rc.firewall revision 25478
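############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $

############
#
# >>Warning<<
# This file is not very old yet, and has been put together without much
# testing of the contents.

# The ``firewall'' variable (set in the system configuration, not here)
# selects the type of firewall you want: open, client, simple or NONE.
# ``open'' will allow anyone in, ``client'' will try to protect just one
# machine and ``simple'' will try to protect a whole network (entries should
# be customized appropriately below).  To let no one in, use NONE.
# NOTE: NONE loads no rules beyond the loopback ones below, so what happens
# to all other traffic is decided by the kernel's default rule (65535),
# whose action is a kernel compile-time choice.
# Any other value is treated as the name of a readable ipfw(8) rule file.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#	http://www.awl.com/
#

############
# Flush out the list before we begin.  (flush removes every rule except
# the kernel's default rule 65535.)
/sbin/ipfw -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the ``firewall'' variable to
# ``open''.

# /sbin/ipfw add 65000 pass all from any to any

############
# Loopback.  Only in rare cases do you want to change these rules.
#
# Traffic on the loopback interface itself is always allowed.  Packets
# carrying a 127/8 address that arrive on (or try to leave via) any other
# interface are forged and are dropped here, before any of the prototype
# rule sets below get a chance to pass them.  Without the ``via lo0''
# restriction a packet spoofed as 127.0.0.1 -> 127.0.0.1 arriving on an
# ethernet interface would be accepted by the loopback pass rule.
/sbin/ipfw add 1000 pass all from any to any via lo0
/sbin/ipfw add 1010 deny all from 127.0.0.0:255.0.0.0 to any
/sbin/ipfw add 1020 deny all from any to 127.0.0.0:255.0.0.0


# Prototype setups.
if [ "${firewall}" = "open" ]; then

    /sbin/ipfw add 65000 pass all from any to any

elif [ "${firewall}" = "client" ]; then

    ############
    # This is a prototype setup that will protect your system somewhat against
    # people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    /sbin/ipfw add pass all from "${ip}" to "${net}:${mask}"
    /sbin/ipfw add pass all from "${net}:${mask}" to "${ip}"

    # Allow TCP through if setup succeeded.
    # NOTE: ``established'' only checks the TCP flags of each packet; it is
    # not connection tracking.  Anything with ACK or RST set passes here.
    /sbin/ipfw add pass tcp from any to any established

    # Allow setup of incoming email
    /sbin/ipfw add pass tcp from any to "${ip}" 25 setup

    # Allow setup of outgoing TCP connections only
    /sbin/ipfw add pass tcp from "${ip}" to any setup

    # Disallow setup of all other TCP connections
    /sbin/ipfw add deny tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: these rules are stateless and the inbound one matches only on the
    # remote *source* port, so any host can reach any UDP port on ${ip} just
    # by sending from source port 53.  Replies to our queries arrive on an
    # ephemeral port, so the destination port cannot be pinned down here;
    # restrict the source address to your actual resolvers if you can.
    /sbin/ipfw add pass udp from any 53 to "${ip}"
    /sbin/ipfw add pass udp from "${ip}" to any 53

    # Allow NTP queries out in the world.
    # NOTE: same weakness as the DNS rules above (source port 123 is enough
    # to get in).  If you run ntpd rather than ntpdate, both ends use port
    # 123 and the inbound rule can be tightened to ``to ${ip} 123''.
    /sbin/ipfw add pass udp from any 123 to "${ip}"
    /sbin/ipfw add pass udp from "${ip}" to any 123

    # Everything else is denied.  Say so explicitly rather than relying on
    # the kernel's default rule 65535, whose action (deny or accept) is
    # chosen when the kernel is built.
    /sbin/ipfw add 65000 deny all from any to any

elif [ "${firewall}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.168.4.0"
    omask="255.255.255.0"
    oip="192.168.4.17"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.3.0"
    imask="255.255.255.0"
    iip="192.168.3.17"

    # Stop spoofing: inside addresses may not arrive on the outside interface
    # and vice versa.
    /sbin/ipfw add deny all from "${inet}:${imask}" to any in via "${oif}"
    /sbin/ipfw add deny all from "${onet}:${omask}" to any in via "${iif}"

    # Stop RFC1918 nets on the outside interface.
    # NOTE: ``via'' matches both directions, so these rules also stop packets
    # with a private source address from leaking out through ${oif}.  That
    # also means the sample 192.168.4.0 values for onet/oip above cannot be
    # used as they stand: with them, the first rule below blocks the
    # firewall's own outside traffic.  Remove or adjust these three rules if
    # your outside network is itself a private one.
    /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
    /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
    /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

    # Allow TCP through if setup succeeded.
    # NOTE: ``established'' only checks TCP flags; it is not connection
    # tracking.
    /sbin/ipfw add pass tcp from any to any established

    # Allow setup of incoming email
    /sbin/ipfw add pass tcp from any to "${oip}" 25 setup

    # Allow access to our DNS
    /sbin/ipfw add pass tcp from any to "${oip}" 53 setup

    # Allow access to our WWW
    /sbin/ipfw add pass tcp from any to "${oip}" 80 setup

    # Reject&Log all setup of incoming connections from the outside
    /sbin/ipfw add deny log tcp from any to any in via "${oif}" setup

    # Allow setup of any other TCP connection.
    # NOTE: the deny above only covers packets arriving on ${oif}; setups
    # arriving on any other interface (including a third NIC) pass here.
    /sbin/ipfw add pass tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: stateless; the inbound rule keys only on the remote source port,
    # so any host can reach any UDP port on ${oip} from source port 53.
    /sbin/ipfw add pass udp from any 53 to "${oip}"
    /sbin/ipfw add pass udp from "${oip}" to any 53

    # Allow NTP queries out in the world.
    # NOTE: same weakness as the DNS rules above.  With ntpd on this box,
    # ``from any 123 to ${oip} 123'' is sufficient and tighter.
    /sbin/ipfw add pass udp from any 123 to "${oip}"
    /sbin/ipfw add pass udp from "${oip}" to any 123

    # Everything else is denied.  Say so explicitly rather than relying on
    # the kernel's default rule 65535, whose action (deny or accept) is
    # chosen when the kernel is built.
    /sbin/ipfw add 65000 deny all from any to any

elif [ "${firewall}" != "NONE" ] && [ -r "${firewall}" ]; then

    # Any other value names a file of ipfw rules; hand it to ipfw(8).
    # Quoted so a path containing whitespace is passed as one argument.
    /sbin/ipfw "${firewall}"
fi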