[PC-BSD Commits] r13400 - pcbsd/current/system-overlay/usr/local/share/pcbsd/scripts

svn at pcbsd.org svn at pcbsd.org
Mon Oct 17 08:52:13 PDT 2011


Author: kris
Date: 2011-10-17 08:52:13 -0700 (Mon, 17 Oct 2011)
New Revision: 13400

Modified:
   pcbsd/current/system-overlay/usr/local/share/pcbsd/scripts/reset-firewall
Log:

Improve our default firewall rules with comments and fixes



Modified: pcbsd/current/system-overlay/usr/local/share/pcbsd/scripts/reset-firewall
===================================================================
--- pcbsd/current/system-overlay/usr/local/share/pcbsd/scripts/reset-firewall	2011-10-17 15:17:51 UTC (rev 13399)
+++ pcbsd/current/system-overlay/usr/local/share/pcbsd/scripts/reset-firewall	2011-10-17 15:52:13 UTC (rev 13400)
@@ -19,16 +19,29 @@
 echo "antispoof quick for lo0 inet" >> $pf_rules
 # block anything coming from source we have no back routes for
 echo "block in from no-route to any" >> $pf_rules
-# Allow all outgoing traffic
+
+echo "# Block all other incoming" >> $pf_rules
+echo "block in log" >> $pf_rules
+
+echo ''  >> $pf_rules
+echo '# Allow all outgoing traffic' >> $pf_rules
 echo "pass out keep state" >> $pf_rules
-echo 'table <blacklist> persist file "/etc/blacklist"'  >> $pf_rules
-echo "pass inet proto icmp from any to any" >> $pf_rules
-echo "pass inet6 proto icmp6 from any to any" >> $pf_rules
-#############################################################
 
 # Deny all from our blacklist
+echo ''  >> $pf_rules
+echo '# Block blacklist'  >> $pf_rules
+echo 'table <blacklist> persist file "/etc/blacklist"'  >> $pf_rules
 echo "block from <blacklist> to any" >> $pf_rules
 
+echo ''  >> $pf_rules
+echo "# Enable ICMP for IPv4 IPv6" >> $pf_rules
+echo "pass proto icmp all" >> $pf_rules
+echo "pass proto icmp6 all" >> $pf_rules
+#############################################################
+
+echo ''  >> $pf_rules
+echo '# Nic Specific Rules'  >> $pf_rules
+
 DEVLIST=`ifconfig -l`
 
 echo ${DEVLIST} | grep "lagg0" >/dev/null 2>/dev/null
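Review bot: The blacklist rule emitted at the `block from <blacklist> to any` line now precedes the new `pass proto icmp all` / `pass proto icmp6 all` lines, and since pf applies the last matching rule unless a rule is marked `quick`, ICMP/ICMPv6 from a blacklisted address will be passed rather than blocked; before this change the blacklist block came after the ICMP pass rules, so it took precedence. Making the blacklist block terminal restores the intended behaviour regardless of ordering: `echo "block quick from <blacklist> to any" >> $pf_rules`. The same consideration applies to the moved `block in log` default, which works as a default only because every later `pass` rule overrides it, so that one should stay non-quick; a short comment written to the rules file saying so, e.g. `echo "# default deny; later pass rules override (last match wins)" >> $pf_rules`, would keep future edits from reintroducing the ordering bug this commit fixes. The `$pf_rules` expansions are unquoted throughout the hunk (pre-existing), which is harmless only as long as the path never contains whitespace.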
@@ -76,6 +89,3 @@
   fi
 done
 
-echo "# Block all other incoming" >> $pf_rules
-echo "block in log" >> $pf_rules
-


