Update the firewall example to be more secure and use dynamic

firewall rules.

PR:		docs/48366
Reviewed by:	marcs@draenor.org (maintainer)
Approved by:	ceri

en_US.ISO8859-1/articles/dialup-firewall/article.sgml

@@ -63,6 +63,17 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term><literal>options IPFW2</literal></term>
+
+	<listitem>
+	  <para>Enables the new version of IPFW.</para>
+	  <important><para>Only do this if you're running FreeBSD 4.X,
+	  this is the default in newer versions of
+	  FreeBSD.</para></important>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term><literal>options IPFIREWALL_VERBOSE</literal></term>
 
@@ -187,13 +198,7 @@ ppp_profile="<replaceable>profile</replaceable>"</programlisting>
     <para>Now, let's look at a sample firewall file, that is commented
       nicely.</para>
 
-    <programlisting># Firewall rules
-# Written by Marc Silver (marcs@draenor.org)
-# http://draenor.org/ipfw
-# Freely distributable
-
-
-# Define the firewall command (as in /etc/rc.firewall) for easy
+    <programlisting># Define the firewall command (as in /etc/rc.firewall) for easy
 # reference.  Helps to make it easier to read.
 fwcmd="/sbin/ipfw"
 
@@ -203,41 +208,35 @@ $fwcmd -f flush
 # Divert all packets through the tunnel interface.
 $fwcmd add divert natd all from any to any via tun0
 
-# Allow all data from my network card and localhost.  Make sure you
-# change your network card (mine was fxp0) before you reboot.  :)
-$fwcmd add allow ip from any to any via lo0
-$fwcmd add allow ip from any to any via fxp0
+# Allow all connections that have dynamic rules built for them,
+# but deny established connections that don't have a dynamic rule.
+# See ipfw(8) for details.
+$fwcmd add check-state
+$fwcmd add deny tcp from any to any established
 
-# Allow all connections that I initiate.
-$fwcmd add allow tcp from any to any out xmit tun0 setup
+# Allow all localhost connections
+$fwcmd add allow tcp from me to any out via lo0 setup keep-state
+$fwcmd add deny  tcp from me to any out via lo0
+$fwcmd add allow ip  from me to any out via lo0 keep-state
 
-# Once connections are made, allow them to stay open.
-$fwcmd add allow tcp from any to any via tun0 established
+# Allow all connections from my network card that I initiate
+$fwcmd add allow tcp from me to any out xmit any setup keep-state
+$fwcmd add deny  tcp from me to any
+$fwcmd add allow ip from me to any out xmit any keep-state
 
-# Everyone on the internet is allowed to connect to the following
+# Everyone on the Internet is allowed to connect to the following
 # services on the machine.  This example specifically allows connections
-# to ssh and apache.
-$fwcmd add allow tcp from any to any 80 setup
-$fwcmd add allow tcp from any to any 22 setup
+# to sshd and a webserver.
+$fwcmd add allow tcp from any to me dst-port 22,80 in recv any setup keep-state
 
 # This sends a RESET to all ident packets.
-$fwcmd add reset log tcp from any to any 113 in recv tun0
-
-# Allow outgoing DNS queries ONLY to the specified servers.
-$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0
-
-# Allow them back in with the answers...  :)
-$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0
-
-# Allow ICMP (for ping and traceroute to work).  You may wish to
-# disallow this, but I feel it suits my needs to keep them in.
-$fwcmd add allow icmp from any to any
+$fwcmd add reset log tcp from any to me 113 in recv any
 
 # Deny all the rest.
 $fwcmd add deny log ip from any to any</programlisting>
 
     <para>You now have a fully functional firewall that will allow on
-      connections to ports 80 and 22 and will log any other connection
+      connections to ports 22 and 80 and will log any other connection
       attempts. Now, you should be able to safely reboot and your firewall
       should come up fine. If you find this incorrect in anyway or experience
       any problems, or have any suggestions to improve this page, please