rc.firewall revision 64244
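############
# Setup system for firewall service.
# $FreeBSD: head/etc/rc.firewall 64244 2000-08-04 14:02:11Z ru $
#
# Inputs, taken from /etc/rc.conf (via /etc/defaults/rc.conf) unless noted:
#   $1              - optional firewall type; overrides ${firewall_type}
#   firewall_type   - see the list of valid values below
#   firewall_quiet  - YES runs ipfw(8) with -q
#   natd_enable     - YES adds a divert rule for natd(8) on ${natd_interface}
#   natd_interface  - interface whose traffic is diverted to natd(8)
#   firewall_flags  - extra ipfw(8) arguments when firewall_type names a file
#
# Side effects: the whole ipfw ruleset is flushed (${fwcmd} -f flush) and
# then the rules for the selected type are loaded.

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

# A command-line argument overrides the configured firewall type.
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Ss][Ii][Mm][Pp][Ll][Ee])
	;;
*)
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# Packets carrying a loopback source address can only legitimately arrive
# via lo0, which rule 100 has already passed; anything reaching this rule
# with such a source is spoofed and is dropped regardless of firewall type.
${fwcmd} add 300 deny all from 127.0.0.0/8 to any
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0


# Prototype setups.
#
# There is no explicit ``closed'' branch: that type falls through to the
# default case, which only loads a file if ${firewall_type} names a readable
# path (note the test is relative to the current directory).  ``closed''
# therefore adds nothing beyond rules 100-300 and relies entirely on the
# kernel's default policy, i.e. it is only closed when the kernel was built
# without IPFIREWALL_DEFAULT_TO_ACCEPT.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world.  The reply rule matches on the
	# remote source port only, so any UDP datagram sent from port 53
	# reaches this host, not just answers to queries it issued.
	${fwcmd} add pass udp from any 53 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world.  Same source-port caveat as DNS.
	${fwcmd} add pass udp from any 123 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip.
	# The placeholder values are documentation addresses (192.0.2.0/24),
	# which the address-checking rules further down deny on ${oif}; they
	# must be replaced with your real addresses before this type is usable.
	oif="ed0"
	onet="192.0.2.0"
	omask="255.255.255.240"
	oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.0.2.16"
	imask="255.255.255.240"
	iip="192.0.2.17"

	# Stop spoofing: the inside net never appears as a source on the
	# outside interface and vice versa.
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world.  The reply rule matches on the
	# remote source port only, so any UDP datagram sent from port 53
	# reaches ${oip}.
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world.  Same source-port caveat as DNS.
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	# Any other value is treated as a ruleset file handed to ipfw(8),
	# together with ${firewall_flags}, if it is readable.
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac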