rc.firewall revision 165648
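#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.firewall 165648 2006-12-29 21:59:17Z piso $
#

#
# Setup system for firewall service.
#
# Rules are installed with ipfw(8).  The firewall type comes from
# ${firewall_type} in rc.conf, or from the first command-line argument
# when one is given (the argument wins).
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#                 firewalling.  See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#	http://www.awl.com/
#	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#

# setup_loopback: install the fixed low-numbered rules that pass loopback
# traffic and drop anything claiming a 127/8 address on a real interface.
# Uses ${fwcmd}, which must already be set.
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

# A command-line argument overrides firewall_type from rc.conf.
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac
	case ${firewall_nat_enable} in
	[Yy][Ee][Ss])
		if [ -n "${firewall_nat_interface}" ]; then
			${fwcmd} nat 123 config if ${firewall_nat_interface} log
			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
		fi
		;;
	esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through (non-first fragments carry no
	# port information, so the port-based rules below cannot match them)
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from me to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a DNS and NTP server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.0.2.0"
	omask="255.255.255.240"
	oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.0.2.16"
	imask="255.255.255.240"
	iip="192.0.2.17"

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface, and vice versa.
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through (non-first fragments carry no
	# port information, so the port-based rules below cannot match them)
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${oip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${oip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
	# Configuration:
	#  firewall_myservices:	List of TCP ports on which this host
	#			offers services.
	#  firewall_allowservices: List of IPs which has access to
	#			$firewall_myservices.
	#  firewall_trusted:	List of IPs which has full access
	#			to this host.  Be very careful
	#			when setting this.  This option can
	#			seriously degrade the level of
	#			protection provided by the firewall.
	#  firewall_logdeny:	Boolean (YES/NO) specifying if the
	#			default denied packets should be
	#			logged (in /var/log/security).
	#  firewall_nologports:	List of TCP/UDP ports for which
	#			denied incoming packets are not
	#			logged.

	# Allow packets for which a state has been built.
	${fwcmd} add check-state

	# For services permitted below.
	${fwcmd} add pass tcp from me to any established

	# Allow any connection out, adding state for each.
	${fwcmd} add pass tcp from me to any setup keep-state
	${fwcmd} add pass udp from me to any keep-state
	${fwcmd} add pass icmp from me to any keep-state

	# Allow DHCP.
	${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
	${fwcmd} add pass udp from any 67 to me 68 in
	${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
	# Some servers will ping the IP while trying to decide if it's
	# still in use.
	${fwcmd} add pass icmp from any to any icmptype 8

	# Allow "mandatory" ICMP in.
	${fwcmd} add pass icmp from any to any icmptype 3,4,11

	# Add permits for this workstations published services below
	# Only IPs and nets in firewall_allowservices is allowed in.
	# If you really wish to let anyone use services on your
	# workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
	#
	# Note: We don't use keep-state as that would allow DoS of
	#       our statetable.
	#       You can add 'keep-state' to the lines for slightly
	#       better performance if you feel that DoS of your
	#       workstation won't be a problem.
	#
	for i in ${firewall_allowservices} ; do
		for j in ${firewall_myservices} ; do
			${fwcmd} add pass tcp from $i to me $j
		done
	done

	# Allow all connections from trusted IPs.
	# Playing with the content of firewall_trusted could seriously
	# degrade the level of protection provided by the firewall.
	for i in ${firewall_trusted} ; do
		${fwcmd} add pass ip from $i to me
	done

	# Count everything that reaches this point (nothing is decided here).
	${fwcmd} add 65000 count ip from any to any

	# Drop packets to ports where we don't want logging
	for i in ${firewall_nologports} ; do
		${fwcmd} add deny { tcp or udp } from any to any $i in
	done

	# Broadcasts and multicasts
	${fwcmd} add deny ip from any to 255.255.255.255
	${fwcmd} add deny ip from any to 224.0.0.0/24 in	# XXX

	# Noise from routers
	${fwcmd} add deny udp from any to any 520 in

	# Noise from webbrowsing.
	# The stateful filter is a bit aggressive, and will cause some
	# connection teardowns to be logged.
	${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

	# Deny and (if wanted) log the rest unconditionally.
	# firewall_logdeny is matched case-insensitively like every other
	# YES/NO knob in this file (the old test only accepted "YES"/"yes"
	# and word-split an unquoted value).
	log=""
	case ${firewall_logdeny} in
	[Yy][Ee][Ss])
		log="log logamount 500"	# The default of 100 is too low.
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
		;;
	esac
	${fwcmd} add deny $log ip from any to any
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	${fwcmd} add 65000 deny ip from any to any
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	# Any other value is taken as the path of an ipfw(8) rules file.
	# Only readability is checked here; ipfw applies whatever the file
	# contains, so it must be root-owned and not writable by others.
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac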