diff options
Diffstat (limited to 'release/picobsd/router/floppy.tree/etc/rc.firewall')
| -rw-r--r-- | release/picobsd/router/floppy.tree/etc/rc.firewall | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/release/picobsd/router/floppy.tree/etc/rc.firewall b/release/picobsd/router/floppy.tree/etc/rc.firewall new file mode 100644 index 000000000000..0a3e3d2f7c95 --- /dev/null +++ b/release/picobsd/router/floppy.tree/etc/rc.firewall @@ -0,0 +1,172 @@ +############ +# Setup system for firewall service. +# $Id: rc.firewall,v 1.1 1998/08/02 13:03:31 abial Exp $ + +############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) +# +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. + +############ +# +# If you don't know enough about packet filtering, we suggest that you +# take time to read this book: +# +# Building Internet Firewalls +# Brent Chapman and Elizabeth Zwicky +# +# O'Reilly & Associates, Inc +# ISBN 1-56592-124-0 +# http://www.ora.com/ +# +# For a more advanced treatment of Internet Security read: +# +# Firewalls & Internet Security +# Repelling the wily hacker +# William R. Cheswick, Steven M. Bellowin +# +# Addison-Wesley +# ISBN 0-201-6337-4 +# http://www.awl.com/ +# + +if [ "x$1" != "x" ]; then + firewall_type=$1 +fi + +############ +# Set quiet mode if requested +if [ "x$firewall_quiet" = "xYES" ]; then + fwcmd="/sbin/ipfw -q" +else + fwcmd="/sbin/ipfw" +fi + +############ +# Flush out the list before we begin. +$fwcmd -f flush + +############ +# If you just configured ipfw in the kernel as a tool to solve network +# problems or you just want to disallow some particular kinds of traffic +# they you will want to change the default policy to open. You can also +# do this as your only action by setting the firewall_type to ``open''. + +# $fwcmd add 65000 pass all from any to any + +############ +# Only in rare cases do you want to change these rules +$fwcmd add 1000 pass all from any to any via lo0 +$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8 + + +# Prototype setups. +if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then + + $fwcmd add 65000 pass all from any to any + +elif [ "${firewall_type}" = "client" ]; then + + ############ + # This is a prototype setup that will protect your system somewhat against + # people from outside your own network. + ############ + + # set these to your network and netmask and ip + net="192.168.4.0" + mask="255.255.255.0" + ip="192.168.4.17" + + # Allow any traffic to or from my own net. + $fwcmd add pass all from ${ip} to ${net}:${mask} + $fwcmd add pass all from ${net}:${mask} to ${ip} + + # Allow TCP through if setup succeeded + $fwcmd add pass tcp from any to any established + + # Allow setup of incoming email + $fwcmd add pass tcp from any to ${ip} 25 setup + + # Allow setup of outgoing TCP connections only + $fwcmd add pass tcp from ${ip} to any setup + + # Disallow setup of all other TCP connections + $fwcmd add deny tcp from any to any setup + + # Allow DNS queries out in the world + $fwcmd add pass udp from any 53 to ${ip} + $fwcmd add pass udp from ${ip} to any 53 + + # Allow NTP queries out in the world + $fwcmd add pass udp from any 123 to ${ip} + $fwcmd add pass udp from ${ip} to any 123 + + # Everything else is denied as default. + +elif [ "${firewall_type}" = "simple" ]; then + + ############ + # This is a prototype setup for a simple firewall. Configure this machine + # as a named server and ntp server, and point all the machines on the inside + # at this machine for those services. + ############ + + # set these to your outside interface network and netmask and ip + oif="ed0" + onet="192.168.4.0" + omask="255.255.255.0" + oip="192.168.4.17" + + # set these to your inside interface network and netmask and ip + iif="ed1" + inet="192.168.3.0" + imask="255.255.255.0" + iip="192.168.3.17" + + # Stop spoofing + $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} + + # Stop RFC1918 nets on the outside interface + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + + # Allow TCP through if setup succeeded + $fwcmd add pass tcp from any to any established + + # Allow setup of incoming email + $fwcmd add pass tcp from any to ${oip} 25 setup + + # Allow access to our DNS + $fwcmd add pass tcp from any to ${oip} 53 setup + + # Allow access to our WWW + $fwcmd add pass tcp from any to ${oip} 80 setup + + # Reject&Log all setup of incoming connections from the outside + $fwcmd add deny log tcp from any to any in via ${oif} setup + + # Allow setup of any other TCP connection + $fwcmd add pass tcp from any to any setup + + # Allow DNS queries out in the world + $fwcmd add pass udp from any 53 to ${oip} + $fwcmd add pass udp from ${oip} to any 53 + + # Allow NTP queries out in the world + $fwcmd add pass udp from any 123 to ${oip} + $fwcmd add pass udp from ${oip} to any 123 + + # Everything else is denied as default. + +elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then + $fwcmd ${firewall_type} +fi |