[Midnightbsd-cvs] src: rc.firewall: Add a desktop configuration example with mild
laffer1 at midnightbsd.org
Thu Aug 30 22:12:37 EDT 2007
Log Message:
-----------
Add a desktop configuration example with mild protection for desktops. This ruleset is not intrusive and blocks ping + unsolicited TCP traffic.
Modified Files:
--------------
src/etc:
rc.firewall (r1.2 -> r1.3)
Index: rc.firewall
===================================================================
RCS file: /home/cvs/src/etc/rc.firewall,v
retrieving revision 1.2
retrieving revision 1.3
diff -Letc/rc.firewall -Letc/rc.firewall -u -r1.2 -r1.3
--- etc/rc.firewall
+++ etc/rc.firewall
@@ -44,6 +44,7 @@
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - will allow anyone in
+# desktop - will try to protect a simple desktop
# client - will try to protect just this machine
# simple - will try to protect a whole network
# closed - totally disables IP services except via lo0 interface
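Review bot: the new "desktop" line in the type list does not say how it differs from "client", which the next line describes in almost the same words; since the log message states that this ruleset blocks ping and unsolicited inbound TCP, say so here so a reader of rc.firewall can choose between the two without reading the rules, e.g. `# desktop - will try to protect a simple desktop (blocks ping and unsolicited inbound TCP)`.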
@@ -118,7 +119,7 @@
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]|[Dd][Ee][Ss][Kk][Tt][Oo][Pp])
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
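Review bot: adding DESKTOP to the OPEN|CLIENT alternative gives it the same natd divert setup as those two types, which is consistent with the ruleset added below (it ends in an allow-all at 65200, so diverted traffic is still passed); the three-way glob pattern is now hard to scan, so consider a short comment above the `case` naming the firewall types that get natd rules, or list the alternatives in the same order as the type list in the header comment.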
@@ -145,6 +146,18 @@
${fwcmd} add 65000 pass all from any to any
;;
+[Dd][Ee][Ss][Kk][Tt][Oo][Pp])
+ setup_loopback
+ ${fwcmd} add deny ip from 224.0.0.0/3 to any in
+ ${fwcmd} add deny tcp from any to 224.0.0.0/3 in
+ ${fwcmd} add allow tcp from any to any out
+ ${fwcmd} add allow tcp from any to any established
+ ${fwcmd} add allow tcp from any to any frag
+ ${fwcmd} add 65000 deny tcp from any to any
+ ${fwcmd} add 65100 deny icmp from any to me in icmptypes 8
+ ${fwcmd} add 65200 allow all from any to any
+ ;;
+
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
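Review bot: the new DESKTOP case has no header comment, while the CLIENT case right below it opens with a `############` block explaining what the rules do; add the same kind of block stating what this ruleset does and does not block, because the behaviour is only clear from reading the rule numbers: everything up to 65000 is auto-numbered, `65000 deny tcp from any to any` stops unsolicited inbound TCP (outbound and established TCP were already allowed above it), `65100 deny icmp ... icmptypes 8` stops inbound echo requests, and `65200 allow all from any to any` then passes everything else, so all inbound UDP and every ICMP type other than echo request remain open. Also note in that comment that `allow tcp from any to any frag` passes non-first fragments in both directions before the 65000 deny, which is needed for reassembly of allowed streams but means tail fragments of unsolicited packets reach the host; that matches the existing rc.firewall practice but is worth stating for a ruleset aimed at desktop users.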