| rc.firewall (25478) | rc.firewall (29300) |
|---|---|
| 1############ 2# Setup system for firewall service. | 1############ 2# Setup system for firewall service. |
| 3# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $ | 3# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $ |
| 4 5############ | 4 5############ |
| 6# Define the firewall type in /etc/rc.conf. Valid values are: 7# open - will allow anyone in 8# client - will try to protect just this machine 9# simple - will try to protect a whole network 10# closed - totally disables IP services except via lo0 interface 11# UNKNOWN - disables the loading of firewall rules. 12# filename - will load the rules in the given filename (full path required) |
|
| 6# | 13# |
| 7# >>Warning<< 8# This file is not very old yet, and have been put together without much 9# testing of the contents. | 14# For ``client'' and ``simple'' the entries below should be customized 15# appropriately. |
| 10 | 16 |
| 11# Set this to be the type of firewall you want: open, client, simple or NONE. 12# ``open'' will allow anyone in, ``client'' will try to protect just one 13# machine and ``simple'' will try to protect a whole network (entries should 14# be customized appropriately below). To let no one in, use NONE. 15 | |
| 16############ 17# 18# If you don't know enough about packet filtering, we suggest that you 19# take time to read this book: 20# 21# Building Internet Firewalls 22# Brent Chapman and Elizabeth Zwicky 23# --- 7 unchanged lines hidden (view full) --- 31# Repelling the wily hacker 32# William R. Cheswick, Steven M. Bellowin 33# 34# Addison-Wesley 35# ISBN 0-201-6337-4 36# http://www.awl.com/ 37# 38 | 17############ 18# 19# If you don't know enough about packet filtering, we suggest that you 20# take time to read this book: 21# 22# Building Internet Firewalls 23# Brent Chapman and Elizabeth Zwicky 24# --- 7 unchanged lines hidden (view full) --- 32# Repelling the wily hacker 33# William R. Cheswick, Steven M. Bellowin 34# 35# Addison-Wesley 36# ISBN 0-201-6337-4 37# http://www.awl.com/ 38# 39 |
| 40if [ "x$1" != "x" ]; then 41 firewall_type=$1 42fi 43 |
|
| 39############ | 44############ |
| 45# Set quiet mode if requested 46if [ "x$firewall_quiet" = "xYES" ]; then 47 fwcmd="/sbin/ipfw -q" 48else 49 fwcmd="/sbin/ipfw" 50fi 51 52############ |
|
| 40# Flush out the list before we begin. | 53# Flush out the list before we begin. |
| 41/sbin/ipfw -f flush | 54$fwcmd -f flush |
| 42 43############ 44# If you just configured ipfw in the kernel as a tool to solve network 45# problems or you just want to disallow some particular kinds of traffic 46# they you will want to change the default policy to open. You can also 47# do this as your only action by setting the firewall_type to ``open''. 48 | 55 56############ 57# If you just configured ipfw in the kernel as a tool to solve network 58# problems or you just want to disallow some particular kinds of traffic 59# they you will want to change the default policy to open. You can also 60# do this as your only action by setting the firewall_type to ``open''. 61 |
| 49# /sbin/ipfw add 65000 pass all from any to any | 62# $fwcmd add 65000 pass all from any to any |
| 50 51############ 52# Only in rare cases do you want to change this rule | 63 64############ 65# Only in rare cases do you want to change this rule |
| 53/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 | 66$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 |
| 54 55 56# Prototype setups. | 67 68 69# Prototype setups. |
| 57if [ "${firewall}" = "open" ]; then | 70if [ "${firewall_type}" = "open" ]; then |
| 58 | 71 |
| 59 /sbin/ipfw add 65000 pass all from any to any | 72 $fwcmd add 65000 pass all from any to any |
| 60 | 73 |
| 61elif [ "${firewall}" = "client" ]; then | 74elif [ "${firewall_type}" = "simple" ]; then |
| 62 | 75 |
| 76 $fwcmd add 65000 pass all from any to any via lo0 77 78elif [ "${firewall_type}" = "client" ]; then 79 |
|
| 63 ############ 64 # This is a prototype setup that will protect your system somewhat against 65 # people from outside your own network. 66 ############ 67 68 # set these to your network and netmask and ip 69 net="192.168.4.0" 70 mask="255.255.255.0" 71 ip="192.168.4.17" 72 73 # Allow any traffic to or from my own net. | 80 ############ 81 # This is a prototype setup that will protect your system somewhat against 82 # people from outside your own network. 83 ############ 84 85 # set these to your network and netmask and ip 86 net="192.168.4.0" 87 mask="255.255.255.0" 88 ip="192.168.4.17" 89 90 # Allow any traffic to or from my own net. |
| 74 /sbin/ipfw add pass all from ${ip} to ${net}:${mask} 75 /sbin/ipfw add pass all from ${net}:${mask} to ${ip} | 91 $fwcmd add pass all from ${ip} to ${net}:${mask} 92 $fwcmd add pass all from ${net}:${mask} to ${ip} |
| 76 77 # Allow TCP through if setup succeeded | 93 94 # Allow TCP through if setup succeeded |
| 78 /sbin/ipfw add pass tcp from any to any established | 95 $fwcmd add pass tcp from any to any established |
| 79 80 # Allow setup of incoming email | 96 97 # Allow setup of incoming email |
| 81 /sbin/ipfw add pass tcp from any to ${ip} 25 setup | 98 $fwcmd add pass tcp from any to ${ip} 25 setup |
| 82 83 # Allow setup of outgoing TCP connections only | 99 100 # Allow setup of outgoing TCP connections only |
| 84 /sbin/ipfw add pass tcp from ${ip} to any setup | 101 $fwcmd add pass tcp from ${ip} to any setup |
| 85 86 # Disallow setup of all other TCP connections | 102 103 # Disallow setup of all other TCP connections |
| 87 /sbin/ipfw add deny tcp from any to any setup | 104 $fwcmd add deny tcp from any to any setup |
| 88 89 # Allow DNS queries out in the world | 105 106 # Allow DNS queries out in the world |
| 90 /sbin/ipfw add pass udp from any 53 to ${ip} 91 /sbin/ipfw add pass udp from ${ip} to any 53 | 107 $fwcmd add pass udp from any 53 to ${ip} 108 $fwcmd add pass udp from ${ip} to any 53 |
| 92 93 # Allow NTP queries out in the world | 109 110 # Allow NTP queries out in the world |
| 94 /sbin/ipfw add pass udp from any 123 to ${ip} 95 /sbin/ipfw add pass udp from ${ip} to any 123 | 111 $fwcmd add pass udp from any 123 to ${ip} 112 $fwcmd add pass udp from ${ip} to any 123 |
| 96 97 # Everything else is denied as default. 98 | 113 114 # Everything else is denied as default. 115 |
| 99elif [ "${firewall}" = "simple" ]; then | 116elif [ "${firewall_type}" = "simple" ]; then |
| 100 101 ############ 102 # This is a prototype setup for a simple firewall. Configure this machine 103 # as a named server and ntp server, and point all the machines on the inside 104 # at this machine for those services. 105 ############ 106 107 # set these to your outside interface network and netmask and ip --- 4 unchanged lines hidden (view full) --- 112 113 # set these to your inside interface network and netmask and ip 114 iif="ed1" 115 inet="192.168.3.0" 116 imask="255.255.255.0" 117 iip="192.168.3.17" 118 119 # Stop spoofing | 117 118 ############ 119 # This is a prototype setup for a simple firewall. Configure this machine 120 # as a named server and ntp server, and point all the machines on the inside 121 # at this machine for those services. 122 ############ 123 124 # set these to your outside interface network and netmask and ip --- 4 unchanged lines hidden (view full) --- 129 130 # set these to your inside interface network and netmask and ip 131 iif="ed1" 132 inet="192.168.3.0" 133 imask="255.255.255.0" 134 iip="192.168.3.17" 135 136 # Stop spoofing |
| 120 /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} 121 /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} | 137 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} 138 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} |
| 122 123 # Stop RFC1918 nets on the outside interface | 139 140 # Stop RFC1918 nets on the outside interface |
| 124 /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} 125 /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} 126 /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} | 141 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} 142 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} 143 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} |
| 127 128 # Allow TCP through if setup succeeded | 144 145 # Allow TCP through if setup succeeded |
| 129 /sbin/ipfw add pass tcp from any to any established | 146 $fwcmd add pass tcp from any to any established |
| 130 131 # Allow setup of incoming email | 147 148 # Allow setup of incoming email |
| 132 /sbin/ipfw add pass tcp from any to ${oip} 25 setup | 149 $fwcmd add pass tcp from any to ${oip} 25 setup |
| 133 134 # Allow access to our DNS | 150 151 # Allow access to our DNS |
| 135 /sbin/ipfw add pass tcp from any to ${oip} 53 setup | 152 $fwcmd add pass tcp from any to ${oip} 53 setup |
| 136 137 # Allow access to our WWW | 153 154 # Allow access to our WWW |
| 138 /sbin/ipfw add pass tcp from any to ${oip} 80 setup | 155 $fwcmd add pass tcp from any to ${oip} 80 setup |
| 139 140 # Reject&Log all setup of incoming connections from the outside | 156 157 # Reject&Log all setup of incoming connections from the outside |
| 141 /sbin/ipfw add deny log tcp from any to any in via ${oif} setup | 158 $fwcmd add deny log tcp from any to any in via ${oif} setup |
| 142 143 # Allow setup of any other TCP connection | 159 160 # Allow setup of any other TCP connection |
| 144 /sbin/ipfw add pass tcp from any to any setup | 161 $fwcmd add pass tcp from any to any setup |
| 145 146 # Allow DNS queries out in the world | 162 163 # Allow DNS queries out in the world |
| 147 /sbin/ipfw add pass udp from any 53 to ${oip} 148 /sbin/ipfw add pass udp from ${oip} to any 53 | 164 $fwcmd add pass udp from any 53 to ${oip} 165 $fwcmd add pass udp from ${oip} to any 53 |
| 149 150 # Allow NTP queries out in the world | 166 167 # Allow NTP queries out in the world |
| 151 /sbin/ipfw add pass udp from any 123 to ${oip} 152 /sbin/ipfw add pass udp from ${oip} to any 123 | 168 $fwcmd add pass udp from any 123 to ${oip} 169 $fwcmd add pass udp from ${oip} to any 123 |
| 153 154 # Everything else is denied as default. 155 | 170 171 # Everything else is denied as default. 172 |
| 156elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then 157 158 /sbin/ipfw ${firewall} | 173elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then 174 $fwcmd ${firewall} |
| 159fi | 175fi |