2021-06-19 16:45:07 UTC
Size: 12.30 KB
```sh
#!/bin/sh
# the file /etc/ipfw.conf.sh - configuration script for ipfw

# already established connections continue going through

# For the purpose of this example, 'xl0' is connected to a DSL modem for PPPoE.
# 'xl1' is the adaptor connected to the internal LAN. You should change
# these to match your own system. If you are not using 'PPPoE' then you
# should exclude the entry for the adaptor that is connected to the internet.
# Otherwise, access via 'xl0' is effectively limited to the DSL modem and its
# web-page config screen, and uses a separate subnet from the remaining network.
#
# In cases where 'xl0' has a public IP, substitute 'xl0' for 'tun0'. Otherwise,
# 'tun0' is the adaptor that has the public IP address (via PPPoE).

#ipfw -q -f flush


# nasty mail attack
ipfw add 00100 deny all from 5.188.206.0/24 to any
ipfw add 00101 deny all from 5.101.7.0/24 to any
ipfw add 00102 deny all from 217.112.142.0/24 to any
ipfw add 00110 deny all from 141.98.10.0/24 to any
ipfw add 00120 deny all from 193.169.255.0/24 to any
ipfw add 00130 deny all from 91.237.72.0/24 to any
ipfw add 00140 deny all from 91.237.73.0/24 to any
ipfw add 00141 deny all from 37.49.225.0/24 to any
ipfw add 00142 deny all from 77.247.110.0/24 to any
ipfw add 00143 deny all from 31.210.20.0/24 to any
# internal networks

# French clients
ipfw add 0600 deny all from 194.36.167.0/24 to any
ipfw add 0601 deny all from 37.59.0.0/16 to any
ipfw add 0602 deny all from 37.187.0.0/16 to any

# nuisances from Canada
ipfw add 0650 deny all from 192.95.0.0/18 to any
ipfw add 0651 deny all from 192.99.0.0/16 to any


# Czechia, nothing but nuisances
ipfw add 0700 deny all from 80.90.0.0/16 to any
ipfw add 0701 deny all from 109.94.224.0/24 to any
ipfw add 0702 deny all from 109.94.225.0/24 to any
ipfw add 0703 deny all from 109.94.227.0/24 to any
ipfw add 0704 deny all from 194.28.168.0/24 to any
ipfw add 0705 deny all from 194.28.169.0/24 to any
ipfw add 0706 deny all from 194.28.170.0/24 to any
ipfw add 0707 deny all from 194.28.171.0/24 to any
ipfw add 0708 deny all from 212.70.149.0/24 to any
ipfw add 0709 deny all from 176.113.192.0/24 to any
ipfw add 0710 deny all from 176.113.193.0/24 to any
ipfw add 0711 deny all from 176.113.194.0/24 to any
ipfw add 0712 deny all from 176.113.195.0/24 to any
ipfw add 0713 deny all from 176.113.196.0/24 to any
ipfw add 0714 deny all from 176.113.197.0/24 to any
ipfw add 0716 deny all from 176.113.198.0/24 to any
ipfw add 0717 deny all from 176.113.199.0/24 to any
ipfw add 0718 deny all from 176.113.200.0/24 to any
ipfw add 0719 deny all from 176.113.201.0/24 to any
ipfw add 0720 deny all from 176.113.202.0/24 to any
ipfw add 0721 deny all from 176.113.203.0/24 to any
ipfw add 0722 deny all from 176.113.204.0/24 to any
ipfw add 0724 deny all from 176.113.205.0/24 to any
ipfw add 0725 deny all from 176.113.206.0/24 to any
ipfw add 0726 deny all from 176.113.207.0/24 to any
ipfw add 0727 deny all from 192.168.48.0/22 to any
ipfw add 0728 deny all from 185.40.240.0/22 to any
ipfw add 0729 deny all from 87.249.156.0/24 to any
ipfw add 0730 deny all from 46.32.16.0/20 to any
ipfw add 0731 deny all from 46.23.128.0/20 to any
ipfw add 0732 deny all from 46.167.192.0/19 to any
ipfw add 0733 deny all from 93.99.128.0/17 to any
ipfw add 0734 deny all from 195.242.125.0/24 to any
ipfw add 0735 deny all from 91.137.128.0/17 to any
ipfw add 0736 deny all from 178.77.192.0/19 to any
ipfw add 0737 deny all from 91.82.40.0/21 to any
ipfw add 0738 deny all from 31.170.52.0/24 to any
ipfw add 0739 deny all from 31.170.53.0/24 to any
ipfw add 0740 deny all from 88.199.0.0/16 to any
ipfw add 0741 deny all from 195.136.92.0/22 to any

# Latin America, nothing good comes from there
ipfw add 0800 deny all from 45.0.0.0/8 to any
ipfw add 0801 deny all from 177.0.0.0/8 to any
ipfw add 0802 deny all from 179.0.0.0/8 to any
ipfw add 0803 deny all from 138.0.0.0/8 to any
ipfw add 0804 deny all from 143.0.0.0/8 to any
ipfw add 0805 deny all from 131.0.0.0/8 to any
ipfw add 0806 deny all from 187.0.0.0/8 to any
ipfw add 0807 deny all from 186.0.0.0/8 to any
ipfw add 0808 deny all from 167.0.0.0/8 to any
ipfw add 0809 deny all from 170.0.0.0/8 to any
ipfw add 0809 deny all from 201.0.0.0/8 to any
ipfw add 0810 deny all from 189.0.0.0/8 to any
ipfw add 0811 deny all from 168.0.0.0/8 to any
ipfw add 0812 deny all from 181.0.0.0/8 to any
ipfw add 0813 deny all from 190.0.0.0/8 to any
#ipfw add 0814 deny all from 198.0.0.0/8 to any

ipfw add 0815 deny all from 217.25.112.0/22 to any

# India, where you can buy spammers for breadcrumbs
ipfw add 0820 deny all from 103.0.0.0/8 to any

# Iran, never a welcome sight
ipfw add 0830 deny all from 5.190.0.0/16 to any
ipfw add 0831 deny all from 88.135.0.0/16 to any

# Czechia, another den of iniquity
ipfw add 0850 deny all from 188.0.0.0/8 to any

# Moldova, the arse end of the world
ipfw add 0860 deny all from 77.235.96.0/20 to any


# Russia, always good for a hacker
ipfw add 0870 deny all from 82.208.64.0/18 to any

# Brazil, thoroughly infested
ipfw add 0900 deny all from 191.240.0.0/17 to any
ipfw add 0901 deny all from 186.216.64.0/18 to any
ipfw add 0902 deny all from 170.246.0.0/16 to any
ipfw add 0903 deny all from 187.109.0.0/16 to any
ipfw add 0904 deny all from 177.124.20.0/22 to any
ipfw add 0905 deny all from 191.53.0.0/16 to any
ipfw add 0906 deny all from 186.64.64.0/19 to any
ipfw add 0907 deny all from 186.236.16.0/20 to any
ipfw add 0908 deny all from 200.0.0.0/8 to any
ipfw add 0909 deny all from 191.241.160.0/21 to any
ipfw add 0910 deny all from 186.219.240.0/20 to any

# we are not often in America either
ipfw add 0920 deny all from 158.0.0.0/8 to any
ipfw add 0921 deny all from 72.192.0.0/11 to any

# Asia, we rarely want anyone from there at our mail either
ipfw add 0950 deny all from 106.0.0.0/8 to any
ipfw add 0951 deny all from 14.0.0.0/8 to any
ipfw add 0952 deny all from 42.0.0.0/8 to any

#ipfw add 1000 deny all from 'table(1)' to any
#ipfw add 1001 deny all from 'table(2)' to any
#ipfw add 1002 deny all from 'table(3)' to any

ipfw add 2000 deny all from 178.20.55.18/32 to any
ipfw add 2001 deny all from 193.189.100.205/32 to any
ipfw add 2002 deny all from 139.177.183.60/32 to any


ipfw add 20000 deny all from 45.142.0.0/16 to any
ipfw add 20010 deny all from 192.241.0.0/16 to any

# boerse.to, v6 does not work
ipfw add 30000 deny all from any to 2606:4700:3038::/48

# deny to facebook
ipfw add 30010 deny all from 2a03:2880:f22d:c6:face:b00c:0:7260 to any
ipfw add 30011 deny all from any to 2a03:2880:f22d:c6:face:b00c:0:7260

# censis-scan opt out
ipfw add 30020 deny all from 74.120.14.0/24 to any
ipfw add 30021 deny all from 162.142.125.0/24 to any
ipfw add 30022 deny all from 167.248.133.0/24 to any
ipfw add 30023 deny all from 192.35.168.0/24 to any
ipfw add 30024 deny all from 192.241.237.0/24 to any

ipfw add 31100 allow all from any to any via ix1
ipfw add 31101 allow all from any to any via re0
ipfw add 31102 allow all from any to any via ix0
# don't forget the loopback interface or some things might break
ipfw add 31198 allow all from any to any via lo0
# allow dynamic entries
ipfw add 31199 check-state

# icmp6 (local network, basically allow all icmp6)
ipfw add 31110 allow icmp6 from any to any via ix1 icmp6types \
 1,2,3,4,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,151,152,153,155

# icmp6 for gif0 tunnel (IPv6 4:6 gateway through a service provider)
ipfw add 31111 allow icmp6 from any to any via gif0 icmp6types \
 1,2,3,4,128,129,130,131,132,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,151,152,153,155

# icmp6 (local network, basically allow all icmp6)
ipfw add 31112 allow icmp6 from any to any via ix0 icmp6types \
 1,2,3,4,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,151,152,153,155

# protocol 41 ipv6 tunneling (may be bug, use '41' not ipv6 to prevent problems)
# limit it to the actual tunnel endpoints to prevent spoofing
# The 'tun0' interface is used by PPPoE to connect to the IPv4 internet
# To prevent tunnel hijack/spoof, specify the IP address aa.bb.cc.dd [my global IPv4 address]
# and ww.xx.yy.zz [the tunnel provider's IP address]. These IP addresses would have
# been specified in the tunnel create command for ifconfig already.
#ipfw add 1200 allow 41 from any to any src-ip ww.xx.yy.zz dst-ip aa.bb.cc.dd via tun0
#ipfw add 1201 allow 41 from any to any src-ip aa.bb.cc.dd dst-ip ww.xx.yy.zz via tun0

# allow ICMP to get through on public interface (tun0) for ping, traceroute
#ipfw add 31900 allow icmp from any to any via tun0 icmptypes 0,3,8,11

# udp - prevent broadcast going in/out tun0 (ISP should block this, but...)
ipfw add 31998 deny udp from 255.255.255.255 to any out via gif0
ipfw add 31999 deny udp from any to 255.255.255.255 out via gif0

# remaining udp access control (deny specific services to all but those specified earlier)
ipfw add 32000 allow udp from any to any 1024-65535,domain,auth

# allow udp access to any port when the packet is outgoing or 'fragment'
ipfw add 32001 allow udp from any to any out
# ntpd needs this next one
ipfw add 32002 allow udp from any to any 123
ipfw add 32003 allow udp from any to any frag

# this next section denies incoming IPv4/IPv6 to various services since ALL machines
# have PUBLIC ADDRESSES if they use IPv6


# DNS Server, only expose ONE host
ipfw add 32100 allow tcp from 2003:cf:9813::/48 to 2001:470:70af:1::2 dst-port 53 in via gif0
ipfw add 32150 allow udp from 2003:cf:9813::/48 to 2001:470:70af:1::2 dst-port 53 in via gif0

ipfw add 32160 allow tcp from any to 2001:470:70af:1::4 dst-port 53 in via gif0
ipfw add 32170 allow udp from any to 2001:470:70af:1::4 dst-port 53 in via gif0
ipfw add 32180 allow tcp from any to 2001:470:10fb:244::4 dst-port 53 in via gif0
ipfw add 32190 allow udp from any to 2001:470:10fb:244::4 dst-port 53 in via gif0
#
# Mail Server
#
ipfw add 32500 allow tcp from 2003:cf:9813::/48 to 2001:470:1f0a:242::2 dst-port 25 in via gif0
ipfw add 32510 allow tcp from 2003:cf:9813::/48 to 2001:470:1f0b:244::1 dst-port 25 in via gif0
ipfw add 32511 allow tcp from 2003:cf:9813::/48 to 2001:470:70af:1::1 dst-port 25 in via gif0
ipfw add 32512 allow tcp from 2003:cf:9813::/48 to 2001:470:70af:1::3 dst-port 25 in via gif0
ipfw add 32521 allow tcp from 2001:470::/32 to 2001:470:1f0b:244::1 dst-port 25 in via gif0
ipfw add 32522 allow tcp from 2001:470::/32 to 2001:470:70af:1::1 dst-port 25 in via gif0

ipfw add 32530 allow tcp from any to 2001:470:70af:1::3 dst-port 587 in via gif0

#
# imap
#
ipfw add 32600 allow tcp from any to 2001:470:70af:1::1 dst-port 143,993 in via gif0

#
# Webserver
#
ipfw add 32800 allow tcp from any to 2001:470:1f0b:244::1 dst-port 80,443,8080 in via gif0
ipfw add 32810 allow tcp from any to 2001:470:70af:1::1 dst-port 80,443,8080 in via gif0
ipfw add 32820 allow tcp from any to 2001:470:1f0b:244::3 dst-port 80,443,8080 in via gif0
ipfw add 32830 allow tcp from any to 2001:470:1f0b:242::2 dst-port 80,443,8080 in via gif0

#
# FTP Server
#
ipfw add 32900 allow tcp from any to 2001:470:1f0b:244::4 dst-port 20,21,990,60000-60255 in via gif0
ipfw add 32910 allow tcp from any to 2001:470:70af:1::4 dst-port 20,21,990,60000-60255 in via gif0
ipfw add 32920 allow tcp from any to 2001:470:70af:1::9999 dst-port 20,21,990,60000-60255 in via gif0

#
# internal v6 networks
#
ipfw add 33000 allow tcp from 2001:470:1f0b:244::/64 to 2001:470:70af::/48
ipfw add 33001 allow tcp from 2001:470:70af::/48 to 2001:470:1f0b:244::/64

ipfw add 33500 allow udp from 2001:470:1f0b:244::/64 to 2001:470:70af::/48
ipfw add 33501 allow tcp from 2001:470:70af::/48 to 2001:470:1f0b:244::/64

# outgoing TCP packets - no filtering at all
ipfw add 39997 allow tcp from any to any out


#
# streaming access to the VU+
#
#ipfw add 34000 allow tcp from any to 2001:470:70af:1:21d:ecff:fe10:5c02 dst-port 8001

#
# doorbell
#

#
# SSH access
# only for Thomas on Oscam
#
ipfw add 36000 allow tcp from 2001:470:70af::/48 to any dst-port 22
ipfw add 36010 allow tcp from 2001:470:1f0b:244::/64 to any dst-port 22
ipfw add 36020 allow tcp from fdfd::/64 to any dst-port 22

ipfw add 49000 allow tcp from any to any established
#
# V6 deny all <10000
#
ipfw add 49999 deny tcp from any to any dst-port 1-9999 in via gif0
ipfw add 49998 deny udp from any to any dst-port 1-9999 in via gif0
ipfw add 50000 allow tcp from any to any dst-port 10000-65535 in via gif0
ipfw add 50000 allow udp from any to any dst-port 10000-65535 in via gif0
```
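A ruleset of this shape is hard to review by eye because ipfw(8) evaluates rules in ascending rule-number order regardless of the order the script adds them, and several rules may share one number. The checker below is an added example, not part of the bug report or the attached script; it parses `ipfw add` lines (joining backslash continuations, skipping commented-out rules) and reports duplicated numbers and places where the file order disagrees with the numeric order. `SAMPLE` is a constructed excerpt of the attached ruleset.

```python
import re

# Constructed excerpt of the attached ipfw.conf.sh (a handful of its lines, verbatim).
SAMPLE = r"""
ipfw add 0809 deny all from 170.0.0.0/8 to any
ipfw add 0809 deny all from 201.0.0.0/8 to any
ipfw add 31198 allow all from any to any via lo0
ipfw add 31199 check-state
ipfw add 31110 allow icmp6 from any to any via ix1 icmp6types \
 1,2,3,4,128,129
ipfw add 49999 deny tcp from any to any dst-port 1-9999 in via gif0
ipfw add 49998 deny udp from any to any dst-port 1-9999 in via gif0
ipfw add 50000 allow tcp from any to any dst-port 10000-65535 in via gif0
ipfw add 50000 allow udp from any to any dst-port 10000-65535 in via gif0
"""

# Matches "ipfw add <number> <action> <rest>"; a leading '#' (commented-out rule) never matches.
RULE_RE = re.compile(r"^\s*ipfw\s+add\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Return [(number, action, body)] in file order; joins backslash continuations."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continuation: glue the next physical line on
            pending = line[:-1] + " "
            continue
        pending = ""
        m = RULE_RE.match(line)
        if m:
            # int() drops leading zeros: "0809" and "809" are the same rule number to ipfw.
            rules.append((int(m.group(1)), m.group(2), " ".join(m.group(3).split())))
    return rules


def lint_ruleset(text):
    """Report duplicated rule numbers and lower-numbered rules added after higher ones."""
    rules = parse_rules(text)
    seen = {}
    for num, _, _ in rules:
        seen[num] = seen.get(num, 0) + 1
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    # The kernel still evaluates the lower number first, whatever the script order says.
    out_of_order = [(prev[0], cur[0]) for prev, cur in zip(rules, rules[1:]) if cur[0] < prev[0]]
    return {"rules": len(rules), "duplicates": duplicates, "out_of_order": out_of_order}


if __name__ == "__main__":
    print(lint_ruleset(SAMPLE))
```

Run against the full attachment the same checks also surface the `31110`-`31112` icmp6 rules, which the script adds after `31199 check-state` but which the kernel evaluates before it.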