From 29d94e46206a222cec93acf00e8450b5635d5887 Mon Sep 17 00:00:00 2001
From: Josef El-Rayes <josef@FreeBSD.org>
Date: Sun, 25 Jan 2004 21:53:44 +0000
Subject: [PATCH] Add some additional sample rules and add a note for 4.X
 users. Approved by:    simon(mentor) PR:             docs/61873 Submitted by:
   Marc Silver <marcs@draenor.org>

---
 .../articles/dialup-firewall/article.sgml     | 26 ++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
index 5caefcce52..3e1e488ef2 100644
--- a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
+++ b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
@@ -79,7 +79,9 @@
 	    recompile their kernels with <emphasis>IPFW2</emphasis>
 	    support.  &os; 4.X users should consult the &man.ipfw.8;
 	    manual page for more information on using IPFW2 on their
-	    systems.</para></note>
+	    systems, and should pay particular attention to the
+	    <emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis> 
+	    section.</para></note>
 	</listitem>
       </varlistentry>
 
@@ -183,15 +185,33 @@ fwcmd="/sbin/ipfw"
 # defaults to tun0.
 oif="tun0"
 
+# Define our inside interface.  This is usually your network
+# card.  Be sure to change this to match your own network 
+# interface.
+iif="fxp0"
+
 # Force a flushing of the current rules before we reload.
 $fwcmd -f flush
 
-# Allow all connections that we initiate, and keep their state,
-# but deny established connections that don't have a dynamic rule.
+# Check the state of all packets.
 $fwcmd add check-state
+
+# Stop spoofing on the outside interface.
+$fwcmd add deny ip from any to any in via $oif not verrevpath
+
+# Allow all connections that we initiate, and keep their state.
+# but deny established connections that don't have a dynamic rule.
 $fwcmd add allow ip from me to any out via $oif keep-state
 $fwcmd add deny tcp from any to any established in via $oif
 
+# Allow all connections within our network.
+$fwcmd add allow ip from any to any via $iif
+
+# Allow all local traffic.
+$fwcmd add allow all from any to any via lo0
+$fwcmd add deny all from any to 127.0.0.0/8
+$fwcmd add deny ip from 127.0.0.0/8 to any
+
 # Allow internet users to connect to the port 22 and 80.
 # This example specifically allows connections to the sshd and a
 # webserver.
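Review bot: The loopback deny rules at lines 57–58 (`deny all from any to 127.0.0.0/8`, `deny ip from 127.0.0.0/8 to any`) are placed after the unconditional `$fwcmd add allow ip from any to any via $iif` at line 53, so a packet arriving on the inside interface with a 127/8 source or destination matches the allow first and the denies are never reached; the `verrevpath` rule at line 45 does not cover this either, since it is bound to `$oif` only. Moving the "Allow all local traffic." block (lines 55–58) up so it sits directly after `$fwcmd add check-state` and before the `$iif` allow keeps the same intent with the denies actually effective. Since the article's first hunk tells 4.X users to build IPFW2, it would also help to mark the anti-spoofing rule with a comment such as `# NOTE: verrevpath requires IPFW2 (see the note above for 4.X users).` — confirm that this option is indeed unavailable in the original ipfw before committing to that wording. Minor: the rewritten comment at line 47 now ends with a period ("keep their state.") while line 48 continues with "but deny …"; the original comma reads correctly.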