rc.firewall revision 15027
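############
# Setup system for firewall service.
# $Id$

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of the contents.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.
#
# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule: it lets the host
# talk to itself over the loopback address.
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
  # set these to your network and netmask and ip
  net="192.168.4.0"
  mask="255.255.255.0"
  ip="192.168.4.17"

  # Allow any traffic to or from my own net.
  /sbin/ipfw add pass all from "${ip}" to "${net}:${mask}"
  /sbin/ipfw add pass all from "${net}:${mask}" to "${ip}"

  # Allow TCP through if setup succeeded.  This must be "pass": the rules
  # below only decide which SYN ("setup") packets get in, so denying
  # established traffic here would cut off every connection they accept.
  /sbin/ipfw add pass tcp from any to any established

  # Allow setup of incoming email
  /sbin/ipfw add pass tcp from any to "${ip}" 25 setup

  # Allow setup of outgoing TCP connections only
  /sbin/ipfw add pass tcp from "${ip}" to any setup

  # Disallow setup of all other TCP connections
  /sbin/ipfw add deny tcp from any to any setup

  # Allow DNS queries out in the world.
  # NOTE: these rules are stateless and the inbound one matches on source
  # port alone, so any UDP datagram sent from port 53 reaches this host.
  /sbin/ipfw add pass udp from any 53 to "${ip}"
  /sbin/ipfw add pass udp from "${ip}" to any 53

  # Allow NTP queries out in the world (same source-port caveat as DNS).
  /sbin/ipfw add pass udp from any 123 to "${ip}"
  /sbin/ipfw add pass udp from "${ip}" to any 123

  # Everything else is denied by the default policy.
fi

############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.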
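#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
  # set these to your outside interface network and netmask and ip
  oif="ed0"
  onet="192.168.4.0"
  omask="255.255.255.0"
  oip="192.168.4.17"

  # set these to your inside interface network and netmask and ip
  iif="ed1"
  inet="192.168.3.0"
  imask="255.255.255.0"
  iip="192.168.3.17"

  # Stop spoofing: inside addresses must not arrive on the outside
  # interface, and outside addresses must not arrive on the inside one.
  /sbin/ipfw add deny all from "${inet}:${imask}" to any in via "${oif}"
  /sbin/ipfw add deny all from "${onet}:${omask}" to any in via "${iif}"

  # Stop RFC1918 nets on the outside interface.
  # NOTE: the sample onet/oip values above lie inside 192.168.0.0/16, so
  # with those values the first rule also matches this host's own outside
  # address; replace them with your real outside addresses before enabling.
  /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
  /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
  /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

  # Allow TCP through if setup succeeded.  This must be "pass": the rules
  # below only decide which SYN ("setup") packets get in, so denying
  # established traffic here would cut off every connection they accept.
  /sbin/ipfw add pass tcp from any to any established

  # Allow setup of incoming email
  /sbin/ipfw add pass tcp from any to "${oip}" 25 setup

  # Allow access to our DNS
  /sbin/ipfw add pass tcp from any to "${oip}" 53 setup

  # Allow access to our WWW
  /sbin/ipfw add pass tcp from any to "${oip}" 80 setup

  # Reject&Log all setup of incoming connections from the outside
  /sbin/ipfw add deny log tcp from any to any in via "${oif}" setup

  # Allow setup of any other TCP connection (inside hosts and outbound)
  /sbin/ipfw add pass tcp from any to any setup

  # Allow DNS queries out in the world.
  # NOTE: these rules are stateless and the inbound one matches on source
  # port alone, so any UDP datagram sent from port 53 reaches this host.
  /sbin/ipfw add pass udp from any 53 to "${oip}"
  /sbin/ipfw add pass udp from "${oip}" to any 53

  # Allow NTP queries out in the world (same source-port caveat as DNS).
  /sbin/ipfw add pass udp from any 123 to "${oip}"
  /sbin/ipfw add pass udp from "${oip}" to any 123

  # Everything else is denied by the default policy.
fi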