rc.firewall revision 29300
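############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
#
# NOTE: ``closed'' is not matched explicitly below.  It works because the
# rule list is flushed first and only rule 1000 (loopback) is added, so the
# kernel's default policy decides everything else.  Every "everything else
# is denied" comment in this file assumes that default policy is deny; on a
# kernel whose default is accept, only the explicit ``deny'' rules below
# have any effect.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#   Building Internet Firewalls
#   Brent Chapman and Elizabeth Zwicky
#
#   O'Reilly & Associates, Inc
#   ISBN 1-56592-124-0
#   http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#   Firewalls & Internet Security
#   Repelling the wily hacker
#   William R. Cheswick, Steven M. Bellovin
#
#   Addison-Wesley
#   ISBN 0-201-6337-4
#   http://www.awl.com/
#

# A type given on the command line (``sh /etc/rc.firewall client'')
# overrides the one from /etc/rc.conf.
if [ "x$1" != "x" ]; then
    firewall_type="$1"
fi

############
# Set quiet mode if requested.
# ${fwcmd} is intentionally used unquoted below so that the optional
# "-q" is passed to ipfw as a separate argument.
if [ "x${firewall_quiet}" = "xYES" ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
# CAUTION: with a default-deny kernel policy this cuts off all traffic
# until the pass rules below have been loaded, so running this file over a
# remote login can drop that session.
$fwcmd -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1


# Prototype setups.
case "${firewall_type}" in
open)

    $fwcmd add 65000 pass all from any to any
    ;;

client)

    ############
    # This is a prototype setup that will protect your system somewhat
    # against people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    $fwcmd add pass all from "${ip}" to "${net}:${mask}"
    $fwcmd add pass all from "${net}:${mask}" to "${ip}"

    # Allow TCP through if setup succeeded.
    # NOTE: ``established'' is a stateless test on the TCP flags (ACK or
    # RST set).  Any segment carrying those flags matches whether or not a
    # connection exists, so ACK-flag probes pass this rule set.
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to "${ip}" 25 setup

    # Allow setup of outgoing TCP connections only
    $fwcmd add pass tcp from "${ip}" to any setup

    # Disallow setup of all other TCP connections
    $fwcmd add deny tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: the inbound rule is keyed on the *source* port only, so any
    # UDP datagram sent from port 53 reaches every UDP port on this host,
    # not just the one the query went out from.  Nothing here tracks
    # outstanding queries; tightening this means naming the local ports
    # that may receive such replies.  The same applies to NTP below.
    $fwcmd add pass udp from any 53 to "${ip}"
    $fwcmd add pass udp from "${ip}" to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to "${ip}"
    $fwcmd add pass udp from "${ip}" to any 123

    # Everything else is denied as default (see the note on the kernel's
    # default policy at the top of this file).
    ;;

simple)

    ############
    # This is a prototype setup for a simple firewall. Configure this
    # machine as a named server and ntp server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.168.4.0"
    omask="255.255.255.0"
    oip="192.168.4.17"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.3.0"
    imask="255.255.255.0"
    iip="192.168.3.17"

    # Stop spoofing: inside addresses must not arrive on the outside
    # interface, and outside addresses must not arrive on the inside one.
    $fwcmd add deny all from "${inet}:${imask}" to any in via "${oif}"
    $fwcmd add deny all from "${onet}:${omask}" to any in via "${iif}"

    # Stop RFC1918 nets on the outside interface.
    # NOTE: ``via'' matches both directions, so this also blocks traffic
    # *to* private nets through ${oif}.  With the example values above the
    # outside network itself (192.168.4.0/24) falls inside 192.168.0.0/16
    # and would be cut off by the first rule; adjust or drop the matching
    # rule if your outside network is itself RFC1918 space.
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

    # Allow TCP through if setup succeeded.
    # NOTE: stateless flag test (ACK or RST); ACK-flag probes match too.
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to "${oip}" 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to "${oip}" 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to "${oip}" 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via "${oif}" setup

    # Allow setup of any other TCP connection (i.e. from the inside out)
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: as in ``client'', the inbound rule is keyed on source port 53
    # only and admits such datagrams to every UDP port on ${oip}.
    $fwcmd add pass udp from any 53 to "${oip}"
    $fwcmd add pass udp from "${oip}" to any 53

    # Allow NTP queries out in the world (same source-port caveat)
    $fwcmd add pass udp from any 123 to "${oip}"
    $fwcmd add pass udp from "${oip}" to any 123

    # Everything else is denied as default (see the note on the kernel's
    # default policy at the top of this file).
    ;;

*)
    # Anything else is taken to be the full path of a file of ipfw rules
    # and handed to ipfw.  ``NONE'' (and an unset type) loads nothing.
    # The file itself is the type variable: the original passed an unset
    # ${firewall} here, which ran ipfw with no arguments.
    if [ "${firewall_type}" != "NONE" ] && [ -r "${firewall_type}" ]; then
        $fwcmd "${firewall_type}"
    fi
    ;;
esac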