rc.firewall revision 30617 
1############
2# Setup system for firewall service.
3# $Id: rc.firewall,v 1.14 1997/09/18 22:43:42 danny Exp $
4
5############
6# Define the firewall type in /etc/rc.conf.  Valid values are:
7#   open     - will allow anyone in
8#   client   - will try to protect just this machine
9#   simple   - will try to protect a whole network
10#   closed   - totally disables IP services except via lo0 interface
11#   UNKNOWN  - disables the loading of firewall rules.
12#   filename - will load the rules in the given filename (full path required)
13#
14# For ``client'' and ``simple'' the entries below should be customized 
15# appropriately.
16
17############
18#
19# If you don't know enough about packet filtering, we suggest that you
20# take time to read this book:
21#
22#	Building Internet Firewalls
23#	Brent Chapman and Elizabeth Zwicky
24#
25#	O'Reilly & Associates, Inc
26#	ISBN 1-56592-124-0
27#	http://www.ora.com/
28#
29# For a more advanced treatment of Internet Security read:
30#
31#	Firewalls & Internet Security
32#	Repelling the wily hacker
33#	William R. Cheswick, Steven M. Bellowin
34#
35#	Addison-Wesley
36#	ISBN 0-201-6337-4
37#	http://www.awl.com/
38#
39
40if [ "x$1" != "x" ]; then
41	firewall_type=$1
42fi
43
44############
45# Set quiet mode if requested
46if [ "x$firewall_quiet" = "xYES" ]; then
47	fwcmd="/sbin/ipfw -q"
48else
49	fwcmd="/sbin/ipfw"
50fi
51
52############
53# Flush out the list before we begin.
54$fwcmd -f flush
55
56############
57# If you just configured ipfw in the kernel as a tool to solve network
58# problems or you just want to disallow some particular kinds of traffic
59# they you will want to change the default policy to open.  You can also
60# do this as your only action by setting the firewall_type to ``open''.
61
62# $fwcmd add 65000 pass all from any to any
63
64############
65# Only in rare cases do you want to change these rules
66$fwcmd add 1000 pass all from any to any via lo0
67$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
68
69
70# Prototype setups.
71if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
72
73	$fwcmd add 65000 pass all from any to any
74
75elif [ "${firewall_type}" = "client" ]; then
76
77    ############
78    # This is a prototype setup that will protect your system somewhat against
79    # people from outside your own network.
80    ############
81
82    # set these to your network and netmask and ip
83    net="192.168.4.0"
84    mask="255.255.255.0"
85    ip="192.168.4.17"
86
87    # Allow any traffic to or from my own net.
88    $fwcmd add pass all from ${ip} to ${net}:${mask}
89    $fwcmd add pass all from ${net}:${mask} to ${ip}
90
91    # Allow TCP through if setup succeeded
92    $fwcmd add pass tcp from any to any established
93
94    # Allow setup of incoming email 
95    $fwcmd add pass tcp from any to ${ip} 25 setup
96
97    # Allow setup of outgoing TCP connections only
98    $fwcmd add pass tcp from ${ip} to any setup
99
100    # Disallow setup of all other TCP connections
101    $fwcmd add deny tcp from any to any setup
102
103    # Allow DNS queries out in the world
104    $fwcmd add pass udp from any 53 to ${ip}
105    $fwcmd add pass udp from ${ip} to any 53
106
107    # Allow NTP queries out in the world
108    $fwcmd add pass udp from any 123 to ${ip}
109    $fwcmd add pass udp from ${ip} to any 123
110
111    # Everything else is denied as default.
112
113elif [ "${firewall_type}" = "simple" ]; then
114
115    ############
116    # This is a prototype setup for a simple firewall.  Configure this machine 
117    # as a named server and ntp server, and point all the machines on the inside
118    # at this machine for those services.
119    ############
120
121    # set these to your outside interface network and netmask and ip
122    oif="ed0"
123    onet="192.168.4.0"
124    omask="255.255.255.0"
125    oip="192.168.4.17"
126
127    # set these to your inside interface network and netmask and ip
128    iif="ed1"
129    inet="192.168.3.0"
130    imask="255.255.255.0"
131    iip="192.168.3.17"
132
133    # Stop spoofing
134    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
135    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
136
137    # Stop RFC1918 nets on the outside interface
138    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
139    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
140    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
141
142    # Allow TCP through if setup succeeded
143    $fwcmd add pass tcp from any to any established
144
145    # Allow setup of incoming email 
146    $fwcmd add pass tcp from any to ${oip} 25 setup
147
148    # Allow access to our DNS
149    $fwcmd add pass tcp from any to ${oip} 53 setup
150
151    # Allow access to our WWW
152    $fwcmd add pass tcp from any to ${oip} 80 setup
153
154    # Reject&Log all setup of incoming connections from the outside
155    $fwcmd add deny log tcp from any to any in via ${oif} setup
156
157    # Allow setup of any other TCP connection
158    $fwcmd add pass tcp from any to any setup
159
160    # Allow DNS queries out in the world
161    $fwcmd add pass udp from any 53 to ${oip}
162    $fwcmd add pass udp from ${oip} to any 53
163
164    # Allow NTP queries out in the world
165    $fwcmd add pass udp from any 123 to ${oip}
166    $fwcmd add pass udp from ${oip} to any 123
167
168    # Everything else is denied as default.
169
170elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
171	$fwcmd ${firewall_type}
172fi
173