FreeBSD Bugzilla – Attachment 8992 Details for Bug 18621: Adding ip6fw/firewall support for IPv6 to rc.*
[patch] file.diff
file.diff (text/plain), 5.99 KB, created by James Housley on 2000-05-17 14:10:00 UTC
Description: file.diff
Filename: file.diff
MIME Type: text/plain
Creator: James Housley
Created: 2000-05-17 14:10:00 UTC
Size: 5.99 KB
Flags: patch, obsolete
>--- rc.firewall Mon May 1 15:00:31 2000 >+++ rc.firewall.new Wed May 17 08:47:26 2000 >@@ -66,6 +66,15 @@ > ${fwcmd} -f flush > > ############ >+# If IPv6 firewall is used we need to a a pass rule for IPv6 >+# >+case ${firewall_enable} in >+[Yy][Ee][Ss]) >+ ${fwcmd} add 25 allow ipv6 from any to any >+ ;; >+esac >+ >+############ > # These rules are required for using natd. All packets are passed to > # natd before they encounter your remaining rules. The firewall rules > # will then be run again on each packet after translation by natd, >@@ -74,7 +83,7 @@ > case ${natd_enable} in > [Yy][Ee][Ss]) > if [ -n "${natd_interface}" ]; then >- ${fwcmd} add divert natd all from any to any via ${natd_interface} >+ ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} > fi > ;; > esac >--- rc.firewall6 Wed May 17 08:57:05 2000 >+++ rc.firewall6.new Wed May 17 08:51:30 2000 
>@@ -0,0 +1,132 @@ >+############ >+# Setup system for firewall service. >+# $FreeBSD$ >+ >+# Suck in the configuration variables. >+if [ -r /etc/defaults/rc.conf ]; then >+ . /etc/defaults/rc.conf >+elif [ -r /etc/rc.conf ]; then >+ . /etc/rc.conf >+fi >+ >+############ >+# Define the firewall type in /etc/rc.conf. Valid values are: >+# open - will allow anyone in >+# client - will try to protect just this machine >+# simple - will try to protect a whole network >+# closed - totally disables IP services except via lo0 interface >+# UNKNOWN - disables the loading of firewall rules. >+# filename - will load the rules in the given filename (full path required) >+# >+# For ``client'' and ``simple'' the entries below should be customized >+# appropriately. >+ >+############ >+# >+# If you don't know enough about packet filtering, we suggest that you >+# take time to read this book: >+# >+# Building Internet Firewalls >+# Brent Chapman and Elizabeth Zwicky >+# >+# O'Reilly & Associates, Inc >+# ISBN 1-56592-124-0 >+# http://www.ora.com/ >+# >+# For a more advanced treatment of Internet Security read: >+# >+# Firewalls & Internet Security >+# Repelling the wily hacker >+# William R. Cheswick, Steven M. Bellowin >+# >+# Addison-Wesley >+# ISBN 0-201-6337-4 >+# http://www.awl.com/ >+# >+ >+if [ -n "${1}" ]; then >+ firewall6_type="${1}" >+fi >+ >+############ >+# Set quiet mode if requested >+# >+case ${firewall6_quiet} in >+[Yy][Ee][Ss]) >+ fw6cmd="/sbin/ip6fw -q" >+ ;; >+*) >+ fw6cmd="/sbin/ip6fw" >+ ;; >+esac >+ >+############ >+# Flush out the list before we begin. >+# >+${fw6cmd} -f flush >+ >+############ >+# If you just configured ipfw in the kernel as a tool to solve network >+# problems or you just want to disallow some particular kinds of traffic >+# then you will want to change the default policy to open. You can also >+# do this as your only action by setting the firewall6_type to ``open''. 
>+# >+# ${fw6cmd} add 65000 pass all from any to any >+ >+############ >+# Only in rare cases do you want to change these rules >+# >+${fw6cmd} add 100 pass all from any to any via lo0 >+ >+ >+# Prototype setups. >+# >+case ${firewall6_type} in >+[Oo][Pp][Ee][Nn]) >+ ${fw6cmd} add 65000 pass all from any to any >+ ;; >+ >+[Cc][Ll][Ii][Ee][Nn][Tt]) >+ ############ >+ # This is a prototype setup that will protect your system somewhat >+ # against people from outside your own network. >+ ############ >+ >+ # set these to your network and netmask and ip >+ # >+ # This needs more work >+ # >+ ;; >+ >+[Ss][Ii][Mm][Pp][Ll][Ee]) >+ ############ >+ # This is a prototype setup for a simple firewall. Configure this >+ # machine as a named server and ntp server, and point all the machines >+ # on the inside at this machine for those services. >+ ############ >+ >+ # >+ # ND >+ # >+ # DAD >+ ${fw6cmd} add pass ipv6-icmp from ff02::/16 to :: >+ ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 >+ # RS, RA, NS, NA, redirect... >+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 >+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 >+ >+ ${fw6cmd} add pass tcp from any to any established >+ >+ # RIPng >+ ${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 >+ >+ ;; >+ >+[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) >+ ;; >+*) >+ if [ -r "${firewall6_type}" ]; then >+ ${fw6cmd} ${firewall6_flags} ${firewall6_type} >+ fi >+ ;; >+esac >--- rc.network Mon Mar 27 16:39:49 2000 >+++ rc.network.new Wed May 17 08:54:29 2000 
>@@ -228,6 +228,41 @@ > ;; > esac > >+ case ${firewall6_enable} in >+ [Yy][Ee][Ss]) >+ if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then >+ firewall_in_kernel=1 >+ echo "Kernel firewall module loaded." >+ elif [ "${firewall_in_kernel}" -eq 0 ]; then >+ echo "Warning: firewall kernel module failed to load." >+ fi >+ ;; >+ esac >+ >+ # Load the filters if required >+ # >+ case ${firewall_in_kernel} in >+ 1) >+ if [ -z "${firewall6_script}" ]; then >+ firewall6_script=/etc/rc.firewall6 >+ fi >+ >+ case ${firewall6_enable} in >+ [Yy][Ee][Ss]) >+ if [ -r "${firewall6_script}" ]; then >+ . "${firewall6_script}" >+ echo -n 'Firewall rules loaded, starting divert daemons:' >+ >+ elif [ "`ip6fw l 65535`" = "65535 deny ip from any to any" ]; then >+ echo -n "Warning: kernel has firewall functionality, " >+ echo "but firewall rules are not enabled." >+ echo " All ip services are disabled." >+ fi >+ ;; >+ esac >+ ;; >+ esac >+ > # Additional ATM interface configuration > # > if [ -n "${atm_pass1_done}" ]; then >--- defaults/rc.conf Mon Apr 17 09:17:11 2000 >+++ defaults/rc.conf.new Wed May 17 08:39:41 2000 >@@ -48,6 +48,11 @@ > firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) > firewall_quiet="NO" # Set to YES to suppress rule display > firewall_flags="" # Flags passed to ipfw when type is a file >+firewall6_enable="NO" # Set to YES to enable firewall functionality >+firewall6_script="/etc/rc.firewall6" # Which script to run to set up the firewall >+firewall6_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) >+firewall6_quiet="NO" # Set to YES to suppress rule display >+firewall6_flags="" # Flags passed to ipfw when type is a file > natd_program="/sbin/natd" # path to natd, if you want a different one. > natd_enable="NO" # Enable natd (if firewall_enable == YES). > natd_interface="fxp0" # Public interface or IPaddress to use.
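Review bot: the new `case ${firewall_enable}` block in the rc.firewall hunk at -66,6 tests the IPv4 variable, so `add 25 allow ipv6 from any to any` is installed unconditionally (rc.firewall only runs when firewall_enable is YES) instead of only "if IPv6 firewall is used" as the comment says; it should test `${firewall6_enable}`. Because the rule is numbered 25 it sits ahead of the natd divert at 50 and of every rule the selected firewall_type installs, including "closed", so whatever ipfw classifies as protocol `ipv6` (for ipfw of this vintage that is the protocol named ipv6 in /etc/protocols, i.e. IPv6 carried inside IPv4) bypasses the rest of the IPv4 rule set whether or not ip6fw is compiled in to filter the inner packets. The comment should say that this traffic is expected to be policed by ip6fw, and the typo "we need to a a pass rule" should read "we need to add a pass rule".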
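Review bot: giving the natd divert rule the fixed number 50 in the rc.firewall hunk at -74,7 is what keeps it behind the new rule 25, but the comment above the natd block does not record that dependency; add a line there stating that the IPv6 pass rule (25) must precede the divert, so that renumbering one does not silently reorder the other. The flush at the top of rc.firewall runs before both, so the fixed number only matters for rules added afterwards, which is worth saying for anyone who loads their own numbered rules with firewall_type set to a file.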
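Review bot: the configuration block at the top of the new rc.firewall6 sources /etc/defaults/rc.conf and, because of the `elif`, never reads /etc/rc.conf when the defaults file exists. rc.network includes this script with `.` into its own shell, so re-reading the defaults resets `firewall6_type` to "UNKNOWN" and `firewall6_quiet` to "NO" (the values the defaults/rc.conf hunk adds) and discards the administrator's settings; the script then takes the UNKNOWN branch, installs only the lo0 rule, and the kernel's built-in default becomes the whole IPv6 policy. rc.firewall avoids this by calling `source_rc_confs` after sourcing the defaults; do the same here, or drop the sourcing since the variables are already set when rc.network includes the script. In the same hunk: the header promises that "client" will "try to protect just this machine", but the `client` case body is only the comment "This needs more work" and emits no rules, so selecting it yields the kernel default plus lo0 with no warning; mark it unimplemented in the header and print a warning from that case, or fill it in before commit. In the `simple` case the first DAD rule, `pass ipv6-icmp from ff02::/16 to ::`, can never match a legitimate packet (ff02::/16 is a multicast prefix and not valid as a source; DAD solicitations go from :: to the solicited-node group, which the second rule covers), while neighbour discovery between global addresses is not admitted at all, since a solicitation for a global target is sent from a global source and the advertisement returns unicast global-to-global, neither of which matches the fe80::/10 rules. The case comment says this host is to be the name and NTP server for the inside, yet no rule admits DNS or NTP over IPv6, and `pass tcp from any to any established` matches on flag bits alone (ACK or RST set), so any inbound segment with ACK set passes regardless of connection state; that is the trade-off rc.firewall makes, but the comment should say so, and there is no explicit final deny, so the effective policy depends on the kernel default that the rc.network hunk probes for. Finally, the comments still talk about configuring "ipfw" in the kernel; change them to ip6fw/IPV6FIREWALL, and correct "Bellowin" to "Bellovin".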
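Review bot: the `firewall6_enable` block in the rc.network hunk at -228,6 runs `kldload ipfw` and sets `firewall_in_kernel=1`, i.e. it loads and records the IPv4 firewall, yet that same flag is what gates loading of `${firewall6_script}` below. On a kernel built with IPV6FIREWALL but without IPFIREWALL and with no ipfw module, the IPv6 rules are never installed and the only message is about the IPv4 module; on a kernel with ipfw but no ip6fw, the script runs and every `ip6fw` call fails. Probe for ip6fw separately (the `ip6fw l 65535` call already used in the hunk will do) into its own `firewall6_in_kernel` variable. Two smaller points in the same hunk: `echo -n 'Firewall rules loaded, starting divert daemons:'` is copied from the IPv4 path, but nothing follows it here (there is no natd for IPv6), so the line is misleading and left unterminated; and the string compared against `ip6fw l 65535`, "65535 deny ip from any to any", is the ipfw one, so verify it against what ip6fw actually prints for its default rule, since a mismatch means the "rules are not enabled" warning is never printed, and its text ("All ip services are disabled") should say IPv6.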
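Review bot: the comments on the five new `firewall6_*` lines in the defaults/rc.conf hunk still point at /etc/rc.firewall and say "Flags passed to ipfw"; they should read /etc/rc.firewall6 and ip6fw, and the `firewall6_enable` comment should say IPv6 firewall functionality, otherwise an administrator reading the defaults file cannot tell the two families apart. The unchanged `natd_enable` comment "(if firewall_enable == YES)" remains correct, since natd stays IPv4-only and nothing in this patch adds an IPv6 equivalent.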