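############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.17 1998/04/15 16:41:14 phk Exp $
#
# Plain /bin/sh: no bashisms, no ``set -e'' and no ``exit'', so one
# failing ipfw command does not stop the remaining rules from being
# loaded and does not kill a shell that sources this file.

# Read firewall_type, firewall_quiet, natd_enable and natd_interface.
if [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

############
# A command-line argument overrides firewall_type from /etc/rc.conf,
# e.g. ``sh /etc/rc.firewall open''. Because ``filename'' is a valid
# value, whoever invokes this script also chooses which rules file
# ipfw reads; only trusted, root-owned paths belong there.
if [ -n "$1" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested.
# fwcmd is deliberately expanded unquoted wherever it is used so that
# the optional -q flag becomes its own argument; it must only ever
# hold /sbin/ipfw plus flags, never user-supplied text.
if [ "$firewall_quiet" = "YES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin. If even the flush fails, ipfw is
# most likely unavailable (not in the kernel or not loaded) and the
# rules that follow will fail the same way; report it once rather than
# proceeding silently on the kernel's default policy.
$fwcmd -f flush || echo "rc.firewall: ipfw flush failed; firewall rules are unlikely to load" >&2

############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).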
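if [ "${natd_enable}" = "YES" ] && [ -n "${natd_interface}" ]; then
	# Interface name comes from rc.conf; quoted so a stray space or
	# glob character cannot turn into extra ipfw arguments.
	$fwcmd add divert natd all from any to any via "${natd_interface}"
fi

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules. Rule 1000
# passes loopback traffic first; rule 1010 then drops anything still
# claiming a 127/8 address, i.e. loopback addresses seen on a real
# interface. ($fwcmd is intentionally unquoted: it may carry ``-q''.)
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8


# Prototype setups.
if [ "${firewall_type}" = "open" ] || [ "${firewall_type}" = "OPEN" ]; then

	$fwcmd add 65000 pass all from any to any

elif [ "${firewall_type}" = "closed" ] || [ "${firewall_type}" = "CLOSED" ]; then

	# Documented in the header as "totally disables IP services except
	# via lo0", but previously had no branch of its own and relied on
	# the kernel's default rule being deny. Rule 1000 has already
	# passed loopback, so an explicit catch-all deny makes the
	# documented behaviour true regardless of how the kernel was built.
	$fwcmd add 65000 deny all from any to any

elif [ "${firewall_type}" = "client" ]; then

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	$fwcmd add pass all from "${ip}" to "${net}:${mask}"
	$fwcmd add pass all from "${net}:${mask}" to "${ip}"

	# Allow TCP through if setup succeeded. ipfw's ``established''
	# matches on TCP flags (ACK/RST set), not a connection table, so
	# everything here is stateless filtering.
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to "${ip}" 25 setup

	# Allow setup of outgoing TCP connections only
	$fwcmd add pass tcp from "${ip}" to any setup

	# Disallow setup of all other TCP connections
	$fwcmd add deny tcp from any to any setup

	# Allow DNS queries out in the world. The inbound rule matches on
	# the remote source port only, so any UDP datagram sent from port
	# 53 (or 123 below) reaches this host; that is the price of
	# stateless UDP filtering, not a typo.
	$fwcmd add pass udp from any 53 to "${ip}"
	$fwcmd add pass udp from "${ip}" to any 53

	# Allow NTP queries out in the world
	$fwcmd add pass udp from any 123 to "${ip}"
	$fwcmd add pass udp from "${ip}" to any 123

	# Everything else is denied as default -- by the kernel's default
	# rule, so not if the kernel was built with
	# IPFIREWALL_DEFAULT_TO_ACCEPT.

elif [ "${firewall_type}" = "simple" ]; then

	############
	# This is a prototype setup for a simple firewall. Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	# NOTE: with these sample values left unchanged, the RFC1918 deny
	# rules below would block the outside net itself (192.168.4.0/24
	# lies inside 192.168.0.0/16); the real outside address must be
	# routable for this prototype to work as written.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface and vice versa.
	$fwcmd add deny all from "${inet}:${imask}" to any in via "${oif}"
	$fwcmd add deny all from "${onet}:${omask}" to any in via "${iif}"

	# Stop RFC1918 nets on the outside interface
	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
	$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via "${oif}"
	$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
	$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via "${oif}"
	$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"
	$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via "${oif}"

	# Allow TCP through if setup succeeded (flag-based, see ``client'').
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to "${oip}" 25 setup

	# Allow access to our DNS
	$fwcmd add pass tcp from any to "${oip}" 53 setup

	# Allow access to our WWW
	$fwcmd add pass tcp from any to "${oip}" 80 setup

	# Reject&Log all setup of incoming connections from the outside
	$fwcmd add deny log tcp from any to any in via "${oif}" setup

	# Allow setup of any other TCP connection (everything not caught
	# above, i.e. connections not entering on the outside interface).
	$fwcmd add pass tcp from any to any setup

	# Allow DNS queries out in the world (source-port match only; see
	# the note in the ``client'' section).
	$fwcmd add pass udp from any 53 to "${oip}"
	$fwcmd add pass udp from "${oip}" to any 53

	# Allow NTP queries out in the world
	$fwcmd add pass udp from any 123 to "${oip}"
	$fwcmd add pass udp from "${oip}" to any 123

	# Everything else is denied as default -- by the kernel's default
	# rule, so not if the kernel was built with
	# IPFIREWALL_DEFAULT_TO_ACCEPT.

elif [ "${firewall_type}" != "UNKNOWN" ] && [ -r "${firewall_type}" ]; then
	# Any other value is taken as the path of a rules file for ipfw
	# to read; the header asks for a full path.
	$fwcmd "${firewall_type}"
elif [ -n "${firewall_type}" ] && [ "${firewall_type}" != "UNKNOWN" ]; then
	# A typo in firewall_type used to fall through silently, leaving
	# only the base rules above and the kernel's default policy in
	# effect. Say so; the empty and ``UNKNOWN'' cases stay quiet.
	echo "rc.firewall: firewall_type '${firewall_type}' is neither a known type nor a readable rules file; only the base rules were loaded" >&2
fi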