rc.firewall revision 50357
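############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.20 1999/02/10 18:08:16 jkh Exp $
#
# This file is sourced by the boot scripts as plain POSIX sh: no bashisms,
# and deliberately no `set -e`, since a failing ipfw(8) call must not abort
# the rest of the boot sequence.
#
# Inputs (read from rc.conf unless noted):
#   firewall_type    open | client | simple | closed | UNKNOWN | /path/to/rules
#                    ($1, when given, overrides the rc.conf value)
#   firewall_quiet   "YES" runs ipfw with -q
#   natd_enable      "YES" together with natd_interface adds the natd divert
#   natd_interface   interface natd listens on ("X" means none)
#
# Effect: the whole ipfw rule set is flushed and rebuilt. Between the flush
# and the first added rule only the kernel's default rule is in effect, so
# whether traffic is dropped or passed in that window depends on how the
# kernel firewall default was configured.
############

############
# Suck in the configuration variables.
# NOTE(review): only one of the two files is sourced here, so settings in
# /etc/rc.conf are seen only if /etc/defaults/rc.conf itself reads that file
# -- confirm against the installed defaults file.
if [ -f /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -f /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
#
# ``closed'' has no branch of its own below: it ends up with rules 100 and
# 200 only, and everything else is left to the kernel's default rule.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

# A positional argument overrides the configured type (used when the
# script is invoked by hand to switch rule sets).
if [ -n "$1" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested.
# fwcmd is expanded unquoted on purpose everywhere below: it may carry
# the -q option as a second word.
if [ "${firewall_quiet}" = "YES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
${fwcmd} -f flush

############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
# Two separate tests instead of the deprecated, ambiguous `-a` operator.
if [ "${natd_enable}" = "YES" ] && [ "${natd_interface}" != "X" ]; then
	${fwcmd} add divert natd all from any to any via "${natd_interface}"
fi

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.

# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules:
# loopback traffic is always allowed, and anything addressed to the
# loopback net that did not arrive on lo0 is dropped.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8


# Prototype setups.
case "${firewall_type}" in
open|OPEN)

	${fwcmd} add 65000 pass all from any to any
	;;

client)

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded.
	# ``established'' is a stateless flag match (ACK or RST set), not
	# connection tracking: it passes such segments whether or not a
	# matching connection exists.
	${fwcmd} add pass tcp from any to any established

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world.
	# The inbound rule matches on source port alone: any UDP datagram
	# from port 53 of any host reaches this machine.
	${fwcmd} add pass udp from any 53 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world (same source-port-only match).
	${fwcmd} add pass udp from any 123 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 123

	# Everything else is denied as default.
	;;

simple)

	############
	# This is a prototype setup for a simple firewall. Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip.
	# The example values are RFC1918 addresses and would themselves be
	# caught by the RFC1918 deny rules below; replace them with the real
	# outside addresses.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface and vice versa.
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
	${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
	${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
	${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

	# Allow TCP through if setup succeeded (stateless ACK/RST match,
	# see the note in the client setup).
	${fwcmd} add pass tcp from any to any established

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside.
	# Must stay ahead of the general ``pass ... setup'' rule below.
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world (inbound rule matches on
	# source port alone).
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied as default.
	;;

*)
	# Any other value is taken as a rules file and handed to ipfw. The
	# documented contract is a full path, so only an absolute, readable
	# file is accepted; a relative name would otherwise be resolved in
	# whatever directory the boot scripts happen to run from, and the
	# keyword ``closed'' would become ambiguous with a file of that name.
	# Whoever can write that file controls the rule set.
	case "${firewall_type}" in
	/*)
		if [ -r "${firewall_type}" ]; then
			${fwcmd} "${firewall_type}"
		fi
		;;
	esac
	;;
esac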