rc.firewall revision 16578
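############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.2 1996/04/12 09:16:42 phk Exp $

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# test of the contents.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#

############
# Flush out the list before we begin.
#
# ipfw evaluates rules in ascending number order.  The un-numbered rules
# added below are numbered as they are added, so their order in this file
# is their order of evaluation; a packet that matches none of them falls
# through to the kernel's default policy (deny, unless rule 65000 below
# is enabled).
/sbin/ipfw flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.
#
# Note that with this rule enabled the prototypes below no longer describe
# what is allowed, only what is explicitly denied; everything else passes.

# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
#
# Restricted to the loopback interface so that a packet arriving on a real
# interface with loopback addresses cannot match this rule ahead of the
# anti-spoofing rules in the prototypes below.
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 via lo0

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world
	#
	# ipfw keeps no connection state here, so the reply to a query can
	# only be recognised by its *source* port.  These rules (and the NTP
	# ones below) therefore admit any UDP datagram sourced from port 53
	# or 123 to every UDP port on ${ip}.  They are the weakest rules in
	# this set and are the price of a stateless filter; if you do not
	# need to query outside servers, leave them out.
	/sbin/ipfw add pass udp from any 53 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 123

	# Everything else is denied as default.
fi

############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
	# set these to your outside interface network and netmask and ip
	#
	# NOTE: the example values are placeholders only.  192.168.4.0 lies
	# inside 192.168.0.0/16, so with these values unchanged the RFC1918
	# rules further down would deny all traffic on the outside interface.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses never arrive from the outside and
	# vice versa, and nothing arriving from the outside may claim to be
	# this host's own outside address or a loopback address.
	/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
	/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
	/sbin/ipfw add deny all from ${oip} to any in via ${oif}
	/sbin/ipfw add deny all from 127.0.0.0:255.0.0.0 to any in via ${oif}

	# Stop RFC1918 nets on the outside interface
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	# (TCP only; a UDP query from outside reaches port 53 on ${oip} only
	# through the "from any 53" rule below, i.e. when sourced from port 53)
	/sbin/ipfw add pass tcp from any to ${oip} 53 setup

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	/sbin/ipfw add pass tcp from any to any setup

	# Let the inside machines use the DNS and NTP servers on this host.
	# These are the services the inside is pointed at (see above); without
	# these rules their UDP queries to ${iip} would fall through to the
	# default deny.
	/sbin/ipfw add pass udp from ${inet}:${imask} to ${iip} 53
	/sbin/ipfw add pass udp from ${iip} 53 to ${inet}:${imask}
	/sbin/ipfw add pass udp from ${inet}:${imask} to ${iip} 123
	/sbin/ipfw add pass udp from ${iip} 123 to ${inet}:${imask}

	# Allow DNS queries out in the world
	# (source-port match only; see the note in the first prototype)
	/sbin/ipfw add pass udp from any 53 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 123

	# Everything else is denied as default.
fi
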