rc.firewall (64028) | rc.firewall (64244) |
---|---|
1############ 2# Setup system for firewall service. | 1############ 2# Setup system for firewall service. |
3# $FreeBSD: head/etc/rc.firewall 64028 2000-07-30 19:28:05Z obrien $ | 3# $FreeBSD: head/etc/rc.firewall 64244 2000-08-04 14:02:11Z ru $ |
4 5# Suck in the configuration variables. 6if [ -r /etc/defaults/rc.conf ]; then 7 . /etc/defaults/rc.conf 8 source_rc_confs 9elif [ -r /etc/rc.conf ]; then 10 . /etc/rc.conf 11fi --- 50 unchanged lines hidden (view full) --- 62esac 63 64############ 65# Flush out the list before we begin. 66# 67${fwcmd} -f flush 68 69############ | 4 5# Suck in the configuration variables. 6if [ -r /etc/defaults/rc.conf ]; then 7 . /etc/defaults/rc.conf 8 source_rc_confs 9elif [ -r /etc/rc.conf ]; then 10 . /etc/rc.conf 11fi --- 50 unchanged lines hidden (view full) --- 62esac 63 64############ 65# Flush out the list before we begin. 66# 67${fwcmd} -f flush 68 69############ |
70# These rules are required for using natd. All packets are passed to 71# natd before they encounter your remaining rules. The firewall rules 72# will then be run again on each packet after translation by natd, 73# minus any divert rules (see natd(8)). | 70# Network Address Translation. All packets are passed to natd(8) 71# before they encounter your remaining rules. The firewall rules 72# will then be run again on each packet after translation by natd 73# starting at the rule number following the divert rule. |
74# | 74# |
75case ${natd_enable} in 76[Yy][Ee][Ss]) 77 if [ -n "${natd_interface}" ]; then 78 ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} 79 fi | 75# For ``simple'' firewall type the divert rule should be put to a 76# different place to not interfere with address-checking rules. 77# 78case ${firewall_type} in 79[Ss][Ii][Mm][Pp][Ll][Ee]) |
80 ;; | 80 ;; |
81*) 82 case ${natd_enable} in 83 [Yy][Ee][Ss]) 84 if [ -n "${natd_interface}" ]; then 85 ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} 86 fi 87 ;; 88 esac |
|
81esac 82 83############ 84# If you just configured ipfw in the kernel as a tool to solve network 85# problems or you just want to disallow some particular kinds of traffic 86# then you will want to change the default policy to open. You can also 87# do this as your only action by setting the firewall_type to ``open''. 88# --- 77 unchanged lines hidden (view full) --- 166 imask="255.255.255.240" 167 iip="192.0.2.17" 168 169 # Stop spoofing 170 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} 171 ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} 172 173 # Stop RFC1918 nets on the outside interface | 89esac 90 91############ 92# If you just configured ipfw in the kernel as a tool to solve network 93# problems or you just want to disallow some particular kinds of traffic 94# then you will want to change the default policy to open. You can also 95# do this as your only action by setting the firewall_type to ``open''. 96# --- 77 unchanged lines hidden (view full) --- 174 imask="255.255.255.240" 175 iip="192.0.2.17" 176 177 # Stop spoofing 178 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} 179 ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} 180 181 # Stop RFC1918 nets on the outside interface |
174 ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} | |
175 ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} | 182 ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} |
176 ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} | |
177 ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} | 183 ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} |
178 ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} | |
179 ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} 180 181 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, 182 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) 183 # on the outside interface | 184 ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} 185 186 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, 187 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) 188 # on the outside interface |
184 ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} | |
185 ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} | 189 ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} |
186 ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} | |
187 ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} | 190 ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} |
188 ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} | |
189 ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} | 191 ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} |
190 ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} | |
191 ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} | 192 ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} |
192 ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} | |
193 ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} 194 | 193 ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} 194 |
195 # Network Address Translation. This rule is placed here deliberately 196 # so that it does not interfere with the surrounding address-checking 197 # rules. If for example one of your internal LAN machines had its IP 198 # address set to 192.0.2.1 then an incoming packet for it after being 199 # translated by natd(8) would match the `deny' rule above. Similarly 200 # an outgoing packet originated from it before being translated would 201 # match the `deny' rule below. 202 case ${natd_enable} in 203 [Yy][Ee][Ss]) 204 if [ -n "${natd_interface}" ]; then 205 ${fwcmd} add divert natd all from any to any via ${natd_interface} 206 fi 207 ;; 208 esac 209 210 # Stop RFC1918 nets on the outside interface 211 ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} 212 ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} 213 ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} 214 215 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, 216 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) 217 # on the outside interface 218 ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} 219 ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} 220 ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} 221 ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} 222 ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} 223 |
|
195 # Allow TCP through if setup succeeded 196 ${fwcmd} add pass tcp from any to any established 197 198 # Allow IP fragments to pass through 199 ${fwcmd} add pass all from any to any frag 200 201 # Allow setup of incoming email 202 ${fwcmd} add pass tcp from any to ${oip} 25 setup --- 36 unchanged lines hidden --- | 224 # Allow TCP through if setup succeeded 225 ${fwcmd} add pass tcp from any to any established 226 227 # Allow IP fragments to pass through 228 ${fwcmd} add pass all from any to any frag 229 230 # Allow setup of incoming email 231 ${fwcmd} add pass tcp from any to ${oip} 25 setup --- 36 unchanged lines hidden --- |
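Review bot: The relocated divert rule in the ``simple'' branch (new lines 202–208) is keyed on `via ${natd_interface}`, while the address-checking rules it is deliberately placed between are keyed on `via ${oif}`; the ordering argument in the new comment (translated packets escaping the `deny ... to 192.0.2.0/24` and `deny ... from 192.0.2.0/24` rules) only holds when those two variables name the same interface. Since the file cannot enforce that, the comment should state the assumption, e.g. `# This assumes natd_interface is the outside interface (${oif}); if natd` / `# runs on another interface these deny rules never see translated packets.` Note also that the ``simple'' divert takes an auto-assigned rule number, unlike the `add 50` used in the default branch, so its position depends entirely on the order of the `add` calls here; a comment saying so would help anyone who later inserts rules into this section. The enclosing `case ${firewall_type}` body continues past the end of the visible section.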