rc.firewall revision 59669
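############
# Setup system for firewall service.
# $FreeBSD: head/etc/rc.firewall 59669 2000-04-27 00:48:59Z bsd $
#
# An optional first argument overrides ${firewall_type} from rc.conf.
# Every rule below is installed with ${fwcmd} (ipfw).  ipfw evaluates
# rules in number order and the first match decides, so the order of the
# commands in this file is significant -- do not reorder them casually.

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

# A non-empty first argument takes precedence over the rc.conf setting.
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
# ${fwcmd} is deliberately expanded unquoted below so that the "-q" flag
# is word-split off into a separate argument.
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.  Until the rules below have been
# installed only the kernel's default ipfw policy applies.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
# The divert rule is only installed when both natd_enable is "yes" and
# natd_interface names the interface (or address) to translate on.
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
# Loopback traffic is passed unconditionally.  A packet addressed to, or
# claiming to come from, 127.0.0.0/8 on any other interface is spoofed
# and is dropped before the type-specific rules see it.
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny all from 127.0.0.0/8 to any
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0


# Prototype setups.
#
# Rules added without an explicit number are appended after the ones
# above, in the order given here.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	# (``established'' matches segments of an already set up connection,
	# i.e. those with ACK or RST set; the ``setup'' rules below govern
	# which connections may be opened).
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	# (non-first fragments carry no transport header, so they could never
	# match a port-based rule; this passes them regardless of port).
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	# Note: the inbound rule matches on the remote *source* port only --
	# any UDP datagram sent from port 53 to ${ip} is accepted.
	${fwcmd} add pass udp from any 53 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	# (same source-port caveat as for DNS above).
	${fwcmd} add pass udp from any 123 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.0.2.0"
	omask="255.255.255.240"
	oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.0.2.16"
	imask="255.255.255.240"
	iip="192.0.2.17"

	# Stop spoofing
	# (inside addresses must not arrive on the outside interface and
	# vice versa).
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-01.txt nets on the outside interface
	# (these include 192.0.2.0/24, the documentation prefix used for the
	# sample addresses above; replace the samples with your real ones or
	# this block will also drop your own traffic).
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	# (``established'' matches segments of an already set up connection,
	# i.e. those with ACK or RST set).
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	# (non-first fragments carry no transport header and could never
	# match a port-based rule).
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	# (must stay before the blanket ``setup'' pass rule that follows).
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	# Note: the inbound rule matches on the remote *source* port only --
	# any UDP datagram sent from port 53 to ${oip} is accepted.
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	# (same source-port caveat as for DNS above).
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	# Nothing but the lo0 pass rule above gets through, regardless of
	# the kernel's default policy.
	${fwcmd} add 65000 deny all from any to any
	;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	# Anything else is taken as the full path of an ipfw rules file.
	# An unset or empty firewall_type ends up here too and loads nothing.
	# ipfw executes the file's contents as rules, so the file must not be
	# writable by anyone but root.
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} "${firewall_type}"
	fi
	;;
esac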