From netch@grizzly.carrier.kiev.ua  Tue Apr  6 10:13:09 2004
Return-Path: <netch@grizzly.carrier.kiev.ua>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9B45816A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 Apr 2004 10:13:09 -0700 (PDT)
Received: from grizzly.carrier.kiev.ua (grizzly.carrier.kiev.ua [193.193.193.138])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 388E043D4C
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 Apr 2004 10:13:08 -0700 (PDT)
	(envelope-from netch@grizzly.carrier.kiev.ua)
Received: from grizzly.carrier.kiev.ua (localhost [127.0.0.1])
	by grizzly.carrier.kiev.ua (8.12.10/8.12.10) with ESMTP id i36HCFw6049750;
	Tue, 6 Apr 2004 20:12:15 +0300 (EEST)
	(envelope-from netch@grizzly.carrier.kiev.ua)
Received: (from root@localhost)
	by grizzly.carrier.kiev.ua (8.12.10/8.12.10/Submit) id i36HCEtG049749;
	Tue, 6 Apr 2004 20:12:14 +0300 (EEST)
	(envelope-from netch)
Message-Id: <200404061712.i36HCEtG049749@grizzly.carrier.kiev.ua>
Date: Tue, 6 Apr 2004 20:12:14 +0300 (EEST)
From: Valentin Nechayev <netch@netch.kiev.ua>
Reply-To: Valentin Nechayev <netch@netch.kiev.ua>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: save /etc/rc.firewall from changing for standard firewall types
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         65258
>Category:       bin
>Synopsis:       [patch] [request] save /etc/rc.firewall from changing for standard firewall types
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 06 10:20:08 PDT 2004
>Closed-Date:    Thu Sep 11 19:27:54 UTC 2008
>Last-Modified:  Thu Sep 11 19:27:54 UTC 2008
>Originator:     Valentin Nechayev
>Release:        FreeBSD 5.2.1-RELEASE i386
>Organization:
home sweet home
>Environment:
FreeBSD 5.2.1-RELEASE
FreeBSD 4.9-RELEASE

(last -current has the same file)

>Description:

When setting up a firewall of a standard type, one unfortunately has to edit
/etc/rc.firewall for network, netmask and local IP.
Local IP isn't required since ipfw began to understand `me'.
Network and netmask are better obtained from rc.conf.

>How-To-Repeat:

Use a standard firewall type.

>Fix:

--- src/etc/rc.firewall.0	Tue Apr  6 19:40:15 2004
+++ src/etc/rc.firewall	Tue Apr  6 20:00:24 2004
@@ -151,15 +151,16 @@
 	############
 
 	# set these to your network and netmask and ip
-	net="192.0.2.0"
-	mask="255.255.255.0"
-	ip="192.0.2.1"
+	net="$firewall_client_net"
+	mask="$firewall_client_mask"
+	test -z "$net" && net="192.0.2.0"
+	test -z "$mask" && mask="255.255.255.0"
 
 	setup_loopback
 
 	# Allow any traffic to or from my own net.
-	${fwcmd} add pass all from ${ip} to ${net}:${mask}
-	${fwcmd} add pass all from ${net}:${mask} to ${ip}
+	${fwcmd} add pass all from me to ${net}:${mask}
+	${fwcmd} add pass all from ${net}:${mask} to me
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
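Review bot: the script-side fallbacks `test -z "$net" && net="192.0.2.0"` and `test -z "$mask" && mask="255.255.255.0"` can only fire when rc.conf leaves the variable empty, but the companion defaults/rc.conf hunk ships firewall_client_net="10.0.0.0" and firewall_client_mask="255.0.0.0", so these fallbacks are dead code once /etc/defaults/rc.conf is sourced and the two sets of defaults disagree. Pick one place for the defaults (or, as an alternative, fail when the variables are empty). Note also that the `pass all from ${net}:${mask} to me` rules below trust the whole configured network, so replacing the old placeholder 192.0.2.0/255.255.255.0 with a shipped 10.0.0.0/255.0.0.0 widens the trusted range for anyone who enables the client type without setting these variables; the rc.conf comments should say the values must be adjusted.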
@@ -168,19 +169,19 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to ${ip} 25 setup
+	${fwcmd} add pass tcp from any to me 25 setup
 
 	# Allow setup of outgoing TCP connections only
-	${fwcmd} add pass tcp from ${ip} to any setup
+	${fwcmd} add pass tcp from me to any setup
 
 	# Disallow setup of all other TCP connections
 	${fwcmd} add deny tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from ${ip} to any 53 keep-state
+	${fwcmd} add pass udp from me to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from ${ip} to any 123 keep-state
+	${fwcmd} add pass udp from me to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
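Review bot: switching `${ip}` to `me` in `pass tcp from any to me 25 setup` changes the rule's scope: `me` matches every address configured on the host (aliases and all interfaces), whereas `${ip}` matched exactly one. On a single-homed client that is equivalent and removes the need to edit the file; on a multi-homed host it accepts SMTP setup on every local address, which the "Allow setup of incoming email" comment should spell out so that nobody assumes the old single-address behaviour.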
@@ -195,16 +196,20 @@
 	############
 
 	# set these to your outside interface network and netmask and ip
-	oif="ed0"
-	onet="192.0.2.0"
-	omask="255.255.255.240"
-	oip="192.0.2.1"
+	oif="$firewall_simple_oif"
+	onet="$firewall_simple_onet"
+	omask="$firewall_simple_omask"
+	test -z "$oif" && oif="ed0"
+	test -z "$onet" && onet="192.0.2.0"
+	test -z "$omask" && omask="255.255.255.240"
 
 	# set these to your inside interface network and netmask and ip
-	iif="ed1"
-	inet="192.0.2.16"
-	imask="255.255.255.240"
-	iip="192.0.2.17"
+	iif="$firewall_simple_iif"
+	inet="$firewall_simple_inet"
+	imask="$firewall_simple_imask"
+	test -z "$iif" && iif="ed1"
+	test -z "$inet" && inet="192.0.2.16"
+	test -z "$imask" && imask="255.255.255.240"
 
 	setup_loopback
 
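Review bot: `oip` and `iip` are dropped here, but only the uses inside the hunks shown are rewritten; any `${oip}` or `${iip}` reference that remains elsewhere in the simple section would now expand to an empty string and yield a rule with a missing address (for example `from any to  25 setup`), which is either a parse error or not the rule intended. Please grep the whole file for both names before committing, and consider `set -u`-style detection for the remaining variables rather than silent empty expansion.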
@@ -262,15 +267,15 @@
 	${fwcmd} add pass all from any to any frag
 
 	# Allow setup of incoming email
-	${fwcmd} add pass tcp from any to ${oip} 25 setup
+	${fwcmd} add pass tcp from any to me 25 setup
 
 	# Allow access to our DNS
-	${fwcmd} add pass tcp from any to ${oip} 53 setup
-	${fwcmd} add pass udp from any to ${oip} 53
-	${fwcmd} add pass udp from ${oip} 53 to any
+	${fwcmd} add pass tcp from any to me 53 setup
+	${fwcmd} add pass udp from any to me 53
+	${fwcmd} add pass udp from me 53 to any
 
 	# Allow access to our WWW
-	${fwcmd} add pass tcp from any to ${oip} 80 setup
+	${fwcmd} add pass tcp from any to me 80 setup
 
 	# Reject&Log all setup of incoming connections from the outside
 	${fwcmd} add deny log tcp from any to any in via ${oif} setup
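Review bot: the inbound service rules now read `pass tcp from any to me 25 setup` (likewise 53 and 80) instead of `to ${oip}`, so they also match those ports on the inside address. With the ruleset as shown the net effect is unchanged, because `deny log tcp from any to any in via ${oif} setup` still blocks everything else arriving from outside and inside-originated setup is accepted further down, but the "Allow access to our DNS/WWW" comments should say the services are reachable on every local address, not only the outside one.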
@@ -279,10 +284,10 @@
 	${fwcmd} add pass tcp from any to any setup
 
 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from ${oip} to any 53 keep-state
+	${fwcmd} add pass udp from me to any 53 keep-state
 
 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from ${oip} to any 123 keep-state
+	${fwcmd} add pass udp from me to any 123 keep-state
 
 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel

--- src/etc/defaults/rc.conf.0	Tue Apr  6 20:06:34 2004
+++ src/etc/defaults/rc.conf	Tue Apr  6 20:10:14 2004
@@ -69,6 +69,14 @@
 firewall_quiet="NO"		# Set to YES to suppress rule display
 firewall_logging="NO"		# Set to YES to enable events logging
 firewall_flags=""		# Flags passed to ipfw when type is a file
+firewall_client_net="10.0.0.0"	# Network base for "client" firewall type.
+firewall_client_mask="255.0.0.0"	# Network mask for "client" firewall type.
+firewall_simple_inet="10.0.0.0"	# Internal network base for "simple" firewall type.
+firewall_simple_imask="255.0.0.0"	# Internal network mask for "simple" firewall type.
+firewall_simple_iif="rl0"	# Internal network interface for "simple" firewall type.
+firewall_simple_onet="192.0.2.0"	# Internal network base for "simple" firewall type.
+firewall_simple_omask="255.255.255.0"	# Internal network mask for "simple" firewall type.
+firewall_simple_oif="xl0"	# Internal network interface for "simple" firewall type.
 ip_portrange_first="NO"		# Set first dynamically allocated port
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)
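Review bot: the comments on firewall_simple_onet, firewall_simple_omask and firewall_simple_oif say "Internal network ..." but these are the outside-interface values (rc.firewall's own comment calls them "your outside interface network and netmask"); change them to "External network base/mask/interface for "simple" firewall type". Also, the values shipped here (10.0.0.0/255.0.0.0 for client and simple-internal, 192.0.2.0/255.255.255.0 for simple-external, rl0/xl0) differ from the `test -z` fallbacks kept in rc.firewall (192.0.2.x with /24 and /28 masks, ed0/ed1), so one set should go; keeping both documents the effective defaults in one place and leaves a dead path in the other.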
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Thu Feb 14 06:34:45 UTC 2008 
State-Changed-Why:  
Volker Werth notes that the patch may need to be brought up to date. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65258 
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Feb 14 06:53:11 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

Volker Werth notes that this may indeed still be a good idea, even though 
the patch may be out of date.  Assign this to the mailing list to see if 
we can stimulate discussion on this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65258 
State-Changed-From-To: feedback->suspended 
State-Changed-By: vwe 
State-Changed-When: Thu May 8 22:47:47 UTC 2008 
State-Changed-Why:  

Mark suspended until someone takes care - patch needs to be updated 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65258 

From: John Baldwin <jhb@FreeBSD.org>
To: bug-followup@FreeBSD.org, netch@netch.kiev.ua
Cc: net@FreeBSD.org
Subject: Re: bin/65258: [patch] [request] save /etc/rc.firewall from changing for standard firewall types
Date: Mon, 28 Jul 2008 16:25:57 -0400

 An updated patch is available at 
 http://www.FreeBSD.org/~jhb/patches/firewall_rc_conf.patch.  I'm not sure 
 that we need to have the default values in /etc/rc.firewall anymore though 
 with this patch.  I think I'd rather make the script error out if any of the 
 required values aren't supplied.  Also, I updated the description of the 
 other firewall toggles that are only for the "workstation" type to indicate 
 as such in their comments.
 
 -- 
 John Baldwin
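An added example, not part of this PR or of FreeBSD's rc.firewall, showing the "error out if a required value isn't supplied" behaviour proposed above in the same sh style the script uses. The rc.conf variable names are the ones from the submitted defaults/rc.conf hunk; the helper names `require_var` and `firewall_client_rules` are assumed, and `fwcmd` is set to `echo ipfw` so the rules are printed for inspection rather than loaded into a live ipfw(8).

```shell
#!/bin/sh
# Added example (hypothetical helpers, not FreeBSD's rc.firewall): resolve the
# "client" firewall parameters from rc.conf-style variables and fail loudly
# when one is missing, instead of falling back to a built-in default.

# rc.firewall normally sets fwcmd to /sbin/ipfw; "echo ipfw" here prints the
# rules so the function can be checked without touching the running ruleset.
fwcmd="${fwcmd:-echo ipfw}"

# require_var NAME: return 1 with a message on stderr if $NAME is empty or
# unset. This is the "error out" behaviour proposed in the follow-up above.
require_var() {
	_name="$1"
	eval "_val=\${${_name}}"
	if [ -z "$_val" ]; then
		echo "rc.firewall: required variable ${_name} is not set in rc.conf" >&2
		return 1
	fi
	return 0
}

# firewall_client_rules: emit the address-dependent part of the "client"
# ruleset. 'me' matches every address configured on this host, so no local
# IP has to be edited into the file; only the trusted net comes from rc.conf.
firewall_client_rules() {
	require_var firewall_client_net || return 1
	require_var firewall_client_mask || return 1
	net="$firewall_client_net"
	mask="$firewall_client_mask"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from me to "${net}:${mask}"
	${fwcmd} add pass all from "${net}:${mask}" to me
	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup
	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from me to any setup
	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup
}

# Usage (values constructed for illustration, matching this PR's rc.conf defaults):
#   firewall_client_net=10.0.0.0; firewall_client_mask=255.0.0.0; firewall_client_rules
```

Because the check happens before any rule is emitted, a misconfigured rc.conf stops the script at the first missing variable instead of loading a ruleset with an empty address in it.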

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/65258: commit references a PR
Date: Fri, 15 Aug 2008 18:58:33 +0000 (UTC)

 jhb         2008-08-15 18:58:15 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc                  rc.firewall 
   Log:
   SVN rev 181760 on 2008-08-15 18:58:15Z by jhb
   
   Use 'me' rather than explicit IP addresses for the "simple" and "client"
   firewall configurations.
   
   PR:             bin/65258
   Silence on:     net@
   MFC after:      1 week
   
   Revision  Changes    Path
   1.58      +9 -12     src/etc/rc.firewall
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: suspended->patched 
State-Changed-By: jhb 
State-Changed-When: Fri Aug 15 19:23:20 UTC 2008 
State-Changed-Why:  
Barring any uproar after my commits today, I will merge this to 6.x and 
7.x after a couple of weeks. 


Responsible-Changed-From-To: freebsd-rc->jhb 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Fri Aug 15 19:23:20 UTC 2008 
Responsible-Changed-Why:  
Barring any uproar after my commits today, I will merge this to 6.x and 
7.x after a couple of weeks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65258 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/65258: commit references a PR
Date: Fri, 15 Aug 2008 19:32:56 +0000 (UTC)

 jhb         2008-08-15 19:20:59 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc                  rc.firewall 
     etc/defaults         rc.conf 
   Log:
   SVN rev 181762 on 2008-08-15 19:20:59Z by jhb
   
   Allow the network addresses and interface names for the "client" and
   "workstation" firewall types to be set from rc.conf so that rc.firewall
   no longer needs local patching to be usable for those types.  For now
   I've set the variables in /etc/defaults/rc.conf to the previous defaults
   in /etc/rc.firewall.
   
   PR:             bin/65258
   Submitted by:   Valentin Nechayev  netch of netch.kiev.ua
   Silence from:   net
   MFC after:      2 weeks
   
   Revision  Changes    Path
   1.341     +9 -0      src/etc/defaults/rc.conf
   1.60      +15 -6     src/etc/rc.firewall
 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Thu Sep 11 19:27:26 UTC 2008 
State-Changed-Why:  
This is now merged to 6.x and 7.x. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65258 
>Unformatted:
