MFen: 1.34 doc/en_US.ISO8859-1/articles/dialup-firewall/article.sgml

svn path=/head/; revision=32780

el_GR.ISO8859-7/articles/dialup-firewall/article.sgml

@@ -3,7 +3,7 @@
   The FreeBSD Greek Documentation Project
 
   %SOURCE%	en_US.ISO8859-1/articles/dialup-firewall/article.sgml
-  %SRCID%	1.33
+  %SRCID%	1.34
 
 -->
 
@@ -84,7 +84,8 @@
 	    ôüôå èá ðñÝðåé íá åíåñãïðïéÞóåôå ôçí åðéëïãÞ
 	    <emphasis>IPFW2</emphasis> êáé íá äéáâÜóåôå ôç óåëßäá âïÞèåéáò
 	    &man.ipfw.8; ãéá ðåñéóóüôåñåò ðëçñïöïñßåò ó÷åôéêÜ ìå ôçí åðéëïãÞ
-	    IPFW2.</para>
+	    IPFW2.  ÐñïóÝîôå éäéáßôåñá ôï
+	    ôìÞìá <emphasis>USING IPFW2 IN FreeBSD-STABLE</emphasis>.</para>
 	  </note>
         </listitem>
       </varlistentry>
@@ -212,18 +213,36 @@ fwcmd="/sbin/ipfw"
 # defaults to tun0.
 oif="tun0"
 
+# Define our inside interface.  This is usually your network
+# card.  Be sure to change this to match your own network 
+# interface.
+iif="fxp0"
+
 # Force a flushing of the current rules before we reload.
 $fwcmd -f flush
 
 # Divert all packets through the tunnel interface.
 $fwcmd add divert natd all from any to any via tun0
 
+# Check the state of all packets.
+$fwcmd add check-state
+
+# Stop spoofing on the outside interface.
+$fwcmd add deny ip from any to any in via $oif not verrevpath
+
 # Allow all connections that we initiate, and keep their state,
 # but deny established connections that don't have a dynamic rule.
-$fwcmd add check-state
 $fwcmd add allow ip from me to any out via $oif keep-state
 $fwcmd add deny tcp from any to any established in via $oif
 
+# Allow all connections within our network.
+$fwcmd add allow ip from any to any via $iif
+
+# Allow all local traffic.
+$fwcmd add allow all from any to any via lo0
+$fwcmd add deny all from any to 127.0.0.0/8
+$fwcmd add deny ip from 127.0.0.0/8 to any
+
 # Allow internet users to connect to the port 22 and 80.
 # This example specifically allows connections to the sshd and a
 # webserver.