rc.firewall revision 15210
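############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.1 1996/04/03 17:13:58 phk Exp $
#
# This file is read by the system startup scripts; it has no shebang and
# is not meant to be run by hand.  Every rule is loaded with /sbin/ipfw.
# ipfw checks a packet against its rules in ascending rule-number order
# and applies the first one that matches.  "ipfw add" lines without an
# explicit number get the next free number, so the order of the lines
# below is the order in which they are checked.  Anything no rule matches
# falls through to the kernel's default policy, which the two example
# setups below assume is "deny".

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of the contents.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.

# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule.
# It passes loopback traffic regardless of the interface it arrives on;
# the example setups below do not add a rule that drops packets with a
# 127.0.0.0 source arriving on a real interface, so if your kernel does
# not already discard those, add one before the rules that pass traffic.
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	# Nothing here checks which interface a packet claiming a ${net}
	# source arrived on; see the second setup below for anti-spoofing
	# rules if this machine has more than one interface.
	/sbin/ipfw add pass all from "${ip}" to "${net}:${mask}"
	/sbin/ipfw add pass all from "${net}:${mask}" to "${ip}"

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to "${ip}" 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from "${ip}" to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world.
	# The reply rule matches on the remote *source* port only: any UDP
	# datagram sent with source port 53 reaches every UDP port on ${ip}.
	# There is no per-flow state here, so if your ipfw accepts port
	# ranges, limit the destination to the unprivileged ports to narrow it.
	/sbin/ipfw add pass udp from any 53 to "${ip}"
	/sbin/ipfw add pass udp from "${ip}" to any 53

	# Allow NTP queries out in the world (same source-port caveat as DNS)
	/sbin/ipfw add pass udp from any 123 to "${ip}"
	/sbin/ipfw add pass udp from "${ip}" to any 123

	# Everything else is denied as default.
fi

############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
#
# To enable simply change "false" to "true" in the if line and set the
# variables to your network parameters

if false ; then
	# set these to your outside interface network and netmask and ip
	# NOTE: the example values are from an RFC1918 range, and the
	# "Stop RFC1918 nets" rules below deny all traffic from those ranges
	# via ${oif} -- including this host's own replies.  Replace them with
	# the real addresses of your outside interface before enabling this.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses may not arrive on the outside
	# interface, and outside addresses may not arrive on the inside one.
	/sbin/ipfw add deny all from "${inet}:${imask}" to any in via "${oif}"
	/sbin/ipfw add deny all from "${onet}:${omask}" to any in via "${iif}"

	# Stop RFC1918 nets on the outside interface ("via" matches both
	# directions, so this also keeps private addresses from leaking out).
	/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
	/sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
	/sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to "${oip}" 25 setup

	# Allow access to our DNS
	/sbin/ipfw add pass tcp from any to "${oip}" 53 setup

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to "${oip}" 80 setup

	# Deny&Log all setup of incoming connections from the outside
	/sbin/ipfw add deny log tcp from any to any in via "${oif}" setup

	# Allow setup of any other TCP connection (the deny above already
	# caught everything arriving on ${oif}, so this is inside/outbound only)
	/sbin/ipfw add pass tcp from any to any setup

	# Allow the inside machines to use the DNS and NTP servers on this
	# host.  The "queries out" rules below only match this host's own
	# queries and their replies, so without these the inside machines'
	# UDP queries to ${iip} would fall through to the default deny.
	/sbin/ipfw add pass udp from "${inet}:${imask}" to "${iip}" 53 via "${iif}"
	/sbin/ipfw add pass udp from "${iip}" 53 to "${inet}:${imask}" via "${iif}"
	/sbin/ipfw add pass udp from "${inet}:${imask}" to "${iip}" 123 via "${iif}"
	/sbin/ipfw add pass udp from "${iip}" 123 to "${inet}:${imask}" via "${iif}"

	# Allow DNS queries out in the world.
	# The reply rule matches on the remote *source* port only: any UDP
	# datagram sent with source port 53 reaches every UDP port on ${oip}.
	# There is no per-flow state here, so if your ipfw accepts port
	# ranges, limit the destination to the unprivileged ports to narrow it.
	/sbin/ipfw add pass udp from any 53 to "${oip}"
	/sbin/ipfw add pass udp from "${oip}" to any 53

	# Allow NTP queries out in the world (same source-port caveat as DNS)
	/sbin/ipfw add pass udp from any 123 to "${oip}"
	/sbin/ipfw add pass udp from "${oip}" to any 123

	# Everything else is denied as default.
fi
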