author | Roy Marples <uberlord@gentoo.org> | 2007-05-14 14:01:36 +0000 |
committer | Roy Marples <uberlord@gentoo.org> | 2007-05-14 14:01:36 +0000 |
commit | 565a7c3793afebfcd712752982adc2e5bb8899a9 (patch) | |
tree | 59629b85cf9a5bcec6011f14b587740bc074cbe2 /sys-freebsd | |
parent | Version bump. (diff) | |
Add established rules to the firewall and allow logging of denied packets. Thanks to dcoats.
Package-Manager: portage-2.1.2.7
Diffstat (limited to 'sys-freebsd')
-rw-r--r-- | sys-freebsd/freebsd-sbin/ChangeLog | 7 | ||||
-rw-r--r-- | sys-freebsd/freebsd-sbin/Manifest | 24 | ||||
-rw-r--r-- | sys-freebsd/freebsd-sbin/files/ipfw.confd | 3 | ||||
-rw-r--r-- | sys-freebsd/freebsd-sbin/files/ipfw.initd | 19 |
4 files changed, 35 insertions, 18 deletions
diff --git a/sys-freebsd/freebsd-sbin/ChangeLog b/sys-freebsd/freebsd-sbin/ChangeLog
index 781d148e53bd..3dda8a795ffc 100644
--- a/sys-freebsd/freebsd-sbin/ChangeLog
+++ b/sys-freebsd/freebsd-sbin/ChangeLog
@@ -1,6 +1,11 @@
 # ChangeLog for sys-freebsd/freebsd-sbin
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.36 2007/04/11 10:42:37 uberlord Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.37 2007/05/14 14:01:36 uberlord Exp $
+
+  14 May 2007; Roy Marples <uberlord@gentoo.org> files/ipfw.confd,
+  files/ipfw.initd:
+  Add established rules to the firewall and allow logging of denied packets.
+  Thanks to dcoats.
   11 Apr 2007; Roy Marples <uberlord@gentoo.org> files/devd_queue:
   Quick fix for baselayout-2
diff --git a/sys-freebsd/freebsd-sbin/Manifest b/sys-freebsd/freebsd-sbin/Manifest
index f8fa4ee98b0d..895375d77494 100644
--- a/sys-freebsd/freebsd-sbin/Manifest
+++ b/sys-freebsd/freebsd-sbin/Manifest
@@ -26,14 +26,14 @@ AUX freebsd-sbin-zlib.patch 793 RMD160 ba321e563ba92e73c4183740e425d50471fbffcf MD5 ae8e21abde36bcbc19d3464d1e368033 files/freebsd-sbin-zlib.patch 793 RMD160 ba321e563ba92e73c4183740e425d50471fbffcf files/freebsd-sbin-zlib.patch 793 SHA256 a02a2f8dda23952f6d90100fd1dddc3a3a5048653a74fb1f4b52ceb18bedb448 files/freebsd-sbin-zlib.patch 793 -AUX ipfw.confd 292 RMD160 78901ec3b3dbd67da089c2a9cd40d6b6457ffa06 SHA1 a67c0d7edcf116460413b6fc8dcedffa209ca79d SHA256 8e09c8c290b9323e9e7125329886d1f8514e00165500080723f788eec5dae733 -MD5 18215c72775a2311d20176188be16525 files/ipfw.confd 292 -RMD160 78901ec3b3dbd67da089c2a9cd40d6b6457ffa06 files/ipfw.confd 292 -SHA256 8e09c8c290b9323e9e7125329886d1f8514e00165500080723f788eec5dae733 files/ipfw.confd 292 -AUX ipfw.initd 2424 RMD160 3b95ab5045493cf723d1eba7fbca43d6c65fb661 SHA1 0cf7941ca6d29579b5768d6f0ecdb223b3c84a9b SHA256 3b0d52a221210fda64faeccd2e48abfe4f50f83018d9c273f96ff089e527482e -MD5 b78c1d8cae8707de42a7729416a3f3b5 files/ipfw.initd 2424 -RMD160 3b95ab5045493cf723d1eba7fbca43d6c65fb661 files/ipfw.initd 2424 -SHA256 3b0d52a221210fda64faeccd2e48abfe4f50f83018d9c273f96ff089e527482e files/ipfw.initd 2424 +AUX ipfw.confd 364 RMD160 3dd11070d6e8936ac5fff02693aeb501255a8019 SHA1 f4dcaee7a10d29c002b95527ff85409ac61f9a89 SHA256 97911a2f003e2108c1f5da04b84a3b73fbccbde48fe58af0f056d8a9effbb3d3 +MD5 0cebeebb657dc2e0c46ce1012b2d7597 files/ipfw.confd 364 +RMD160 3dd11070d6e8936ac5fff02693aeb501255a8019 files/ipfw.confd 364 +SHA256 97911a2f003e2108c1f5da04b84a3b73fbccbde48fe58af0f056d8a9effbb3d3 files/ipfw.confd 364 +AUX ipfw.initd 2912 RMD160 3777eb8af49e70aab7fe86e49f520534998dd222 SHA1 1a3d30ccdd3f97cf381a1f087e64c156796d0587 SHA256 36fa6bbf915c16213d6e4455652fff2af2daf4b14cd6986f017fb0e1c796c990 +MD5 5dab6ca83cb058227ce12bf36c762ce0 files/ipfw.initd 2912 +RMD160 3777eb8af49e70aab7fe86e49f520534998dd222 files/ipfw.initd 2912 +SHA256 36fa6bbf915c16213d6e4455652fff2af2daf4b14cd6986f017fb0e1c796c990 files/ipfw.initd 
2912 AUX sysctl.initd 664 RMD160 e07440c9cc9fb4aa36dd724ffd7e01bdcdb7658f SHA1 9928928c154eaba070e75c5c99cee539a0c9875a SHA256 3f58694d02a1cd57e02e28d51b3e598e9edb022ba52c64be352bc392604de717 MD5 edc2fd562e52937c9b100df106b39d1a files/sysctl.initd 664 RMD160 e07440c9cc9fb4aa36dd724ffd7e01bdcdb7658f files/sysctl.initd 664 @@ -53,10 +53,10 @@ EBUILD freebsd-sbin-6.2.ebuild 2756 RMD160 248395564ee560c18166c075e95b25bd48308 MD5 896bd762d6714ae266a8af3dd16fc929 freebsd-sbin-6.2.ebuild 2756 RMD160 248395564ee560c18166c075e95b25bd48308159 freebsd-sbin-6.2.ebuild 2756 SHA256 bed2cca5e89e0210e5d41f1f731d17fe6ef234cc32e9557d04c108bcb9c2d560 freebsd-sbin-6.2.ebuild 2756 -MISC ChangeLog 8666 RMD160 fe52a1464b8135cabd8f6ed1238f0a572cbc2588 SHA1 732574a7d25707be168e7acda9564fe7203095f1 SHA256 8eb39fb74a37554bbd82b330fb2bbbb1370f86cd3bac8ff0dfff788c4aadaa3b -MD5 b2779cc253cef3ce89ece3c1f31108c0 ChangeLog 8666 -RMD160 fe52a1464b8135cabd8f6ed1238f0a572cbc2588 ChangeLog 8666 -SHA256 8eb39fb74a37554bbd82b330fb2bbbb1370f86cd3bac8ff0dfff788c4aadaa3b ChangeLog 8666 +MISC ChangeLog 8851 RMD160 e22db6a5099dd004e02b10552111144c6e626b8e SHA1 28097d7dc4852fb393355182afe75ebba32386a1 SHA256 5cbf0081d47ed9873f8763fd8ed1caeaedbdf1070396b0111962c0b9aa8d0de9 +MD5 2edadc0589f7c8ed76576d51539e5260 ChangeLog 8851 +RMD160 e22db6a5099dd004e02b10552111144c6e626b8e ChangeLog 8851 +SHA256 5cbf0081d47ed9873f8763fd8ed1caeaedbdf1070396b0111962c0b9aa8d0de9 ChangeLog 8851 MISC metadata.xml 156 RMD160 60b5820a08275f307e5bd936d78f5afd1f141086 SHA1 d9d9d4f2b5afc58339ea3e562fca490156935f1f SHA256 30ab515d6ac492d3d6c36ac3c675511742c2149e56a6b3228c8d22ab8edb3ff7 MD5 2bd48a5ae413433cbb36110b219ce97c metadata.xml 156 RMD160 60b5820a08275f307e5bd936d78f5afd1f141086 metadata.xml 156 diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.confd b/sys-freebsd/freebsd-sbin/files/ipfw.confd index 78864eef549e..687f92da922f 100644 --- a/sys-freebsd/freebsd-sbin/files/ipfw.confd +++ b/sys-freebsd/freebsd-sbin/files/ipfw.confd 
@@ -5,3 +5,6 @@
 # For ease of use, we allow auth and ssh ports through as well.
 # To override the list of allowed ports
 #PORTS_IN="auth ssh"
+
+# You may want to enable logging of denied connections
+#LOG_DENY="yes"
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.initd b/sys-freebsd/freebsd-sbin/files/ipfw.initd
index b0bd26f82fc2..865d8ce751bb 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.initd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.initd
@@ -39,13 +39,15 @@ init() {
 }
 start() {
-	local x=
+	local x= log=
 	ebegin "Starting firewall rules"
 	if ! init ; then
 		eend 1 "Failed to flush firewall ruleset"
 		return 1
 	fi
+	[ "${LOG_DENY}" = "yes" ] && log="log"
+
 	# Use a statefull firewall
 	ipfw add check-state
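Review bot: Setting `log="log"` from LOG_DENY only yields log lines when the kernel's ipfw logging is enabled; as far as I recall the `log` keyword is accepted regardless, but with `net.inet.ip.fw.verbose` at 0 nothing reaches syslog, so `LOG_DENY="yes"` silently does nothing on a default kernel. The new comment in ipfw.confd should say so, e.g. `# Logging also requires net.inet.ip.fw.verbose=1 (see ipfw(8)); net.inet.ip.fw.verbose_limit rate-limits the output.` Alternatively start() could set that sysctl itself on the same line that sets `log`, which would make the knob self-contained. start() continues past the end of this hunk.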
@@ -53,23 +55,30 @@ start() {
 	if [ -n "${PORTS_IN}" ] ; then
 		local pin=
 		for x in ${PORTS_IN} ; do
-			[ -n "${pin}" ] && pin="${pin},"
-			pin="${pin}${x}"
+			pin="${pin}${pin:+,}${x}"
 		done
+		ipfw add allow tcp from any to me ${pin} established keep-state
+		ipfw add allow tcp from any to me6 ${pin} established keep-state
 		ipfw add allow tcp from any to me ${pin} setup keep-state
 		ipfw add allow tcp from any to me6 ${pin} setup keep-state
+		ipfw add allow udp from any to me ${pin} established
 		ipfw add allow udp from any to me ${pin} keep-state
+		ipfw add allow udp from any to me6 ${pin} established
 		ipfw add allow udp from any to me6 ${pin} keep-state
 	fi
 	# Nice flexable rules that disallow incoming except for stuff we
 	# have asked for, and allow all outgoing.
+	ipfw add allow tcp from me to any established keep-state
 	ipfw add allow tcp from me to any setup keep-state
+	ipfw add allow tcp from me6 to any established keep-state
 	ipfw add allow tcp from me6 to any setup keep-state
-	ipfw add deny tcp from any to any
+	ipfw add deny ${log} tcp from any to any
+	ipfw add allow udp from me to any established
 	ipfw add allow udp from me to any keep-state
+	ipfw add allow udp from me6 to any established
 	ipfw add allow udp from me6 to any keep-state
-	ipfw add deny udp from any to any
+	ipfw add deny ${log} udp from any to any
 	# Be a good firewall and allow some ICMP traffic.
 	# Remove 8 if you really want to disallow ping. |
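Review bot: The four new `udp ... established` rules look like dead rules: in ipfw `established` matches on the TCP RST/ACK flags and, as far as I can tell, is only ever true for TCP, so on a udp rule it never fires and the UDP reply traffic is still carried entirely by the existing `keep-state` rules on the following lines. I would drop the two udp `established` lines inside the PORTS_IN block and the two in the outbound section rather than ship rules that imply coverage they do not provide; the TCP `established keep-state` additions are fine. If ipfw(8) on some release rejects the option instead of ignoring it, nothing here would notice, because the exit status of the `ipfw add` calls is not checked — a rule that fails to load leaves a gap that `eend` never reports. start() continues past the end of this hunk.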