From root@mail.drkshdw.org  Sat Jun 16 07:13:55 2001
Return-Path: <root@mail.drkshdw.org>
Received: from mail.drkshdw.org (user4.net011.fl.sprint-hsd.net [207.30.203.4])
	by hub.freebsd.org (Postfix) with ESMTP id E0A9B37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 16 Jun 2001 07:13:54 -0700 (PDT)
	(envelope-from root@mail.drkshdw.org)
Received: (qmail 2024 invoked by uid 0); 16 Jun 2001 14:13:52 -0000
Message-Id: <20010616141352.2023.qmail@mail.drkshdw.org>
Date: 16 Jun 2001 14:13:52 -0000
From: scorpio@drkshdw.org
Reply-To: scorpio@drkshdw.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: UPDATE to etc/rc.firewall
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28200
>Category:       conf
>Synopsis:       UPDATE to etc/rc.firewall
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 16 07:20:02 PDT 2001
>Closed-Date:    Sat Jun 16 11:20:14 PDT 2001
>Last-Modified:  Sat Jun 16 11:21:39 PDT 2001
>Originator:     Jeff Palmer
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD jeff.isni.net 4.3-STABLE FreeBSD 4.3-STABLE #4: Wed May 16 12:55:48 EDT 2001
     root@jeff.isni.net:/usr/obj/usr/src/sys/FreeBSD  i386

>Description:
In the "simple" configuration, we have the RFC 1918 and draft-dodging rules
in twice.

        

>How-To-Repeat:
        
>Fix:

        
Index: rc.firewall
===================================================================
RCS file: /home/ncvs/src/etc/rc.firewall,v
retrieving revision 1.30.2.12
diff -u -r1.30.2.12 rc.firewall
--- rc.firewall	2001/03/06 01:58:02	1.30.2.12
+++ rc.firewall	2001/06/16 14:11:20
@@ -233,20 +233,6 @@
 		;;
 	esac
 
-	# Stop RFC1918 nets on the outside interface
-	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
-	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
-	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
-
-	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
-	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
-	# on the outside interface
-	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
-	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
-	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
-	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
-	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
-
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
 
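Review bot: the deletion is wrong as submitted: the rules removed here are not a stray second paste of the block earlier in the file, because they sit after the natd `case ... esac`, i.e. on the far side of the `divert natd` rule, and check the source address (`deny all from 10.0.0.0/8 to any via ${oif}`) of the packet as it looks after translation. A packet handed to natd re-enters ipfw at the rule following the divert, so with this block gone a post-translation packet with an RFC 1918 or draft-manning source would fall straight through to the next rule, `add pass tcp from any to any established`, and be accepted if it carries ACK. Keep both sets; since the repetition reads as a copy-paste error at first glance, a one-line comment above this block saying that it deliberately mirrors the pre-NAT checks on the other side of the divert would stop the next reader from filing the same PR.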
>Release-Note:
>Audit-Trail:

From: Jeff Palmer <scorpio@drkshdw.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/28200
Date: Sat, 16 Jun 2001 12:03:07 -0600

 Guess I need to cancel this PR.
 
 At first look, I thought they were the same rules accidentally pasted twice.
 
 Upon closer inspection, it appears to be correct,
 protecting both sides of the divert fence.
 
 
 Sorry for the waste of time.
 
 
 Jeff Palmer
 scorpio@drkshdw.org
 
State-Changed-From-To: open->closed 
State-Changed-By: roam 
State-Changed-When: Sat Jun 16 11:20:14 PDT 2001 
State-Changed-Why:  
Closed at submitter's request - the rules are indeed needed. 
(Although I must admit a quick look at /etc/rc.firewall just 
after reading the original PR left me convinced that the second 
set of rules were indeed a duplicate of the first, and wondering 
why, then, hadn't I noticed the duplicity on my machines :) 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28200 
>Unformatted:
