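############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.1.1.1 1998/08/27 17:38:42 abial Exp $
#
# This script is sourced by the rc framework and written for /bin/sh
# (POSIX sh only: no arrays, no [[ ]], no $'..').
#
# Inputs (environment, normally from /etc/rc.conf):
#   firewall_type  - rule set to load (see the list below); a non-empty
#                    first argument ($1) overrides it.
#   firewall_quiet - "YES" makes ipfw run with -q (no per-rule output).
# Writes:
#   fwcmd          - the ipfw command line used for every rule below.
# Side effects:
#   flushes the current ipfw rule set and installs a new one.

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#              (no branch below adds rules for it: only the lo0 rules are
#              installed and everything else is left to the kernel's
#              default policy, which is assumed to be deny)
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.  The addresses and interface names in those sections are
# placeholders, not defaults that work as-is.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

# A non-empty first argument overrides the rc.conf setting.
if [ -n "$1" ]; then
	firewall_type=$1
fi

############
# Set quiet mode if requested.
# fwcmd is deliberately used unquoted below: it may hold two words
# ("/sbin/ipfw -q") that must stay separate.
if [ "x$firewall_quiet" = "xYES" ]; then
	fwcmd="/sbin/ipfw -q"
else
	fwcmd="/sbin/ipfw"
fi

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.

# $fwcmd add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules.
# Rule 1010 drops loopback addresses seen on any interface other than lo0
# (rule 1000 has already accepted everything on lo0 itself).
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8


# Prototype setups.
if [ "${firewall_type}" = "open" ] || [ "${firewall_type}" = "OPEN" ]; then

	$fwcmd add 65000 pass all from any to any

elif [ "${firewall_type}" = "client" ]; then

	############
	# This is a prototype setup that will protect your system somewhat against
	# people from outside your own network.
	#
	# All rules in this section are stateless: they match on addresses,
	# ports and TCP flags only.  In particular "established" matches any
	# TCP packet with the ACK or RST bit set, and "from any 53" /
	# "from any 123" match any UDP datagram whose *source* port is 53/123
	# whatever its destination port.  Treat these as coarse filters, not
	# as connection tracking.
	############

	# set these to your network and netmask and ip
	net="192.168.4.0"
	mask="255.255.255.0"
	ip="192.168.4.17"

	# Allow any traffic to or from my own net.
	$fwcmd add pass all from "${ip}" to "${net}:${mask}"
	$fwcmd add pass all from "${net}:${mask}" to "${ip}"

	# Allow TCP through if setup succeeded (ACK or RST set, see above).
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to "${ip}" 25 setup

	# Allow setup of outgoing TCP connections only
	$fwcmd add pass tcp from "${ip}" to any setup

	# Disallow setup of all other TCP connections
	$fwcmd add deny tcp from any to any setup

	# Allow DNS queries out in the world (replies matched by source port 53)
	$fwcmd add pass udp from any 53 to "${ip}"
	$fwcmd add pass udp from "${ip}" to any 53

	# Allow NTP queries out in the world (replies matched by source port 123)
	$fwcmd add pass udp from any 123 to "${ip}"
	$fwcmd add pass udp from "${ip}" to any 123

	# Everything else is denied as default.

elif [ "${firewall_type}" = "simple" ]; then

	############
	# This is a prototype setup for a simple firewall.  Configure this machine
	# as a named server and ntp server, and point all the machines on the inside
	# at this machine for those services.
	#
	# The same stateless caveats as in the ``client'' section apply to the
	# "established" and source-port-based UDP rules below.
	############

	# set these to your outside interface network and netmask and ip
	# NOTE: with these sample values left in place the RFC1918 rules further
	# down (192.168.0.0/16 via ${oif}) also match ${onet}/${oip}; replace
	# the placeholders with your real outside addresses before use.
	oif="ed0"
	onet="192.168.4.0"
	omask="255.255.255.0"
	oip="192.168.4.17"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.168.3.0"
	imask="255.255.255.0"
	iip="192.168.3.17"

	# Stop spoofing: inside addresses arriving on the outside interface,
	# and outside addresses arriving on the inside interface.
	$fwcmd add deny all from "${inet}:${imask}" to any in via "${oif}"
	$fwcmd add deny all from "${onet}:${omask}" to any in via "${iif}"

	# Stop RFC1918 nets on the outside interface (both directions).
	$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via "${oif}"
	$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via "${oif}"
	$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via "${oif}"

	# Allow TCP through if setup succeeded (ACK or RST set).
	$fwcmd add pass tcp from any to any established

	# Allow setup of incoming email
	$fwcmd add pass tcp from any to "${oip}" 25 setup

	# Allow access to our DNS
	$fwcmd add pass tcp from any to "${oip}" 53 setup

	# Allow access to our WWW
	$fwcmd add pass tcp from any to "${oip}" 80 setup

	# Reject&Log all setup of incoming connections from the outside.
	# This must stay before the "pass ... setup" rule below; ipfw evaluates
	# rules in order and the first match wins.
	$fwcmd add deny log tcp from any to any in via "${oif}" setup

	# Allow setup of any other TCP connection (i.e. outbound, and
	# anything arriving on the inside interface).
	$fwcmd add pass tcp from any to any setup

	# Allow DNS queries out in the world (replies matched by source port 53)
	$fwcmd add pass udp from any 53 to "${oip}"
	$fwcmd add pass udp from "${oip}" to any 53

	# Allow NTP queries out in the world (replies matched by source port 123)
	$fwcmd add pass udp from any 123 to "${oip}"
	$fwcmd add pass udp from "${oip}" to any 123

	# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" ] && [ -r "${firewall_type}" ]; then
	# Any other readable path is handed to ipfw as a rule file.  Its
	# contents are executed as ipfw commands with root privileges, so the
	# file should be owned by root and not writable by anyone else.
	# The path is quoted so that spaces or glob characters in it are not
	# split into separate ipfw arguments.  An unset/empty firewall_type
	# fails the -r test and loads nothing.
	$fwcmd "${firewall_type}"
fi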