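--- a/release/picobsd/floppy.tree/etc/rc.firewall
+++ b/release/picobsd/floppy.tree/etc/rc.firewall
@@ -1,172 +1,142 @@
-############
-# Setup system for firewall service.
-# $FreeBSD: head/release/picobsd/floppy.tree/etc/rc.firewall 50479 1999-08-28 01:35:59Z peter $
+# $FreeBSD: head/release/picobsd/floppy.tree/etc/rc.firewall 91853 2002-03-08 05:15:08Z luigi $
 
-############
-# Define the firewall type in /etc/rc.conf. Valid values are:
+# Setup system for firewall service, with some sample configurations.
+# Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
+#
+# If you override this file with your own copy, you can use ${hostname}
+# as the key for the case statement. On entry, the firewall will be flushed
+# and $fwcmd will point to the appropriate command (usually /sbin/ipfw)
+#
+# Sample configurations are:
 # open - will allow anyone in
-# client - will try to protect just this machine
-# simple - will try to protect a whole network
+# client - will try to protect just this machine (should be customized).
+# simple - will try to protect a whole network (should be customized).
 # closed - totally disables IP services except via lo0 interface
 # UNKNOWN - disables the loading of firewall rules.
 # filename - will load the rules in the given filename (full path required)
 #
-# For ``client'' and ``simple'' the entries below should be customized
-# appropriately.
 
 ############
-#
-# If you don't know enough about packet filtering, we suggest that you
-# take time to read this book:
-#
-# Building Internet Firewalls
-# Brent Chapman and Elizabeth Zwicky
-#
-# O'Reilly & Associates, Inc
-# ISBN 1-56592-124-0
-# http://www.ora.com/
-#
-# For a more advanced treatment of Internet Security read:
-#
-# Firewalls & Internet Security
-# Repelling the wily hacker
-# William R. Cheswick, Steven M. Bellowin
-#
-# Addison-Wesley
-# ISBN 0-201-6337-4
-# http://www.awl.com/
-#
-
-if [ "x$1" != "x" ]; then
-	firewall_type=$1
-fi
-
-############
-# Set quiet mode if requested
-if [ "x$firewall_quiet" = "xYES" ]; then
-	fwcmd="/sbin/ipfw -q"
-else
-	fwcmd="/sbin/ipfw"
-fi
-
-############
-# Flush out the list before we begin.
-$fwcmd -f flush
-
-############
-# If you just configured ipfw in the kernel as a tool to solve network
-# problems or you just want to disallow some particular kinds of traffic
-# they you will want to change the default policy to open. You can also
-# do this as your only action by setting the firewall_type to ``open''.
-
-# $fwcmd add 65000 pass all from any to any
-
-############
 # Only in rare cases do you want to change these rules
 $fwcmd add 1000 pass all from any to any via lo0
 $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
 
 
 # Prototype setups.
-if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
+case "${firewall_type}" in
+open|OPEN)
+	$fwcmd add 65000 pass all from any to any
+	;;
 
-	$fwcmd add 65000 pass all from any to any
+client)
 
-elif [ "${firewall_type}" = "client" ]; then
-
 	############
 	# This is a prototype setup that will protect your system somewhat against
 	# people from outside your own network.
 	############
 
 	# set these to your network and netmask and ip
 	net="192.168.4.0"
 	mask="255.255.255.0"
 	ip="192.168.4.17"
 
 	# Allow any traffic to or from my own net.
 	$fwcmd add pass all from ${ip} to ${net}:${mask}
 	$fwcmd add pass all from ${net}:${mask} to ${ip}
 
 	# Allow TCP through if setup succeeded
 	$fwcmd add pass tcp from any to any established
 
 	# Allow setup of incoming email
 	$fwcmd add pass tcp from any to ${ip} 25 setup
 
 	# Allow setup of outgoing TCP connections only
 	$fwcmd add pass tcp from ${ip} to any setup
 
 	# Disallow setup of all other TCP connections
 	$fwcmd add deny tcp from any to any setup
 
 	# Allow DNS queries out in the world
 	$fwcmd add pass udp from any 53 to ${ip}
 	$fwcmd add pass udp from ${ip} to any 53
 
 	# Allow NTP queries out in the world
 	$fwcmd add pass udp from any 123 to ${ip}
 	$fwcmd add pass udp from ${ip} to any 123
 
 	# Everything else is denied as default.
+	$fwcmd add 65000 deny all from any to any
+	;;
 
-elif [ "${firewall_type}" = "simple" ]; then
+simple)
 
 	############
 	# This is a prototype setup for a simple firewall. Configure this machine
 	# as a named server and ntp server, and point all the machines on the inside
 	# at this machine for those services.
 	############
 
 	# set these to your outside interface network and netmask and ip
 	oif="ed0"
 	onet="192.168.4.0"
 	omask="255.255.255.0"
 	oip="192.168.4.17"
 
 	# set these to your inside interface network and netmask and ip
 	iif="ed1"
 	inet="192.168.3.0"
 	imask="255.255.255.0"
 	iip="192.168.3.17"
 
 	# Stop spoofing
 	$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
 	$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
 	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
 	$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
 	$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
 
 	# Allow TCP through if setup succeeded
 	$fwcmd add pass tcp from any to any established
 
 	# Allow setup of incoming email
 	$fwcmd add pass tcp from any to ${oip} 25 setup
 
 	# Allow access to our DNS
 	$fwcmd add pass tcp from any to ${oip} 53 setup
 
 	# Allow access to our WWW
 	$fwcmd add pass tcp from any to ${oip} 80 setup
 
 	# Reject&Log all setup of incoming connections from the outside
 	$fwcmd add deny log tcp from any to any in via ${oif} setup
 
 	# Allow setup of any other TCP connection
 	$fwcmd add pass tcp from any to any setup
 
 	# Allow DNS queries out in the world
 	$fwcmd add pass udp from any 53 to ${oip}
 	$fwcmd add pass udp from ${oip} to any 53
 
 	# Allow NTP queries out in the world
 	$fwcmd add pass udp from any 123 to ${oip}
 	$fwcmd add pass udp from ${oip} to any 123
 
 	# Everything else is denied as default.
+	$fwcmd add 65000 deny all from any to any
+	;;
 
-elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
+UNKNOWN|"")
+	echo "WARNING: firewall rules not loaded."
+	;;
+
+*) # an absolute pathname ?
+	if [ -f "${firewall_type}" ] ; then
 	$fwcmd ${firewall_type}
-fi
+	else
+		echo "WARNING: firewall config script (${firewall_type}) not found,"
+		echo " firewall rules not loaded."
+	fi
+	;;
+esac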
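Review bot: The `*)` arm accepts any string as a rules file although the header (new line 16) and the arm's own comment say an absolute pathname is required; a relative `firewall_type` satisfies `[ -f "${firewall_type}" ]` against whatever working directory the rc framework happens to have and is then handed to ipfw, and the unquoted `$fwcmd ${firewall_type}` on new line 136 word-splits a path containing whitespace. I would match only `/*)` in that arm, quote the path, and let a final `*)` arm warn about an unrecognised type instead of treating it as a file. Separately, this revision drops the local `fwcmd` assignment and relies on the caller to set it, as the header states; a guard near the top such as `: "${fwcmd:?fwcmd must be set by the caller}"` makes running the file on its own fail loudly rather than attempting to execute `add` as a command.
```shell
/*) # absolute pathname: load the rules from that file
	if [ -f "${firewall_type}" ] ; then
		$fwcmd "${firewall_type}"
	else
		# … unchanged: not-found warning …
	fi
	;;
*)
	echo "WARNING: unknown firewall type (${firewall_type}),"
	echo " firewall rules not loaded."
	;;
```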