1############
2# Setup system for firewall service.
3# $FreeBSD: head/release/picobsd/floppy.tree/etc/rc.firewall 50479 1999-08-28 01:35:59Z peter $
| 1# $FreeBSD: head/release/picobsd/floppy.tree/etc/rc.firewall 91853 2002-03-08 05:15:08Z luigi $
|
4
| 2
|
5############
6# Define the firewall type in /etc/rc.conf. Valid values are:
| 3# Setup system for firewall service, with some sample configurations.
4# Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
5#
6# If you override this file with your own copy, you can use ${hostname}
7# as the key for the case statement. On entry, the firewall will be flushed
8# and $fwcmd will point to the appropriate command (usually /sbin/ipfw)
9#
10# Sample configurations are:
|
7# open - will allow anyone in
| 11# open - will allow anyone in
|
8# client - will try to protect just this machine
9# simple - will try to protect a whole network
| 12# client - will try to protect just this machine (should be customized).
13# simple - will try to protect a whole network (should be customized).
|
10# closed - totally disables IP services except via lo0 interface
11# UNKNOWN - disables the loading of firewall rules.
12# filename - will load the rules in the given filename (full path required)
13#
| 14# closed - totally disables IP services except via lo0 interface
15# UNKNOWN - disables the loading of firewall rules.
16# filename - will load the rules in the given filename (full path required)
17#
|
14# For ``client'' and ``simple'' the entries below should be customized
15# appropriately.
| |
16
17############
| 18
19############
|
18#
19# If you don't know enough about packet filtering, we suggest that you
20# take time to read this book:
21#
22# Building Internet Firewalls
23# Brent Chapman and Elizabeth Zwicky
24#
25# O'Reilly & Associates, Inc
26# ISBN 1-56592-124-0
27# http://www.ora.com/
28#
29# For a more advanced treatment of Internet Security read:
30#
31# Firewalls & Internet Security
32# Repelling the wily hacker
33# William R. Cheswick, Steven M. Bellowin
34#
35# Addison-Wesley
36# ISBN 0-201-6337-4
37# http://www.awl.com/
38#
39
40if [ "x$1" != "x" ]; then
41 firewall_type=$1
42fi
43
44############
45# Set quiet mode if requested
46if [ "x$firewall_quiet" = "xYES" ]; then
47 fwcmd="/sbin/ipfw -q"
48else
49 fwcmd="/sbin/ipfw"
50fi
51
52############
53# Flush out the list before we begin.
54$fwcmd -f flush
55
56############
57# If you just configured ipfw in the kernel as a tool to solve network
58# problems or you just want to disallow some particular kinds of traffic
59# they you will want to change the default policy to open. You can also
60# do this as your only action by setting the firewall_type to ``open''.
61
62# $fwcmd add 65000 pass all from any to any
63
64############
| |
65# Only in rare cases do you want to change these rules
66$fwcmd add 1000 pass all from any to any via lo0
67$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
68
69
70# Prototype setups.
| 20# Only in rare cases do you want to change these rules
21$fwcmd add 1000 pass all from any to any via lo0
22$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
23
24
25# Prototype setups.
|
71if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
| 26case "${firewall_type}" in
27open|OPEN)
28 $fwcmd add 65000 pass all from any to any
29 ;;
|
72
| 30
|
73 $fwcmd add 65000 pass all from any to any
| 31client)
|
74
| 32
|
75elif [ "${firewall_type}" = "client" ]; then
76
| |
77 ############
78 # This is a prototype setup that will protect your system somewhat against
79 # people from outside your own network.
80 ############
81
82 # set these to your network and netmask and ip
83 net="192.168.4.0"
84 mask="255.255.255.0"
85 ip="192.168.4.17"
86
87 # Allow any traffic to or from my own net.
88 $fwcmd add pass all from ${ip} to ${net}:${mask}
89 $fwcmd add pass all from ${net}:${mask} to ${ip}
90
91 # Allow TCP through if setup succeeded
92 $fwcmd add pass tcp from any to any established
93
94 # Allow setup of incoming email
95 $fwcmd add pass tcp from any to ${ip} 25 setup
96
97 # Allow setup of outgoing TCP connections only
98 $fwcmd add pass tcp from ${ip} to any setup
99
100 # Disallow setup of all other TCP connections
101 $fwcmd add deny tcp from any to any setup
102
103 # Allow DNS queries out in the world
104 $fwcmd add pass udp from any 53 to ${ip}
105 $fwcmd add pass udp from ${ip} to any 53
106
107 # Allow NTP queries out in the world
108 $fwcmd add pass udp from any 123 to ${ip}
109 $fwcmd add pass udp from ${ip} to any 123
110
111 # Everything else is denied as default.
| 33 ############
34 # This is a prototype setup that will protect your system somewhat against
35 # people from outside your own network.
36 ############
37
38 # set these to your network and netmask and ip
39 net="192.168.4.0"
40 mask="255.255.255.0"
41 ip="192.168.4.17"
42
43 # Allow any traffic to or from my own net.
44 $fwcmd add pass all from ${ip} to ${net}:${mask}
45 $fwcmd add pass all from ${net}:${mask} to ${ip}
46
47 # Allow TCP through if setup succeeded
48 $fwcmd add pass tcp from any to any established
49
50 # Allow setup of incoming email
51 $fwcmd add pass tcp from any to ${ip} 25 setup
52
53 # Allow setup of outgoing TCP connections only
54 $fwcmd add pass tcp from ${ip} to any setup
55
56 # Disallow setup of all other TCP connections
57 $fwcmd add deny tcp from any to any setup
58
59 # Allow DNS queries out in the world
60 $fwcmd add pass udp from any 53 to ${ip}
61 $fwcmd add pass udp from ${ip} to any 53
62
63 # Allow NTP queries out in the world
64 $fwcmd add pass udp from any 123 to ${ip}
65 $fwcmd add pass udp from ${ip} to any 123
66
67 # Everything else is denied as default.
|
| 68 $fwcmd add 65000 deny all from any to any
69 ;;
|
112
| 70
|
113elif [ "${firewall_type}" = "simple" ]; then
| 71simple)
|
114
115 ############
116 # This is a prototype setup for a simple firewall. Configure this machine
117 # as a named server and ntp server, and point all the machines on the inside
118 # at this machine for those services.
119 ############
120
121 # set these to your outside interface network and netmask and ip
122 oif="ed0"
123 onet="192.168.4.0"
124 omask="255.255.255.0"
125 oip="192.168.4.17"
126
127 # set these to your inside interface network and netmask and ip
128 iif="ed1"
129 inet="192.168.3.0"
130 imask="255.255.255.0"
131 iip="192.168.3.17"
132
133 # Stop spoofing
134 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
135 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
136
137 # Stop RFC1918 nets on the outside interface
138 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
139 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
140 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
141
142 # Allow TCP through if setup succeeded
143 $fwcmd add pass tcp from any to any established
144
145 # Allow setup of incoming email
146 $fwcmd add pass tcp from any to ${oip} 25 setup
147
148 # Allow access to our DNS
149 $fwcmd add pass tcp from any to ${oip} 53 setup
150
151 # Allow access to our WWW
152 $fwcmd add pass tcp from any to ${oip} 80 setup
153
154 # Reject&Log all setup of incoming connections from the outside
155 $fwcmd add deny log tcp from any to any in via ${oif} setup
156
157 # Allow setup of any other TCP connection
158 $fwcmd add pass tcp from any to any setup
159
160 # Allow DNS queries out in the world
161 $fwcmd add pass udp from any 53 to ${oip}
162 $fwcmd add pass udp from ${oip} to any 53
163
164 # Allow NTP queries out in the world
165 $fwcmd add pass udp from any 123 to ${oip}
166 $fwcmd add pass udp from ${oip} to any 123
167
168 # Everything else is denied as default.
| 72
73 ############
74 # This is a prototype setup for a simple firewall. Configure this machine
75 # as a named server and ntp server, and point all the machines on the inside
76 # at this machine for those services.
77 ############
78
79 # set these to your outside interface network and netmask and ip
80 oif="ed0"
81 onet="192.168.4.0"
82 omask="255.255.255.0"
83 oip="192.168.4.17"
84
85 # set these to your inside interface network and netmask and ip
86 iif="ed1"
87 inet="192.168.3.0"
88 imask="255.255.255.0"
89 iip="192.168.3.17"
90
91 # Stop spoofing
92 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
93 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
94
95 # Stop RFC1918 nets on the outside interface
96 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
97 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
98 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
99
100 # Allow TCP through if setup succeeded
101 $fwcmd add pass tcp from any to any established
102
103 # Allow setup of incoming email
104 $fwcmd add pass tcp from any to ${oip} 25 setup
105
106 # Allow access to our DNS
107 $fwcmd add pass tcp from any to ${oip} 53 setup
108
109 # Allow access to our WWW
110 $fwcmd add pass tcp from any to ${oip} 80 setup
111
112 # Reject&Log all setup of incoming connections from the outside
113 $fwcmd add deny log tcp from any to any in via ${oif} setup
114
115 # Allow setup of any other TCP connection
116 $fwcmd add pass tcp from any to any setup
117
118 # Allow DNS queries out in the world
119 $fwcmd add pass udp from any 53 to ${oip}
120 $fwcmd add pass udp from ${oip} to any 53
121
122 # Allow NTP queries out in the world
123 $fwcmd add pass udp from any 123 to ${oip}
124 $fwcmd add pass udp from ${oip} to any 123
125
126 # Everything else is denied as default.
|
| 127 $fwcmd add 65000 deny all from any to any
128 ;;
|
169
| 129
|
170elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
| 130UNKNOWN|"")
131 echo "WARNING: firewall rules not loaded."
132 ;;
133
134*) # an absolute pathname ?
135 if [ -f "${firewall_type}" ] ; then
|
171 $fwcmd ${firewall_type}
| 136 $fwcmd ${firewall_type}
|
172fi
| 137 else
138 echo "WARNING: firewall config script (${firewall_type}) not found,"
139 echo " firewall rules not loaded."
140 fi
141 ;;
142esac
|
| |