rc.firewall revision 15210
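############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.1 1996/04/03 17:13:58 phk Exp $

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of its contents.  Read every rule before enabling a section;
# a mistake here either locks you out or leaves the machine wide open.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.
#
# Rule 65000 matches everything not already handled by a lower-numbered
# rule, so uncommenting it turns the firewall into "allow by default".
# It is meant for the case where you enable neither of the filtering
# sections below; do not combine it with them and expect a closed policy.

#	/sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule.
#
# NOTE: this rule is keyed on addresses only, not on an interface, so it
# would also match a forged packet claiming 127.0.0.1 as both source and
# destination that arrives on a real network interface.  If your kernel
# does not already discard such packets, consider adding "via lo0" to
# bind the rule to the loopback interface.
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.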
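#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters.
#
# The rules below are stateless: ipfw matches each packet on its own,
# so "established" and the UDP reply rules cannot verify that a packet
# really belongs to a conversation this host started.

if false ; then
	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

	# Pass TCP packets that are not connection setups.
	# NOTE: "established" only looks at the TCP flags of the packet in
	# hand (ACK or RST set); it does not check that a matching setup
	# was ever allowed.  Anything sent with those flags set will pass
	# this rule, so the real protection here is the setup filtering below.
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world.
	# NOTE: the reply rule accepts any UDP datagram whose source port is
	# 53, to any port on this host, not only answers to our own queries.
	# A sender who chooses source port 53 reaches every UDP service here.
	/sbin/ipfw add pass udp from any 53 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world.
	# Same caveat as for DNS: any UDP from source port 123 is let in.
	/sbin/ipfw add pass udp from any 123 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 123

	# Everything else is denied as default.  This relies on the kernel's
	# default policy being deny (i.e. rule 65000 above left commented out).
	# Note that no ICMP is passed at all, so this host will not see
	# ICMP errors (unreachables, etc.) for its own connections.
fi

############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.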
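#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters.
#
# The example addresses below are placeholders.  With these exact values
# the RFC1918 rule on the outside interface would also drop this host's
# own outside traffic, because 192.168.4.0/24 lies inside 192.168.0.0/16.
# Use your real, routable outside network here.

if false ; then
	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface, and outside addresses must not arrive on the inside one.
	/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
	/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface (both directions, since
	# "via" without "in"/"out" matches either way).
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

	# Pass TCP packets that are not connection setups.
	# NOTE: "established" is a stateless check on the TCP flags (ACK or
	# RST set); it does not verify that a setup was ever permitted.
	# Anything carrying those flags passes, so the setup rules below are
	# what actually controls who may open connections.
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS (TCP; UDP is handled further down)
	/sbin/ipfw add pass tcp from any to ${oip} 53 setup

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to ${oip} 80 setup

	# Deny and log all other setup of incoming connections from the outside.
	# ("log" only produces output when the kernel's firewall logging is
	# enabled.)
	/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection (from the inside, and from
	# this host itself, to anywhere)
	/sbin/ipfw add pass tcp from any to any setup

	# Let the inside machines use the DNS and NTP servers on this box.
	# Without these rules inside clients, which query from ephemeral
	# ports, would have their UDP requests to ${iip} dropped by the
	# default policy and only TCP queries would work.
	/sbin/ipfw add pass udp from ${inet}:${imask} to ${iip} 53
	/sbin/ipfw add pass udp from ${iip} 53 to ${inet}:${imask}
	/sbin/ipfw add pass udp from ${inet}:${imask} to ${iip} 123
	/sbin/ipfw add pass udp from ${iip} 123 to ${inet}:${imask}

	# Allow DNS queries out in the world.
	# NOTE: the first rule accepts any UDP datagram with source port 53
	# to any port on ${oip}, not just answers to queries we sent.
	/sbin/ipfw add pass udp from any 53 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world.
	# Same caveat as for DNS: any UDP from source port 123 is let in.
	/sbin/ipfw add pass udp from any 123 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 123

	# Everything else is denied as default.  This relies on the kernel's
	# default policy being deny (rule 65000 above left commented out).
	# In particular no UDP or ICMP is forwarded between the two
	# interfaces; inside machines get DNS and NTP only via this host.
fi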