[Midnightbsd-cvs] src: rc.firewall6: My first pass at a desktop rule like we have for ipv4
laffer1 at midnightbsd.org
Sat Mar 22 01:50:40 EDT 2008
Log Message:
-----------
My first pass at a desktop rule like we have for ipv4 that enables ssh.
Modified Files:
--------------
src/etc:
rc.firewall6 (r1.2 -> r1.3)
Index: rc.firewall6
===================================================================
RCS file: /home/cvs/src/etc/rc.firewall6,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/rc.firewall6 -L etc/rc.firewall6 -u -r1.2 -r1.3
--- etc/rc.firewall6
+++ etc/rc.firewall6
@@ -17,6 +17,7 @@
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - will allow anyone in
+# desktop - will try to protect a simple desktop
# client - will try to protect just this machine
# simple - will try to protect a whole network
# closed - totally disables IP services except via lo0 interface
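Review bot: the new `desktop` description should say what sets it apart from `client`, which the rest of this list leaves implicit; the log message highlights that desktop admits inbound ssh, so the line is more useful as e.g. `# desktop - will try to protect a simple desktop, allowing ssh in when sshd_enable=YES`, so that someone picking a type in /etc/rc.conf knows what is opened.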
@@ -106,6 +107,26 @@
${fw6cmd} add 65000 pass all from any to any
;;
+[Dd][Ee][Ss][Kk][Tt][Oo][Pp])
+ setup_local
+ ${fw6cmd} add allow tcp from any to any out
+ ${fw6cmd} add allow tcp from any to any established
+ ${fw6cmd} add allow tcp from any to any frag
+ case ${sshd_enable} in
+ [Yy][Ee][Ss])
+ ${fw6cmd} add pass tcp from any to me 22 setup
+ ;;
+ esac
+ ${fw6cmd} add 65000 deny tcp from any to any
+ # Allow ICMPv6 destination unreach
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
+ # Allow other traffic
+ ${fw6cmd} add 65200 allow all from any to any
+ ;;
+
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
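Review bot: the closing rule `${fw6cmd} add 65200 allow all from any to any` passes every non-TCP packet in both directions, so inbound UDP and any other non-TCP protocol reach the host unfiltered; the `65000 deny tcp` ahead of it only catches TCP that did not already match the `established`, `frag` or port 22 `setup` rules. For a type described as protecting a desktop, either finish with a deny and explicitly pass what a client host needs (the ICMPv6 types listed here plus at least router advertisement and echo, and the reply traffic for outbound UDP, which ipfw `keep-state`/`check-state` rules can cover), or keep the allow-all tail but put something like `${fw6cmd} add deny udp from any to any in` in front of it for ports that are not meant to be open. As written, the three ICMPv6 pass rules are redundant, because the 65200 allow-all would pass those types anyway, and the comment "(don't filter it out)" reads as though the tail were a deny. Also note that the two unnumbered ICMPv6 rules are added after the numbered 65000 rule, so ipfw auto-numbers them above 65000, between the TCP deny and the allow-all; that is harmless for ICMPv6, but a short comment would save a reader from expecting them to sit with the other unnumbered rules above the deny.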