FreeBSD Bugzilla – Attachment 132123 Details for Bug 176347
[rc.conf] [patch] Add support for firewall deny lists (workstation type)
[patch] file.diff (text/plain), 2.81 KB, created by Noor Dawod on 2013-02-22 10:50:01 UTC
Flags: patch, obsolete
>--- /etc/defaults/rc.conf 2013-02-22 09:37:36.000000000 +0000 >+++ /etc/defaults/rc.conf-new 2013-02-22 10:42:15.000000000 +0000 >@@ -153,6 +153,14 @@ > # firewall. > firewall_trusted="" # List of IPs which have full access to this > # host for "workstation" firewall. >+firewall_denied="" # List of files containing IPv4 and/or IPv6 >+ # addresses that have no access to this host. >+firewall_denied_rule="550" # ipfw rule number used to host all rules >+ # denying access to this host. >+firewall_denied_services="*" # List of TCP ports on which this host >+ # denies services for "workstation" firewall. >+ # If '*' is entered, then all services will >+ # be blocked, TCP or UDP. > firewall_logdeny="NO" # Set to YES to log default denied incoming > # packets for "workstation" firewall. > firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports > >--- /etc/rc.firewall 2012-11-21 09:08:57.000000000 +0000 >+++ /etc/rc.firewall-new 2013-02-22 10:39:02.000000000 +0000 >@@ -433,6 +433,18 @@ > # This option can seriously degrade > # the level of protection provided by > # the firewall. >+ # firewall_denied: List of files containing IPv4 and/or >+ # IPv6 addresses that have no access >+ # to this host. >+ # firewall_denied_rule: ipfw rule number used to host all >+ # rules denying access to hosts listed >+ # in the files in $firewall_denied. >+ # firewall_denied_rule: ipfw rule number used to host all rules >+ # denying access to this host. >+ # firewall_denied_services: List of TCP ports on which this host >+ # denies services for "workstation" firewall. >+ # If '*' is entered, then all services >+ # will be blocked, TCP or UDP. > # firewall_logdeny: Boolean (YES/NO) specifying if the > # default denied packets should be > # logged (in /var/log/security). 
>@@ -498,6 +510,36 @@ > ${fwcmd} add pass ip from $i to me > done > >+ # If specified, deny hosts from reaching this machine. >+ ds=`echo ${firewall_denied_services} | sed 's/ /,/g'` >+ for i in ${firewall_denied} ; do >+ # check that file exists first. >+ if [ -f $i ]; then >+ oldIFS=$IFS >+ IFS=" >+" >+ # Go over all IPs listed in the file. >+ for ip in `cat $i` ; do >+ # Block IP if first character isn't a dash. >+ i=${ip%${ip#?}} >+ if [ $i != "#" ]; then >+ # Cut string when first space is found. >+ # Practical for Postfix files and geographic >+ # CIDR's obtained from online sources. >+ ip=`echo $ip | cut -d " " -f 1` >+ >+ # Add block rule for target IP. >+ if [ "*" = $ds ]; then >+ ${fwcmd} add ${firewall_denied_rule} deny ip from $ip to me >+ else >+ ${fwcmd} add ${firewall_denied_rule} deny tcp from $ip to me $ds in >+ fi >+ fi >+ done >+ IFS=$oldIFS >+ fi >+ done >+ > ${fwcmd} add 65000 count ip from any to any > > # Drop packets to ports where we don't want logging
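Review bot: in the /etc/defaults/rc.conf hunk the comment for firewall_denied_services does not match the code it describes: it is introduced as a "List of TCP ports" but then says '*' blocks "all services ... TCP or UDP", while the rc.firewall hunk emits `deny ip from $ip to me` for '*' (every protocol, not just TCP/UDP) and `deny tcp from $ip to me $ds in` for a port list (TCP only, so UDP on the listed ports is still reachable). Suggest rewording to something like "List of TCP ports to deny for the hosts in $firewall_denied. If '*' is entered, all IP traffic from those hosts is denied" so an administrator does not expect a port list to cover UDP.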
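Review bot: the comment block in the rc.firewall hunk at @@ -433 documents firewall_denied_rule twice with different wording ("ipfw rule number used to host all rules denying access to hosts listed in the files in $firewall_denied" and "ipfw rule number used to host all rules denying access to this host"); drop one, preferably keeping the first since it says where the denied hosts come from.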
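Review bot: the code hunk at @@ -498 has two quoting problems that break the shipped defaults. `ds=\`echo ${firewall_denied_services} | sed 's/ /,/g'\`` and `if [ "*" = $ds ]` leave the value unquoted, so the default "*" undergoes pathname expansion and becomes the list of files in the current directory (and an empty firewall_denied_services produces `[ "*" = ]`, a test syntax error); use `ds=$(echo "${firewall_denied_services}" | sed 's/ /,/g')` and `if [ "$ds" = "*" ]`. Second, the IFS assigned before `for ip in \`cat $i\`` contains a space as well as a newline, so a line such as "192.0.2.1 some comment" (the Postfix-style and geographic lists the comment says this is meant to handle) is split into three words and `some` and `comment` are each handed to ipfw as addresses; set IFS to a newline only and let the `cut -d " " -f 1` select the address. Smaller points: `i=${ip%${ip#?}}` reuses the outer loop variable that holds the file name, the comment says "isn't a dash" while the test is for "#", `[ $i != "#" ]` fails on empty lines (quote it: `[ "$i" != "#" ]`), and the fixed number in ${firewall_denied_rule} (550 by default) is inserted among auto-numbered rules such as the preceding trusted-host `${fwcmd} add pass ip from $i to me`, so whether the deny rules land before or after those passes depends on how many rules were added earlier and should be verified.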