rc.firewall revision 25478
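############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of the contents.
#
# This file is plain POSIX sh (it is run by the rc scripts), so only
# portable constructs are used below -- no bash-only syntax.

# Set this to be the type of firewall you want: open, client, simple or NONE.
# ``open'' will allow anyone in, ``client'' will try to protect just one
# machine and ``simple'' will try to protect a whole network (entries should
# be customized appropriately below). To let no one in, use NONE.
# Any other value is treated as the path of a readable file of ipfw
# commands, which is handed to ipfw as its sole argument (last branch below).
#
# NOTE: the code below consults the variable ${firewall}; the older text
# further down still says ``firewall_type''.  They presumably name the same
# setting in the calling rc script -- confirm against /etc/rc.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

############
# Flush out the list before we begin.
# -f suppresses ipfw's "are you sure?" prompt, which would otherwise hang
# a non-interactive boot.
/sbin/ipfw -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall type to ``open''.

# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule.
# Loopback traffic is always passed; every prototype below relies on it.
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1


# Prototype setups.
if [ "${firewall}" = "open" ]; then

	# No filtering at all: rule 65000 passes everything that reached it.
	/sbin/ipfw add 65000 pass all from any to any

elif [ "${firewall}" = "client" ]; then

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	############

	# set these to your network and netmask and ip
	# (the values below are placeholders and MUST be changed before use)
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	# ("established" matches packets that are not the initial SYN of a
	# connection, so only the rules below decide who may *open* one).
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world
	# NOTE: the first rule trusts the remote *source* port alone -- any UDP
	# datagram whose sender picked source port 53 reaches every UDP port on
	# ${ip}.  Tighten it to the local ports/servers you actually run.
	/sbin/ipfw add pass udp from any 53 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	# Same source-port caveat as the DNS rule above.
	/sbin/ipfw add pass udp from any 123 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 123

	# Everything else is denied as default.
	# (Only true if the kernel's ipfw default policy is deny -- check how
	# the kernel was configured; otherwise add an explicit final deny rule.)

elif [ "${firewall}" = "simple" ]; then

	############
	# This is a prototype setup for a simple firewall. Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	# (placeholders -- MUST be changed; see the RFC1918 note below)
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing
	# (inside addresses arriving on the outside interface and vice versa)
	/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
	/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	# NOTE: "via" matches both directions, and the sample ${onet} above lies
	# inside 192.168.0.0:255.255.0.0, so with the placeholder values these
	# rules also deny the outside network itself.  Use your real, routable
	# outside addresses before enabling this prototype.
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	/sbin/ipfw add pass tcp from any to ${oip} 53 setup

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	# (must stay before the general "pass ... setup" rule that follows)
	/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	/sbin/ipfw add pass tcp from any to any setup

	# Allow DNS queries out in the world
	# NOTE: as in the client prototype, the first rule keys on the remote
	# source port only and admits any UDP from source port 53 to any port
	# on ${oip}.
	/sbin/ipfw add pass udp from any 53 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	# Same source-port caveat as the DNS rule above.
	/sbin/ipfw add pass udp from any 123 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 123

	# Everything else is denied as default.
	# (Again, this depends on the kernel's ipfw default policy being deny.)

elif [ "${firewall}" != "NONE" ] && [ -r "${firewall}" ]; then

	# Any other value names a readable file of ipfw commands, which ipfw
	# reads and applies.  Two separate tests replace the deprecated ``-a''
	# operator; the argument is quoted so a path containing spaces is passed
	# as a single word, matching what the -r test above checked.
	/sbin/ipfw "${firewall}"
fi
# With firewall=NONE (or an unreadable file) only the loopback rule is
# installed, so all other traffic falls through to the kernel default policy.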