Cross Reference: /freebsd-9.3-release/etc/rc.firewall

Deleted Added

sdiff udiff text old ( 15210 ) new ( 16578 )

full compact

rc.firewall (15210)	rc.firewall (16578)
1############ 2# Setup system for firewall service.	1############ 2# Setup system for firewall service.
3# $Id: rc.firewall,v 1.1 1996/04/03 17:13:58 phk Exp $	3# $Id: rc.firewall,v 1.2 1996/04/12 09:16:42 phk Exp $
4 5############ 6# 7# >>Warning<< 8# This file is not very old yet, and have been put together without much 9# test of the contents. 10 11############ 12# 13# If you don't know enough about packet filtering, we suggest that you 14# take time to read this book: 15# 16# Building Internet Firewalls 17# Brent Chapman and Elizabeth Zwicky 18# 19# O'Reilly & Associates, Inc 20# ISBN 1-56592-124-0 21# 22# For a more advanced treatment of Internet Security read: 23# 24# Firewalls & Internet Security 25# Repelling the wily hacker 26# William R. Cheswick, Steven M. Bellowin 27# 28# Addison-Wesley 29# ISBN 0-201-6337-4 30# 31 32############	4 5############ 6# 7# >>Warning<< 8# This file is not very old yet, and have been put together without much 9# test of the contents. 10 11############ 12# 13# If you don't know enough about packet filtering, we suggest that you 14# take time to read this book: 15# 16# Building Internet Firewalls 17# Brent Chapman and Elizabeth Zwicky 18# 19# O'Reilly & Associates, Inc 20# ISBN 1-56592-124-0 21# 22# For a more advanced treatment of Internet Security read: 23# 24# Firewalls & Internet Security 25# Repelling the wily hacker 26# William R. Cheswick, Steven M. Bellowin 27# 28# Addison-Wesley 29# ISBN 0-201-6337-4 30# 31 32############
	33# Flush out the list before we begin. 34/sbin/ipfw flush 35 36############
33# If you just configured ipfw in the kernel as a tool to solve network 34# problems or you just want to disallow some particular kinds of traffic 35# they you will want to change the default policy to open. 36 37# /sbin/ipfw add 65000 pass all from any to any 38 39############ 40# Only in rare cases do you want to change this rule 41/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 42 43############ 44# This is a prototype setup that will protect your system somewhat against 45# people from outside your own network. 46# 47# To enable simply change "false" to "true" in the if line and set the 48# variables to your network parameters 49 50if false ; then 51 # set these to your network and netmask and ip 52 net="192.168.4.0" 53 mask="255.255.255.0" 54 ip="192.168.4.17" 55 56 # Allow any traffic to or from my own net. 57 /sbin/ipfw add pass all from ${ip} to ${net}:${mask} 58 /sbin/ipfw add pass all from ${net}:${mask} to ${ip} 59 60 # Allow TCP through if setup succeeded 61 /sbin/ipfw add pass tcp from any to any established 62 63 # Allow setup of incoming email 64 /sbin/ipfw add pass tcp from any to ${ip} 25 setup 65 66 # Allow setup of outgoing TCP connections only 67 /sbin/ipfw add pass tcp from ${ip} to any setup 68 69 # Disallow setup of all other TCP connections 70 /sbin/ipfw add deny tcp from any to any setup 71 72 # Allow DNS queries out in the world 73 /sbin/ipfw add pass udp from any 53 to ${ip} 74 /sbin/ipfw add pass udp from ${ip} to any 53 75 76 # Allow NTP queries out in the world 77 /sbin/ipfw add pass udp from any 123 to ${ip} 78 /sbin/ipfw add pass udp from ${ip} to any 123 79 80 # Everyting else is denied as default. 81fi 82 83############ 84# This is a prototype setup for a simple firewall. Configure this machine 85# as a named server and ntp server, and point all the machines on the inside 86# at this machine for those services. 87# 88# To enable simply change "false" to "true" in the if line and set the 89# variables to your network parameters 90 91if false ; then 92 # set these to your outside interface network and netmask and ip 93 oif="ed0" 94 onet="192.168.4.0" 95 omask="255.255.255.0" 96 oip="192.168.4.17" 97 98 # set these to your inside interface network and netmask and ip 99 iif="ed1" 100 inet="192.168.3.0" 101 imask="255.255.255.0" 102 iip="192.168.3.17" 103 104 # Stop spoofing 105 /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} 106 /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} 107 108 # Stop RFC1918 nets on the outside interface 109 /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} 110 /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} 111 /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} 112 113 # Allow TCP through if setup succeeded 114 /sbin/ipfw add pass tcp from any to any established 115 116 # Allow setup of incoming email 117 /sbin/ipfw add pass tcp from any to ${oip} 25 setup 118 119 # Allow access to our DNS 120 /sbin/ipfw add pass tcp from any to ${oip} 53 setup 121 122 # Allow access to our WWW 123 /sbin/ipfw add pass tcp from any to ${oip} 80 setup 124 125 # Reject&Log all setup of incoming connections from the outside 126 /sbin/ipfw add deny log tcp from any to any in via ${oif} setup 127 128 # Allow setup of any other TCP connection 129 /sbin/ipfw add pass tcp from any to any setup 130 131 # Allow DNS queries out in the world 132 /sbin/ipfw add pass udp from any 53 to ${oip} 133 /sbin/ipfw add pass udp from ${oip} to any 53 134 135 # Allow NTP queries out in the world 136 /sbin/ipfw add pass udp from any 123 to ${oip} 137 /sbin/ipfw add pass udp from ${oip} to any 123 138 139 # Everyting else is denied as default. 140fi 141	37# If you just configured ipfw in the kernel as a tool to solve network 38# problems or you just want to disallow some particular kinds of traffic 39# they you will want to change the default policy to open. 40 41# /sbin/ipfw add 65000 pass all from any to any 42 43############ 44# Only in rare cases do you want to change this rule 45/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 46 47############ 48# This is a prototype setup that will protect your system somewhat against 49# people from outside your own network. 50# 51# To enable simply change "false" to "true" in the if line and set the 52# variables to your network parameters 53 54if false ; then 55 # set these to your network and netmask and ip 56 net="192.168.4.0" 57 mask="255.255.255.0" 58 ip="192.168.4.17" 59 60 # Allow any traffic to or from my own net. 61 /sbin/ipfw add pass all from ${ip} to ${net}:${mask} 62 /sbin/ipfw add pass all from ${net}:${mask} to ${ip} 63 64 # Allow TCP through if setup succeeded 65 /sbin/ipfw add pass tcp from any to any established 66 67 # Allow setup of incoming email 68 /sbin/ipfw add pass tcp from any to ${ip} 25 setup 69 70 # Allow setup of outgoing TCP connections only 71 /sbin/ipfw add pass tcp from ${ip} to any setup 72 73 # Disallow setup of all other TCP connections 74 /sbin/ipfw add deny tcp from any to any setup 75 76 # Allow DNS queries out in the world 77 /sbin/ipfw add pass udp from any 53 to ${ip} 78 /sbin/ipfw add pass udp from ${ip} to any 53 79 80 # Allow NTP queries out in the world 81 /sbin/ipfw add pass udp from any 123 to ${ip} 82 /sbin/ipfw add pass udp from ${ip} to any 123 83 84 # Everyting else is denied as default. 85fi 86 87############ 88# This is a prototype setup for a simple firewall. Configure this machine 89# as a named server and ntp server, and point all the machines on the inside 90# at this machine for those services. 91# 92# To enable simply change "false" to "true" in the if line and set the 93# variables to your network parameters 94 95if false ; then 96 # set these to your outside interface network and netmask and ip 97 oif="ed0" 98 onet="192.168.4.0" 99 omask="255.255.255.0" 100 oip="192.168.4.17" 101 102 # set these to your inside interface network and netmask and ip 103 iif="ed1" 104 inet="192.168.3.0" 105 imask="255.255.255.0" 106 iip="192.168.3.17" 107 108 # Stop spoofing 109 /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} 110 /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} 111 112 # Stop RFC1918 nets on the outside interface 113 /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} 114 /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} 115 /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} 116 117 # Allow TCP through if setup succeeded 118 /sbin/ipfw add pass tcp from any to any established 119 120 # Allow setup of incoming email 121 /sbin/ipfw add pass tcp from any to ${oip} 25 setup 122 123 # Allow access to our DNS 124 /sbin/ipfw add pass tcp from any to ${oip} 53 setup 125 126 # Allow access to our WWW 127 /sbin/ipfw add pass tcp from any to ${oip} 80 setup 128 129 # Reject&Log all setup of incoming connections from the outside 130 /sbin/ipfw add deny log tcp from any to any in via ${oif} setup 131 132 # Allow setup of any other TCP connection 133 /sbin/ipfw add pass tcp from any to any setup 134 135 # Allow DNS queries out in the world 136 /sbin/ipfw add pass udp from any 53 to ${oip} 137 /sbin/ipfw add pass udp from ${oip} to any 53 138 139 # Allow NTP queries out in the world 140 /sbin/ipfw add pass udp from any 123 to ${oip} 141 /sbin/ipfw add pass udp from ${oip} to any 123 142 143 # Everyting else is denied as default. 144fi 145