author | Daniel O'Callaghan <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
---|---|---|
committer | Daniel O'Callaghan <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
commit | 5f4feab6965f42051a8c40691c6add3706f02180 (patch) | |
tree | b8460fde0c5748394914af0b4d2be424eeb18284 /etc/rc.firewall | |
parent | fe8d21ba575ae4996f1d46428735cc091483fcad (diff) | |
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r-- | etc/rc.firewall | 104 |
1 files changed, 60 insertions, 44 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index b0e29baf309c..5bfaedc69e93 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -1,17 +1,18 @@
 ############
 # Setup system for firewall service.
-# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $
+# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $
 ############
+# Define the firewall type in /etc/rc.conf. Valid values are:
+# open - will allow anyone in
+# client - will try to protect just this machine
+# simple - will try to protect a whole network
+# closed - totally disables IP services except via lo0 interface
+# UNKNOWN - disables the loading of firewall rules.
+# filename - will load the rules in the given filename (full path required)
 #
-# >>Warning<<
-# This file is not very old yet, and have been put together without much
-# testing of the contents.
-
-# Set this to be the type of firewall you want: open, client, simple or NONE.
-# ``open'' will allow anyone in, ``client'' will try to protect just one
-# machine and ``simple'' will try to protect a whole network (entries should
-# be customized appropriately below). To let no one in, use NONE.
+# For ``client'' and ``simple'' the entries below should be customized
+# appropriately.
 ############
 #
@@ -36,9 +37,21 @@
 #
 # http://www.awl.com/
 #
+if [ "x$1" != "x" ]; then
+ firewall_type=$1
+fi
+
+############
+# Set quiet mode if requested
+if [ "x$firewall_quiet" = "xYES" ]; then
+ fwcmd="/sbin/ipfw -q"
+else
+ fwcmd="/sbin/ipfw"
+fi
+
 ############
 # Flush out the list before we begin.
-/sbin/ipfw -f flush
+$fwcmd -f flush
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
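Review bot: The new header comment does not match the dispatch code it documents: it names `UNKNOWN` as the value that skips rule loading, yet the final branch of this file (visible at the end of the diff) still compares `firewall_type` against `"NONE"`, and it lists a `closed` type although the only branch installing a loopback-only ruleset is labelled `simple`. Whichever side is the intended contract, the comment and the tests should use the same strings; if the code stands, the comment line should read `# NONE - disables the loading of firewall rules.` and the `closed` entry needs a matching `elif`. Leaving the two out of sync means an administrator following the comment gets a different firewall than they asked for.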
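Review bot: The `firewall_type=$1` override is undocumented: nothing in the header explains that a first argument to this script silently replaces the value from rc.conf, which matters because the same string is later treated as a filename handed to ipfw. A one-line comment above the test, `# A firewall type given as the first argument overrides firewall_type from rc.conf`, would make the precedence explicit. It is also worth a comment at `$fwcmd -f flush` that between the flush and the last `add` the kernel's default policy is in force, so on a default-accept kernel the host is briefly unfiltered while the rules load.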
@@ -46,19 +59,23 @@
 # they you will want to change the default policy to open. You can also
 # do this as your only action by setting the firewall_type to ``open''.
-# /sbin/ipfw add 65000 pass all from any to any
+# $fwcmd add 65000 pass all from any to any
 ############
 # Only in rare cases do you want to change this rule
-/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
+$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1
 # Prototype setups.
-if [ "${firewall}" = "open" ]; then
+if [ "${firewall_type}" = "open" ]; then
+
+ $fwcmd add 65000 pass all from any to any
- /sbin/ipfw add 65000 pass all from any to any
+elif [ "${firewall_type}" = "simple" ]; then
-elif [ "${firewall}" = "client" ]; then
+ $fwcmd add 65000 pass all from any to any via lo0
+
+elif [ "${firewall_type}" = "client" ]; then
 ############
 # This is a prototype setup that will protect your system somewhat against
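Review bot: The new `elif [ "${firewall_type}" = "simple" ]` branch that installs only `pass all from any to any via lo0` uses the same string as the real whole-network ruleset, whose `elif` is renamed to `"simple"` in a later hunk of this same commit, so the first match wins and selecting `simple` now produces a loopback-only firewall while the network rules become unreachable. Given the header comment's description of `closed` ("totally disables IP services except via lo0 interface"), this branch was presumably meant to read `elif [ "${firewall_type}" = "closed" ]; then`. Whether a gateway configured as `simple` then fails open or closed depends on the kernel's default policy, which this file does not set, so the mistake may go unnoticed until forwarding silently stops or is silently unfiltered. The if/elif chain continues past the end of this hunk.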
@@ -71,32 +88,32 @@ elif [ "${firewall}" = "client" ]; then
 ip="192.168.4.17"
 # Allow any traffic to or from my own net.
- /sbin/ipfw add pass all from ${ip} to ${net}:${mask}
- /sbin/ipfw add pass all from ${net}:${mask} to ${ip}
+ $fwcmd add pass all from ${ip} to ${net}:${mask}
+ $fwcmd add pass all from ${net}:${mask} to ${ip}
 # Allow TCP through if setup succeeded
- /sbin/ipfw add pass tcp from any to any established
+ $fwcmd add pass tcp from any to any established
 # Allow setup of incoming email
- /sbin/ipfw add pass tcp from any to ${ip} 25 setup
+ $fwcmd add pass tcp from any to ${ip} 25 setup
 # Allow setup of outgoing TCP connections only
- /sbin/ipfw add pass tcp from ${ip} to any setup
+ $fwcmd add pass tcp from ${ip} to any setup
 # Disallow setup of all other TCP connections
- /sbin/ipfw add deny tcp from any to any setup
+ $fwcmd add deny tcp from any to any setup
 # Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${ip}
- /sbin/ipfw add pass udp from ${ip} to any 53
+ $fwcmd add pass udp from any 53 to ${ip}
+ $fwcmd add pass udp from ${ip} to any 53
 # Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${ip}
- /sbin/ipfw add pass udp from ${ip} to any 123
+ $fwcmd add pass udp from any 123 to ${ip}
+ $fwcmd add pass udp from ${ip} to any 123
 # Everything else is denied as default.
-elif [ "${firewall}" = "simple" ]; then
+elif [ "${firewall_type}" = "simple" ]; then
 ############
 # This is a prototype setup for a simple firewall. Configure this machine
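Review bot: `$fwcmd add pass udp from any 53 to ${ip}` and the parallel port-123 rule admit any UDP datagram whose source port is 53 or 123 to every UDP port on the host, so a remote sender who binds one of those privileged source ports bypasses the default deny for all local UDP services, not just the resolver and NTP client. The rewrite to `$fwcmd` is mechanical, but since these are the rules that now ship, the destination should at least be narrowed to the unprivileged range the stub resolver uses, e.g. `$fwcmd add pass udp from any 53 to ${ip} 1024-65535` (ipfw accepts a `lo-hi` port range), with the same change for 123, or the comment should state the exposure. The `client` branch this hunk sits in begins in the previous hunk.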
@@ -117,43 +134,42 @@ elif [ "${firewall}" = "simple" ]; then
 iip="192.168.3.17"
 # Stop spoofing
- /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
- /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
+ $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
+ $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
 # Stop RFC1918 nets on the outside interface
- /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
- /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
- /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+ $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
+ $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
+ $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
 # Allow TCP through if setup succeeded
- /sbin/ipfw add pass tcp from any to any established
+ $fwcmd add pass tcp from any to any established
 # Allow setup of incoming email
- /sbin/ipfw add pass tcp from any to ${oip} 25 setup
+ $fwcmd add pass tcp from any to ${oip} 25 setup
 # Allow access to our DNS
- /sbin/ipfw add pass tcp from any to ${oip} 53 setup
+ $fwcmd add pass tcp from any to ${oip} 53 setup
 # Allow access to our WWW
- /sbin/ipfw add pass tcp from any to ${oip} 80 setup
+ $fwcmd add pass tcp from any to ${oip} 80 setup
 # Reject&Log all setup of incoming connections from the outside
- /sbin/ipfw add deny log tcp from any to any in via ${oif} setup
+ $fwcmd add deny log tcp from any to any in via ${oif} setup
 # Allow setup of any other TCP connection
- /sbin/ipfw add pass tcp from any to any setup
+ $fwcmd add pass tcp from any to any setup
 # Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${oip}
- /sbin/ipfw add pass udp from ${oip} to any 53
+ $fwcmd add pass udp from any 53 to ${oip}
+ $fwcmd add pass udp from ${oip} to any 53
 # Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${oip}
- /sbin/ipfw add pass udp from ${oip} to any 123
+ $fwcmd add pass udp from any 123 to ${oip}
+ $fwcmd add pass udp from ${oip} to any 123
 # Everything else is denied as default.
-elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then
-
- /sbin/ipfw ${firewall}
+elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then
+ $fwcmd ${firewall}
 fi |
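Review bot: The last branch still runs `$fwcmd ${firewall}` although the variable is renamed to `firewall_type` in its own condition and everywhere else in this commit, so `${firewall}` is now empty, ipfw is invoked with no rule file, and a custom ruleset selected by filename is never loaded; the line should be `$fwcmd ${firewall_type}`. Because the branch is guarded only by `-r`, any readable path that reaches `firewall_type` from rc.conf or `$1` is handed to ipfw as a rule script, so the comment's "full path required" promise is not enforced here; a `case "${firewall_type}" in /*) ;; *) ... ;; esac` check before the call would make it so. Minor style point: `-a` inside `[ ]` is the ambiguous form, and `[ "${firewall_type}" != "NONE" ] && [ -r "${firewall_type}" ]` reads the same. The if/elif chain this branch closes begins in an earlier hunk.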