rc.firewall revision 29590
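############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.13 1997/09/11 10:59:00 danny Exp $
#
# This file is run by /bin/sh from the rc scripts, so it stays POSIX sh
# (no arrays, no [[ ]]).  Rules are loaded in the order they are added;
# the first matching rule wins, and anything unmatched falls through to
# the kernel's default policy (deny, unless the kernel was built otherwise).

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

# A type given on the command line overrides the one from /etc/rc.conf.
if [ "x$1" != "x" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested.
# fwcmd is deliberately used unquoted below so that "/sbin/ipfw -q"
# splits into the command and its flag.
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1


# Prototype setups.
if [ "${firewall_type}" = "open" ]; then

	$fwcmd add 65000 pass all from any to any

elif [ "${firewall_type}" = "closed" ]; then

	# Only loopback traffic passes; everything else falls through to
	# the default deny.  (This branch used to be labelled "simple",
	# which made the real "simple" setup below unreachable.)
	$fwcmd add 65000 pass all from any to any via lo0

elif [ "${firewall_type}" = "client" ]; then

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	$fwcmd add pass all from ${ip} to ${net}:${mask}
	$fwcmd add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	$fwcmd add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	$fwcmd add deny tcp from any to any setup

	# Allow DNS queries out in the world.
	# NOTE: matching on the remote *source* port is not authentication;
	# any host can send UDP from port 53, so this admits more than
	# replies to our own queries.
	$fwcmd add pass udp from any 53 to ${ip}
	$fwcmd add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world (same source-port caveat as DNS)
	$fwcmd add pass udp from any 123 to ${ip}
	$fwcmd add pass udp from ${ip} to any 123

	# Everything else is denied as default.

elif [ "${firewall_type}" = "simple" ]; then

	############
	# This is a prototype setup for a simple firewall. Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface and vice versa.  These come first so they win over the
	# pass rules below.
	$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
	$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
	$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
	$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

	# Allow TCP through if setup succeeded
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	$fwcmd add pass tcp from any to ${oip} 53 setup

	# Allow access to our WWW
	$fwcmd add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside.
	# Must stay ahead of the general "pass tcp ... setup" rule below,
	# otherwise that rule would admit every inbound connection.
	$fwcmd add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	$fwcmd add pass tcp from any to any setup

	# Allow DNS queries out in the world.
	# NOTE: matching on the remote source port is not authentication;
	# any host can send UDP from port 53.
	$fwcmd add pass udp from any 53 to ${oip}
	$fwcmd add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world (same source-port caveat as DNS)
	$fwcmd add pass udp from any 123 to ${oip}
	$fwcmd add pass udp from ${oip} to any 123

	# Everything else is denied as default.

elif [ "${firewall_type}" != "NONE" ] && [ -r "${firewall_type}" ]; then
	# Any other value naming a readable file is handed to ipfw as a rule
	# file.  Its contents become firewall rules, so it should be owned
	# by root and writable by nobody else.  Quoted so a path containing
	# spaces or glob characters is passed through intact.
	$fwcmd "${firewall_type}"
fi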