aboutsummaryrefslogtreecommitdiff
path: root/etc/rc.firewall
blob: 7208023f3cb1b237eca2ec8651a5cc4bfe0e6afb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.4 1996/08/14 14:41:58 jkh Exp $

############
#
# >>Warning<<
# This file is not very old yet, and have been put together without much
# testing of the contents.

# Set this to be the type of firewall you want:  open, client, simple or NONE.
# ``open'' will allow anyone in, ``client'' will try to protect just one
# machine and ``simple'' will try to protect a whole network (entries should
# be customized appropriately below).  To let no one in, use NONE.

firewall_type=NONE


############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#

############
# Flush out the list before we begin.
/sbin/ipfw flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.

# /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1


# Prototype setups.
if [ "${firewall_type}" = "open" ]; then

	/sbin/ipfw add 65000 pass all from any to any

elif [ "${firewall_type}" = "client" ]; then

    ############
    # This is a prototype setup that will protect your system somewhat against
    # people from outside your own network.
    ############

    # set these to your network and netmask and ip
    net="192.168.4.0"
    mask="255.255.255.0"
    ip="192.168.4.17"

    # Allow any traffic to or from my own net.
    /sbin/ipfw add pass all from ${ip} to ${net}:${mask}
    /sbin/ipfw add pass all from ${net}:${mask} to ${ip}

    # Allow TCP through if setup succeeded
    /sbin/ipfw add pass tcp from any to any established

    # Allow setup of incoming email 
    /sbin/ipfw add pass tcp from any to ${ip} 25 setup

    # Allow setup of outgoing TCP connections only
    /sbin/ipfw add pass tcp from ${ip} to any setup

    # Disallow setup of all other TCP connections
    /sbin/ipfw add deny tcp from any to any setup

    # Allow DNS queries out in the world
    /sbin/ipfw add pass udp from any 53 to ${ip}
    /sbin/ipfw add pass udp from ${ip} to any 53

    # Allow NTP queries out in the world
    /sbin/ipfw add pass udp from any 123 to ${ip}
    /sbin/ipfw add pass udp from ${ip} to any 123

    # Everyting else is denied as default.

elif [ "${firewall_type}" = "simple" ]; then

    ############
    # This is a prototype setup for a simple firewall.  Configure this machine 
    # as a named server and ntp server, and point all the machines on the inside
    # at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.168.4.0"
    omask="255.255.255.0"
    oip="192.168.4.17"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.3.0"
    imask="255.255.255.0"
    iip="192.168.3.17"

    # Stop spoofing
    /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
    /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # Allow TCP through if setup succeeded
    /sbin/ipfw add pass tcp from any to any established

    # Allow setup of incoming email 
    /sbin/ipfw add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    /sbin/ipfw add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    /sbin/ipfw add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    /sbin/ipfw add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    /sbin/ipfw add pass tcp from any to any setup

    # Allow DNS queries out in the world
    /sbin/ipfw add pass udp from any 53 to ${oip}
    /sbin/ipfw add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    /sbin/ipfw add pass udp from any 123 to ${oip}
    /sbin/ipfw add pass udp from ${oip} to any 123

    # Everyting else is denied as default.
fi