
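--- a/etc/defaults/rc.conf-new
+++ b/etc/defaults/rc.conf-new
@@ -153,6 +153,14 @@
 				# firewall.
 firewall_trusted=""		# List of IPs which have full access to this
 				# host for "workstation" firewall.
+firewall_denied=""		# List of files containing IPv4 and/or IPv6
+				# addresses that have no access to this host.
+firewall_denied_rule="550"	# ipfw rule number used to host all rules
+				# denying access to this host.
+firewall_denied_services="*"	# List of TCP ports on which this host
+				# denies services for "workstation" firewall.
+				# If '*' is entered, then all services will
+				# be blocked, TCP or UDP.
 firewall_logdeny="NO"		# Set to YES to log default denied incoming
 				# packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports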
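Review bot: The new firewall_denied comment says which hosts the files list but not what format they must have, and the loader in rc.firewall on this page reads one entry per line, skips lines whose first character is `#`, and keeps only the text before the first space. I would extend the comment to `# addresses that have no access to this host. One address or CIDR per line; lines starting with '#' and text after the first space are ignored.` It is also worth stating that each entry is passed to ipfw as-is, so these files need to be as trusted as rc.conf itself.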
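--- a/etc/rc.firewall-new
+++ b/etc/rc.firewall-new
@@ -433,6 +433,18 @@
 	#				 This option can seriously degrade
 	#				 the level of protection provided by
 	#				 the firewall.
+	#  firewall_denied:		List of files containing IPv4 and/or
+	#				 IPv6 addresses that have no access
+	#				 to this host.
+	#  firewall_denied_rule:	ipfw rule number used to host all
+	#				 rules denying access to hosts listed
+	#				 in the files in $firewall_denied.
+	#  firewall_denied_rule:	ipfw rule number used to host all rules
+	#				 denying access to this host.
+	#  firewall_denied_services:	List of TCP ports on which this host
+	#				 denies services for "workstation" firewall.
+	#				 If '*' is entered, then all services
+	#				 will be blocked, TCP or UDP.
 	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
 	#				 default denied packets should be
 	#				 logged (in /var/log/security).
@@ -498,6 +510,36 @@
 	  ${fwcmd} add pass ip from $i to me
 	done
 
+	# If specified, deny hosts from reaching this machine.
+	ds=`echo ${firewall_denied_services} | sed 's/ /,/g'`
+	for i in ${firewall_denied} ; do
+		# check that file exists first.
+		if [ -f $i ]; then
+			oldIFS=$IFS
+			IFS="
+"
+			# Go over all IPs listed in the file.
+			for ip in `cat $i` ; do
+				# Block IP if first character isn't a dash.
+				i=${ip%${ip#?}}
+				if [ $i != "#" ]; then
+					# Cut string when first space is found.
+					# Practical for Postfix files and geographic
+					# CIDR's obtained from online sources.
+					ip=`echo $ip | cut -d " " -f 1`
+
+					# Add block rule for target IP.
+					if [ "*" = $ds ]; then
+						${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me
+					else
+						${fwcmd} add ${firewall_denied_rule} deny tcp from $ip to me $ds in
+					fi
+				fi
+			done
+			IFS=$oldIFS
+		fi
+	done
+
 	${fwcmd} add 65000 count ip from any to any
 
 	# Drop packets to ports where we don't want logging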
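Review bot: The documented `*` value for firewall_denied_services is subject to pathname expansion in the second hunk: the `ds=` assignment leaves `${firewall_denied_services}` unquoted in its `echo`, so the shell replaces `*` with the file names of the working directory before echo runs, and `[ "*" = $ds ]` globs again, which makes the all-services branch look unreachable with the shipped default unless noglob is set somewhere outside this hunk (nothing visible here sets it), leaving each listed host with a `deny tcp ... in` rule whose port list is whatever that directory held. Quote both sites — `ds=$(printf '%s\n' "${firewall_denied_services}" | sed 's/ /,/g')` and `if [ "$ds" = "*" ]; then` — and quote `$i` in `[ $i != "#" ]` for the same reason. The comment above that test says the line is skipped when its first character is a dash, but the code checks for `#`; I would change it to `# Skip comment lines (first character is '#').` Since the comments anticipate files fetched from online sources, it is also worth noting in the header comment that the text before the first space of every line goes verbatim onto an `ipfw add` command line, so the files must be trusted; a malformed line should only fail that one rule, but that is something to confirm with ipfw rather than assume.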
