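# $FreeBSD: head/release/picobsd/floppy.tree/etc/rc.firewall 91853 2002-03-08 05:15:08Z luigi $
#
# Setup system for firewall service, with some sample configurations.
# Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
#
# This file is sourced by the rc scripts, not executed on its own: on entry
# the firewall has already been flushed and $fwcmd points to the
# appropriate command (usually /sbin/ipfw).  If you override this file
# with your own copy, you can use ${hostname} as the key for the case
# statement.
#
# Sample configurations are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine (should be customized).
#   simple   - will try to protect a whole network (should be customized).
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# NOTE: none of the sample rulesets below is stateful.  Replies are let in
# by matching TCP flags ("established") or a well-known UDP *source* port,
# so treat them as starting points to be tightened, not as finished policy.

############
# Only in rare cases do you want to change these rules.
#
# Everything on the loopback interface is trusted.  Any other packet that
# carries a 127/8 source or destination can only have been spoofed, so
# drop it in both directions.  (A single rule matching only 127/8 -> 127/8
# would let a 127/8 source aimed at the host's real address fall through
# to the profile rules below.)
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from any to 127.0.0.0/8
$fwcmd add 1020 deny all from 127.0.0.0/8 to any


# Prototype setups.
case "${firewall_type}" in
open|OPEN)
    # No filtering at all beyond the loopback rules above.
    $fwcmd add 65000 pass all from any to any
    ;;

client|CLIENT)

    ############
    # This is a prototype setup that will protect your system somewhat against
    # people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    $fwcmd add pass all from ${ip} to ${net}:${mask}
    $fwcmd add pass all from ${net}:${mask} to ${ip}

    # Allow TCP through if setup succeeded.
    # NOTE: "established" only tests the ACK/RST flags; it is not connection
    # tracking, so any crafted segment with ACK set passes this rule.
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${ip} 25 setup

    # Allow setup of outgoing TCP connections only
    $fwcmd add pass tcp from ${ip} to any setup

    # Disallow setup of all other TCP connections
    $fwcmd add deny tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: the first rule admits *any* UDP datagram whose source port is 53
    # to *any* port on ${ip}.  If your ipfw supports it, prefer
    #   $fwcmd add pass udp from ${ip} to any 53 keep-state
    # (with a matching check-state rule), or at least replace "any 53" with
    # the address of the resolver you actually use.
    $fwcmd add pass udp from any 53 to ${ip}
    $fwcmd add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world.
    # NOTE: same source-port weakness as the DNS rule above (port 123).
    $fwcmd add pass udp from any 123 to ${ip}
    $fwcmd add pass udp from ${ip} to any 123

    # Everything else is denied as default.
    $fwcmd add 65000 deny all from any to any
    ;;

simple|SIMPLE)

    ############
    # This is a prototype setup for a simple firewall. Configure this machine
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.168.4.0"
    omask="255.255.255.0"
    oip="192.168.4.17"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.3.0"
    imask="255.255.255.0"
    iip="192.168.3.17"

    # Stop spoofing: inside addresses must not arrive on the outside
    # interface and vice versa.
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface.
    # NOTE: the sample ${onet} above (192.168.4.0/24) is itself an RFC1918
    # net, so with the sample addresses the first rule below also drops your
    # own outside network.  Adjust or remove these rules if your upstream
    # really hands you private addresses.
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # Allow TCP through if setup succeeded.
    # NOTE: flag matching only, not connection tracking (see "client").
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection (i.e. anything not arriving
    # on ${oif}: inside hosts and this machine may connect anywhere).
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world.
    # NOTE: "from any 53" lets any UDP datagram with source port 53 reach
    # any port on ${oip}; restrict it to your upstream resolvers or use
    # keep-state if your ipfw supports it.
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world.
    # NOTE: same source-port weakness as the DNS rule above (port 123).
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.
    $fwcmd add 65000 deny all from any to any
    ;;

closed|CLOSED)
    # Documented in the header but previously had no case arm, so it fell
    # into the "filename" branch below, printed a warning and loaded no
    # rules at all.  Deny everything that is not on lo0 (rule 1000 above).
    $fwcmd add 65000 deny all from any to any
    ;;

UNKNOWN|"")
    echo "WARNING: firewall rules not loaded."
    ;;

*)  # an absolute pathname ?
    # Anything else is taken as a file of ipfw rules.  Quote the path so a
    # name containing whitespace or glob characters reaches $fwcmd intact.
    if [ -f "${firewall_type}" ] ; then
        $fwcmd "${firewall_type}"
    else
        echo "WARNING: firewall config script (${firewall_type}) not found,"
        echo " firewall rules not loaded."
    fi
    ;;
esac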