rc.firewall (208060) | rc.firewall (229783) |
---|---|
1#!/bin/sh - 2# Copyright (c) 1996 Poul-Henning Kamp 3# All rights reserved. 4# 5# Redistribution and use in source and binary forms, with or without 6# modification, are permitted provided that the following conditions 7# are met: 8# 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24# SUCH DAMAGE. 25# | 1#!/bin/sh - 2# Copyright (c) 1996 Poul-Henning Kamp 3# All rights reserved. 4# 5# Redistribution and use in source and binary forms, with or without 6# modification, are permitted provided that the following conditions 7# are met: 8# 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24# SUCH DAMAGE. 25# |
26# $FreeBSD: head/etc/rc.firewall 208060 2010-05-14 04:53:57Z dougb $ | 26# $FreeBSD: head/etc/rc.firewall 229783 2012-01-07 16:10:32Z uqs $ |
27# 28 29# 30# Setup system for ipfw(4) firewall service. 31# 32 33# Suck in the configuration variables. 34if [ -z "${source_rc_confs_defined}" ]; then --- 6 unchanged lines hidden (view full) --- 41fi 42 43############ 44# Define the firewall type in /etc/rc.conf. Valid values are: 45# open - will allow anyone in 46# client - will try to protect just this machine 47# simple - will try to protect a whole network 48# closed - totally disables IP services except via lo0 interface | 27# 28 29# 30# Setup system for ipfw(4) firewall service. 31# 32 33# Suck in the configuration variables. 34if [ -z "${source_rc_confs_defined}" ]; then --- 6 unchanged lines hidden (view full) --- 41fi 42 43############ 44# Define the firewall type in /etc/rc.conf. Valid values are: 45# open - will allow anyone in 46# client - will try to protect just this machine 47# simple - will try to protect a whole network 48# closed - totally disables IP services except via lo0 interface |
49# workstation - will try to protect just this machine using statefull | 49# workstation - will try to protect just this machine using stateful |
50# firewalling. See below for rc.conf variables used 51# UNKNOWN - disables the loading of firewall rules. 52# filename - will load the rules in the given filename (full path required) 53# 54# For ``client'' and ``simple'' the entries below should be customized 55# appropriately. 56 57############ --- 42 unchanged lines hidden (view full) --- 100 # ND 101 # 102 # DAD 103 ${fwcmd} add pass ipv6-icmp from :: to ff02::/16 104 # RS, RA, NS, NA, redirect... 105 ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 106 ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 107 | 50# firewalling. See below for rc.conf variables used 51# UNKNOWN - disables the loading of firewall rules. 52# filename - will load the rules in the given filename (full path required) 53# 54# For ``client'' and ``simple'' the entries below should be customized 55# appropriately. 56 57############ --- 42 unchanged lines hidden (view full) --- 100 # ND 101 # 102 # DAD 103 ${fwcmd} add pass ipv6-icmp from :: to ff02::/16 104 # RS, RA, NS, NA, redirect... 105 ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 106 ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 107 |
108 # Allow ICMPv6 destination unreach | 108 # Allow ICMPv6 destination unreachable |
109 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1 110 111 # Allow NS/NA/toobig (don't filter it out) 112 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136 113} 114 115if [ -n "${1}" ]; then 116 firewall_type="${1}" --- 315 unchanged lines hidden (view full) --- 432 # Be very careful when setting this. 433 # This option can seriously degrade 434 # the level of protection provided by 435 # the firewall. 436 # firewall_logdeny: Boolean (YES/NO) specifying if the 437 # default denied packets should be 438 # logged (in /var/log/security). 439 # firewall_nologports: List of TCP/UDP ports for which | 109 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1 110 111 # Allow NS/NA/toobig (don't filter it out) 112 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136 113} 114 115if [ -n "${1}" ]; then 116 firewall_type="${1}" --- 315 unchanged lines hidden (view full) --- 432 # Be very careful when setting this. 433 # This option can seriously degrade 434 # the level of protection provided by 435 # the firewall. 436 # firewall_logdeny: Boolean (YES/NO) specifying if the 437 # default denied packets should be 438 # logged (in /var/log/security). 439 # firewall_nologports: List of TCP/UDP ports for which |
440 # denied incomming packets are not | 440 # denied incoming packets are not |
441 # logged. 442 443 # Allow packets for which a state has been built. 444 ${fwcmd} add check-state 445 446 # For services permitted below. 447 ${fwcmd} add pass tcp from me to any established 448 --- 51 unchanged lines hidden (view full) --- 500 501 ${fwcmd} add 65000 count ip from any to any 502 503 # Drop packets to ports where we don't want logging 504 for i in ${firewall_nologports} ; do 505 ${fwcmd} add deny { tcp or udp } from any to any $i in 506 done 507 | 441 # logged. 442 443 # Allow packets for which a state has been built. 444 ${fwcmd} add check-state 445 446 # For services permitted below. 447 ${fwcmd} add pass tcp from me to any established 448 --- 51 unchanged lines hidden (view full) --- 500 501 ${fwcmd} add 65000 count ip from any to any 502 503 # Drop packets to ports where we don't want logging 504 for i in ${firewall_nologports} ; do 505 ${fwcmd} add deny { tcp or udp } from any to any $i in 506 done 507 |
508 # Broadcasts and muticasts | 508 # Broadcasts and multicasts |
509 ${fwcmd} add deny ip from any to 255.255.255.255 510 ${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX 511 512 # Noise from routers 513 ${fwcmd} add deny udp from any to any 520 in 514 515 # Noise from webbrowsing. | 509 ${fwcmd} add deny ip from any to 255.255.255.255 510 ${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX 511 512 # Noise from routers 513 ${fwcmd} add deny udp from any to any 520 in 514 515 # Noise from webbrowsing. |
516 # The statefull filter is a bit agressive, and will cause some | 516 # The stateful filter is a bit aggressive, and will cause some |
517 # connection teardowns to be logged. 518 ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in 519 520 # Deny and (if wanted) log the rest unconditionally. 521 log="" 522 if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then 523 log="log logamount 500" # The default of 100 is too low. 524 sysctl net.inet.ip.fw.verbose=1 >/dev/null --- 15 unchanged lines hidden --- | 517 # connection teardowns to be logged. 518 ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in 519 520 # Deny and (if wanted) log the rest unconditionally. 521 log="" 522 if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then 523 log="log logamount 500" # The default of 100 is too low. 524 sysctl net.inet.ip.fw.verbose=1 >/dev/null --- 15 unchanged lines hidden --- |