#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

#
# Setup system for firewall service.
#

############
# Pull in the rc.conf variables this script reads (firewall_type,
# firewall_quiet, firewall_flags, natd_enable, natd_interface) unless
# the caller has already loaded them.  When /etc/defaults/rc.conf is
# readable it is sourced and source_rc_confs (expected to be defined by
# it) is called; /etc/rc.conf is read directly only as a fallback.
#
case ${source_rc_confs_defined} in
"")
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
	;;
esac

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick,
#	Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#	http://www.awl.com/
#	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#

############
# Loopback rules shared by every prototype.  Rule 100 passes whatever
# travels over lo0; rules 200 and 300 then drop any packet on another
# interface that is addressed to, or claims to come from, 127.0.0.0/8,
# so a loopback address cannot be used from outside the host.
# Only in rare cases do you want to change these rules.
#
setup_loopback () {
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

############
# A command line argument overrides the firewall_type from rc.conf.
#
[ -n "${1}" ] && firewall_type="${1}"

############
# Build the ipfw(8) command; firewall_quiet=YES adds -q so rule
# loading does not echo each rule.  Every rule below goes through
# ${fwcmd}, so pointing it at ``echo'' previews the ruleset.
#
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac

############
# Start from an empty rule list.
#
${fwcmd} -f flush

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
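#
# The divert rule is numbered 50 so that it sorts ahead of the
# loopback rules (100-300) added by setup_loopback.  Only the ``open''
# and ``client'' types add it here; ``simple'' inserts it between its
# address-checking rules in setup_simple below.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd all from any to any via "${natd_interface}"
		fi
		;;
	esac
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


############
# Prototype setups.  Each firewall_type has its own function and the
# case statement at the end of the file selects one.  The functions only
# emit ipfw(8) commands through ${fwcmd} (plus the shared loopback
# rules from setup_loopback), so a ruleset can be previewed with
# fwcmd=echo before it is loaded into the kernel.
#

# ``open'': loopback protection, then pass everything else.
setup_open () {
	setup_loopback
	${fwcmd} add 65000 pass all from any to any
}

# ``client'': a prototype that will protect this single machine somewhat
# against people from outside your own network.
setup_client () {
	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	setup_loopback

	# Allow any traffic to or from my own net.  These two rules match
	# on addresses only, with no ``via'' interface qualifier, so they
	# accept whatever source address a packet carries; the ``simple''
	# prototype shows the interface-bound anti-spoofing form.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded.  ``established'' is a TCP
	# header check (ACK or RST bit set), not tracked connection state.
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through.  ``frag'' matches non-first
	# fragments, which carry no TCP/UDP header and so cannot be matched
	# by the port-based rules below; they are passed unconditionally.
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${ip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${ip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
}

# ``simple'': a prototype for a simple firewall.  Configure this machine
# as a DNS and NTP server, and point all the machines on the inside at
# this machine for those services.
setup_simple () {
	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.0.2.0"
	omask="255.255.255.240"
	oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.0.2.16"
	imask="255.255.255.240"
	iip="192.0.2.17"

	# NOTE: the 192.0.2.x values above are placeholders.  They fall
	# inside the 192.0.2.0/24 block that is denied on ${oif} further
	# down, so left unchanged this ruleset denies traffic to and from
	# the firewall's own outside address.  Replace them before use.

	setup_loopback

	# Stop spoofing: inside addresses may not arrive on the outside
	# interface, and outside addresses may not arrive on the inside one.
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface (destination side)
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface (destination side)
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via "${natd_interface}"
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface (source side)
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface (source side)
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded.  ``established'' is a TCP
	# header check (ACK or RST bit set), not tracked connection state.
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through.  ``frag'' matches non-first
	# fragments, which carry no TCP/UDP header and so cannot be matched
	# by the port-based rules below; they are passed unconditionally.
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside.
	# This is the only rule with ``log'', so it is where blocked inbound
	# connection attempts on ${oif} become visible.
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${oip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${oip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
}

# ``closed'': loopback rules only; everything on other interfaces is
# left to the kernel's default policy.
setup_closed () {
	setup_loopback
}

############
# Select the prototype named by firewall_type (set from rc.conf or $1).
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	setup_open
	;;
[Cc][Ll][Ii][Ee][Nn][Tt])
	setup_client
	;;
[Ss][Ii][Mm][Pp][Ll][Ee])
	setup_simple
	;;
[Cc][Ll][Oo][Ss][Ee][Dd])
	setup_closed
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	# Explicitly load no rules at all.
	;;
*)
	# Any other value is the full path of a rules file that ipfw(8)
	# reads its rules from.  Only readability is checked here, so the
	# ownership and permissions of that file are the operator's
	# responsibility.  The path is quoted (a path with spaces must stay
	# one argument, as it is for the -r test); firewall_flags is left
	# unquoted on purpose so that several flags can be given.
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} "${firewall_type}"
	fi
	;;
esac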