@@ -859,22 +859,15 @@ $IPFW add 5310 set 5 $unreach_host_prohib $logall tcp from any to any $tcp_ports # ############################################################################## -for (( index=0; index < intf_count; index++ )); do - netw=${networks[$index]} - intf=${interfaces[$index]} - - # Allow DHCP packets in and out, including broadcast. Since we don't have - # an address yet, we can't use "me" as a target here. - $IPFW add 6000 set 6 allow $logall udp \ - from any 67-68 to any 67-68 out via $intf keep-state - - # Allow certain types of ICMP packets on known interfaces, which might be - # necessary for proper operation - $IPFW add 6100 set 6 allow $logall icmp from me to $netw \ - icmptypes 0,3,4,11,12,13,14 out via $intf keep-state - $IPFW add 6110 set 6 allow $logall icmp from $netw to me \ - icmptypes 0,3,4,11,12,13,14 in via $intf keep-state -done +# Allow DHCP packets in and out, including broadcast. Since we don't have +# an address yet, we can't use "me" as a target here. +$IPFW add 6000 set 6 allow $logall udp \ + from any 67-68 to any 67-68 keep-state + +# Allow certain types of ICMP packets on known interfaces, which might be +# necessary for proper operation +$IPFW add 6100 set 6 allow $logall icmp from any to any \ + icmptypes 0,3,4,11,12,13,14 keep-state ############################################################################## # rc.firewall 57b08f6d01671336dca7474ca4f38e84fab583cd John Wiegley johnw@newartisans.com http://github.com/jwiegley/jw.firewall/commit/2f270493526a324b168ac32999fa3a2bbd13cf7f 2f270493526a324b168ac32999fa3a2bbd13cf7f 2009-03-23T18:33:20-07:00 2009-03-23T18:33:20-07:00 Simplified filtering of DHCP packets 384a4c701797b0fe5b02f51923801800a5e07233 John Wiegley johnw@newartisans.com