
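--- a/etc/defaults/rc.conf-new
+++ b/etc/defaults/rc.conf-new
@@ -153,6 +153,11 @@
 				# firewall.
 firewall_trusted=""		# List of IPs which have full access to this
 				# host for "workstation" firewall.
+firewall_denied=""              # List of files containing IPv4 and/or IPv6
+                                # addresses that have no access to this host.
+firewall_denied_rule="550"      # ipfw rule number used to host all rules   
+                                # denying access to hosts listed in the files
+                                # in $firewall_denied.
 firewall_logdeny="NO"		# Set to YES to log default denied incoming
 				# packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports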
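--- a/etc/rc.firewall-new
+++ b/etc/rc.firewall-new
@@ -433,6 +433,12 @@
 	#				 This option can seriously degrade
 	#				 the level of protection provided by
 	#				 the firewall.
+	#  firewall_denied:		List of files containing IPv4 and/or
+	#				 IPv6 addresses that have no access
+	#				 to this host.
+	#  firewall_denied_rule:	ipfw rule number used to host all
+	#				 rules denying access to hosts listed
+	#				 in the files in $firewall_denied.
 	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
 	#				 default denied packets should be
 	#				 logged (in /var/log/security).
@@ -498,6 +504,31 @@
 	  ${fwcmd} add pass ip from $i to me
 	done
 
+	# If specified, deny hosts from reaching this machine.
+	for i in ${firewall_denied} ; do
+		# check that file exists first.
+		if [ -f $i ]; then
+			oldIFS=$IFS
+			IFS="
+"
+			# Go over all IPs listed in the file.
+			for ip in `cat $i` ; do
+				# Block IP if first character isn't a dash.
+				i=${ip%${ip#?}}
+				if [ $i != "#" ]; then
+					# Cut string when first space is found.
+					# Practical for Postfix files and geographic
+					# CIDR's obtained from online sources.
+					ip=`echo $ip | cut -d " " -f 1`
+
+					# Add block rule for target IP.
+					${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me
+				fi
+			done
+			IFS=$oldIFS
+		fi
+	done
+
 	${fwcmd} add 65000 count ip from any to any
 
 	# Drop packets to ports where we don't want logging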
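Review bot: The comment at new line 516 says an entry is skipped when its first character is a dash, but the test on line 518 compares against `#`, and line 517 overwrites the outer loop variable `i` (the file name) while the file loop is still running. Whitespace-only lines, or lines whose first non-blank character is `#`, pass the check and reach `${fwcmd}` with an empty or comment-text `$ip`, so ipfw reports a syntax error for that entry instead of it being skipped; the unquoted `$i` in `[ $i != "#" ]` also only stays a single word because of the temporary newline IFS. A separate loop variable with a `case` pattern for the comment test and `${line%% *}` for the first field removes the per-entry `echo | cut` subshell and the clobbering of `i`; the enclosing workstation rule block starts and ends outside this hunk. Whether rule `${firewall_denied_rule}` (default 550) sorts before or after the auto-numbered trusted-host pass rules added just above depends on how many rules precede it, which is not visible here, so the intended ordering is worth stating in the rc.conf comment.
```shell
			# Go over all IPs listed in the file.
			for line in `cat $i` ; do
				# Skip comment lines (first character is '#').
				case "$line" in
				'#'*) continue ;;
				esac
				# Cut string when first space is found.
				# Practical for Postfix files and geographic
				# CIDR's obtained from online sources.
				ip=${line%% *}
				# Skip lines that are empty after trimming.
				[ -n "$ip" ] || continue
				# Add block rule for target IP.
				${fwcmd} add ${firewall_denied_rule} deny ip from "$ip" to me
			done
			# … unchanged: IFS restore and loop closure …
```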
