rc.firewall revision 17594
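############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.3 1996/06/22 00:54:36 alex Exp $

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of the contents.

# Set this to be the type of firewall you want: open, client, simple or NONE.
# ``open'' will allow anyone in, ``client'' will try to protect just one
# machine and ``simple'' will try to protect a whole network (entries should
# be customized appropriately below).  To let no one in, use NONE.
#
# NONE (or any value other than the three above) adds no rules at all, so
# what "no one in" means is decided by the default ipfw policy the kernel
# was compiled with, not by this file.
#
# The assignment must have no whitespace around ``='': ``firewall_type= NONE''
# is parsed by sh as running a command called NONE with an empty firewall_type
# in its environment, which leaves the variable unset and silently falls
# through every branch below.

firewall_type="NONE"


############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#

############
# Flush out the list before we begin.
#
# Between this flush and the rules added below only the kernel's default
# policy applies to the host; do not put slow work in that gap.
/sbin/ipfw flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.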
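
# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1


# Prototype setups.  Only the exact strings open, client and simple select a
# setup; anything else (NONE, or an unset variable) adds nothing beyond rule
# 1000 and leaves the kernel's compiled-in default policy in charge.
if [ "${firewall_type}" = "open" ]; then

	/sbin/ipfw add 65000 pass all from any to any

elif [ "${firewall_type}" = "client" ]; then

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	#
	# ipfw as used here keeps no connection state, so be aware that:
	#  - the ``established'' rule passes any TCP segment with ACK set, from
	#    anywhere to any port; only the SYN of an inbound connection is
	#    actually blocked.
	#  - the DNS/NTP rules pass any UDP datagram whose *source* port is 53 or
	#    123 to any port on this host, because the port our own query went
	#    out from cannot be known in advance.
	#  - no ICMP to or from outside ${net} is passed, so path-MTU discovery
	#    and ping across the boundary do not work.
	############

	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Stop spoofing: rule 1000 is the only legitimate use of a loopback
	# address, so anything else carrying a 127/8 source or destination is
	# forged and must be dropped before the pass rules below can see it.
	# NOTE(review): a local program that binds ${ip} itself and then connects
	# to 127.0.0.1 is caught by the second rule too -- confirm none are in use.
	/sbin/ipfw add deny all from 127.0.0.0:255.0.0.0 to any
	/sbin/ipfw add deny all from any to 127.0.0.0:255.0.0.0

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from "${ip}" to "${net}:${mask}"
	/sbin/ipfw add pass all from "${net}:${mask}" to "${ip}"

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to "${ip}" 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from "${ip}" to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world
	/sbin/ipfw add pass udp from any 53 to "${ip}"
	/sbin/ipfw add pass udp from "${ip}" to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to "${ip}"
	/sbin/ipfw add pass udp from "${ip}" to any 123

	# Everything else is denied.  Say so explicitly instead of relying on the
	# default policy the kernel happens to have been built with.
	/sbin/ipfw add deny all from any to any

elif [ "${firewall_type}" = "simple" ]; then

	############
	# This is a prototype setup for a simple firewall.  Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	#
	# The same stateless caveats as in the client setup apply: ``established''
	# passes any ACK-bearing TCP segment from the outside to any host, the UDP
	# rules trust source port 53/123, and no ICMP is passed across ${oif}.
	############

	# set these to your outside interface network and netmask and ip
	#
	# The sample values below are themselves RFC1918 addresses.  Left as they
	# are, the "Stop RFC1918 nets" rules further down deny everything this
	# host sends out ${oif} (and anything arriving from 192.168/16), so the
	# SMTP/DNS/WWW rules can never be reached from the outside.  Replace them
	# with your real outside network.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses never arrive on the outside interface and
	# vice versa, and nothing but rule 1000 legitimately carries a loopback
	# address (NOTE(review): local programs that bind ${oip}/${iip} and then
	# talk to 127.0.0.1 are caught by the last rule too -- confirm none exist).
	/sbin/ipfw add deny all from "${inet}:${imask}" to any in via "${oif}"
	/sbin/ipfw add deny all from "${onet}:${omask}" to any in via "${iif}"
	/sbin/ipfw add deny all from 127.0.0.0:255.0.0.0 to any
	/sbin/ipfw add deny all from any to 127.0.0.0:255.0.0.0

	# Stop RFC1918 nets on the outside interface
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to "${oip}" 25 setup

	# Allow access to our DNS (TCP from anywhere, which also admits zone
	# transfer requests from anywhere; limit those in named if not wanted)
	/sbin/ipfw add pass tcp from any to "${oip}" 53 setup

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to "${oip}" 80 setup

	# Reject&Log all setup of incoming connections from the outside
	/sbin/ipfw add deny log tcp from any to any in via "${oif}" setup

	# Allow setup of any other TCP connection
	/sbin/ipfw add pass tcp from any to any setup

	# Allow DNS queries out in the world
	/sbin/ipfw add pass udp from any 53 to "${oip}"
	/sbin/ipfw add pass udp from "${oip}" to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to "${oip}"
	/sbin/ipfw add pass udp from "${oip}" to any 123

	# Allow the inside machines to use the DNS and NTP served on ${iip}.
	# Nothing else passes UDP on ${iif}, so without these the inside hosts
	# that were pointed at this machine (see above) never get an answer.
	/sbin/ipfw add pass udp from "${inet}:${imask}" to "${iip}" 53
	/sbin/ipfw add pass udp from "${iip}" 53 to "${inet}:${imask}"
	/sbin/ipfw add pass udp from "${inet}:${imask}" to "${iip}" 123
	/sbin/ipfw add pass udp from "${iip}" 123 to "${inet}:${imask}"

	# Everything else is denied.  Say so explicitly instead of relying on the
	# default policy the kernel happens to have been built with.
	/sbin/ipfw add deny all from any to any
fi
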