| 1 | #!/bin/sh -
|
---|
| 2 | # Copyright (c) 1996 Poul-Henning Kamp
|
---|
| 3 | # All rights reserved.
|
---|
| 4 | #
|
---|
| 5 | # Redistribution and use in source and binary forms, with or without
|
---|
| 6 | # modification, are permitted provided that the following conditions
|
---|
| 7 | # are met:
|
---|
| 8 | # 1. Redistributions of source code must retain the above copyright
|
---|
| 9 | # notice, this list of conditions and the following disclaimer.
|
---|
| 10 | # 2. Redistributions in binary form must reproduce the above copyright
|
---|
| 11 | # notice, this list of conditions and the following disclaimer in the
|
---|
| 12 | # documentation and/or other materials provided with the distribution.
|
---|
| 13 | #
|
---|
| 14 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
---|
| 15 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
---|
| 16 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
---|
| 17 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
---|
| 18 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
---|
| 19 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
---|
| 20 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
---|
| 21 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
---|
| 22 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
---|
| 23 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
---|
| 24 | # SUCH DAMAGE.
|
---|
| 25 | #
|
---|
| 26 | # $FreeBSD: src/etc/rc.firewall,v 1.52.2.3.4.1 2009/04/15 03:14:26 kensmith Exp $
|
---|
| 27 | #
|
---|
| 28 |
|
---|
| 29 | #
|
---|
| 30 | # Setup system for ipfw(4) firewall service.
|
---|
| 31 | #
|
---|
| 32 |
|
---|
| 33 | # Suck in the configuration variables.
|
---|
| 34 | if [ -z "${source_rc_confs_defined}" ]; then
|
---|
| 35 | if [ -r /etc/defaults/rc.conf ]; then
|
---|
| 36 | . /etc/defaults/rc.conf
|
---|
| 37 | source_rc_confs
|
---|
| 38 | elif [ -r /etc/rc.conf ]; then
|
---|
| 39 | . /etc/rc.conf
|
---|
| 40 | fi
|
---|
| 41 | fi
|
---|
| 42 |
|
---|
| 43 | trusted_net="84.106.113.143"
|
---|
| 44 |
|
---|
| 45 | # Deny and (if wanted) log the rest unconditionally.
|
---|
| 46 | log="log logamount 500" # The default of 100 is too low.
|
---|
| 47 | sysctl net.inet.ip.fw.verbose=1 >/dev/null
|
---|
| 48 |
|
---|
| 49 | setup_loopback () {
|
---|
| 50 | log="log logamount 500" # The default of 100 is too low.
|
---|
| 51 | ############
|
---|
| 52 | # Only in rare cases do you want to change these rules
|
---|
| 53 | #
|
---|
| 54 | ${fwcmd} add 100 pass all from any to any via lo0
|
---|
| 55 | ${fwcmd} add 200 deny ${log} all from any to 127.0.0.0/8
|
---|
| 56 | #${fwcmd} add 300 deny ${log} ip from 127.0.0.0/8 to any
|
---|
| 57 |
|
---|
| 58 | ${fw6cmd} add 100 pass ip6 from any to any via lo0
|
---|
| 59 | ${fw6cmd} add 200 deny ${log} ip6 from any to ::1
|
---|
| 60 | ${fw6cmd} add 300 deny ${log} ip6 from ::1 to any
|
---|
| 61 | #
|
---|
| 62 | # ND
|
---|
| 63 | #
|
---|
| 64 | # DAD
|
---|
| 65 | ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
|
---|
| 66 | # RS, RA, NS, NA, redirect...
|
---|
| 67 | ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
|
---|
| 68 | ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
|
---|
| 69 | }
|
---|
| 70 |
|
---|
| 71 | if [ -n "${1}" ]; then
|
---|
| 72 | firewall_type="${1}"
|
---|
| 73 | fi
|
---|
| 74 |
|
---|
| 75 | ############
|
---|
| 76 | # Set quiet mode if requested
|
---|
| 77 | #
|
---|
| 78 | case ${firewall_quiet} in
|
---|
| 79 | [Yy][Ee][Ss])
|
---|
| 80 | fwcmd="/sbin/ipfw -q"
|
---|
| 81 | ;;
|
---|
| 82 | *)
|
---|
| 83 | fwcmd="/sbin/ipfw"
|
---|
| 84 | ;;
|
---|
| 85 | esac
|
---|
| 86 | case ${ipv6_firewall_quiet} in
|
---|
| 87 | [Yy][Ee][Ss])
|
---|
| 88 | fw6cmd="/sbin/ipfw -q"
|
---|
| 89 | ;;
|
---|
| 90 | *)
|
---|
| 91 | fw6cmd="/sbin/ipfw"
|
---|
| 92 | ;;
|
---|
| 93 | esac
|
---|
| 94 |
|
---|
| 95 | ############
|
---|
| 96 | # Flush out the list before we begin.
|
---|
| 97 | ${fwcmd} -f flush
|
---|
| 98 |
|
---|
| 99 | setup_loopback
|
---|
| 100 |
|
---|
| 101 | ############
|
---|
| 102 | # If you just configured ipfw in the kernel as a tool to solve network
|
---|
| 103 | # problems or you just want to disallow some particular kinds of traffic
|
---|
| 104 | # then you will want to change the default policy to open. You can also
|
---|
| 105 | # do this as your only action by setting the firewall_type to ``open''.
|
---|
| 106 | #
|
---|
| 107 | # ${fwcmd} add 65000 pass all from any to any
|
---|
| 108 |
|
---|
| 109 |
|
---|
| 110 |
|
---|
| 111 | ############
|
---|
| 112 | # This is a prototype setup based after simple firewall.
|
---|
| 113 | #
|
---|
| 114 | # Configuration:
|
---|
| 115 | # firewall_oif: Outside network interface.
|
---|
| 116 | ############
|
---|
| 117 |
|
---|
| 118 | # set these to your outside interface network
|
---|
| 119 | oif="$firewall_oif"
|
---|
| 120 |
|
---|
| 121 | # Allow jail to reach outside world
|
---|
| 122 | ${fwcmd} add nat 1 ip from 10.0.0.0/24 to any out via ${oif}
|
---|
| 123 | ${fwcmd} add nat 1 ip from any to 78.46.85.230 in via ${oif}
|
---|
| 124 | ${fwcmd} nat 1 config if ${oif}
|
---|
| 125 |
|
---|
| 126 | # Stop RFC1918 nets on the outside interface
|
---|
| 127 | ${fwcmd} add deny ${log} all from any to 10.0.0.0/8 via ${oif}
|
---|
| 128 | ${fwcmd} add deny ${log} all from any to 172.16.0.0/12 via ${oif}
|
---|
| 129 | ${fwcmd} add deny ${log} all from any to 192.168.0.0/16 via ${oif}
|
---|
| 130 |
|
---|
| 131 | # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
|
---|
| 132 | # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
|
---|
| 133 | # on the outside interface
|
---|
| 134 | ${fwcmd} add deny ${log} all from any to 0.0.0.0/8 via ${oif}
|
---|
| 135 | ${fwcmd} add deny ${log} all from any to 169.254.0.0/16 via ${oif}
|
---|
| 136 | ${fwcmd} add deny ${log} all from any to 192.0.2.0/24 via ${oif}
|
---|
| 137 | ${fwcmd} add deny ${log} all from any to 224.0.0.0/4 via ${oif}
|
---|
| 138 | ${fwcmd} add deny ${log} all from any to 240.0.0.0/4 via ${oif}
|
---|
| 139 |
|
---|
| 140 | # Stop RFC1918 nets on the outside interface
|
---|
| 141 | ${fwcmd} add deny ${log} all from 10.0.0.0/8 to any via ${oif}
|
---|
| 142 | ${fwcmd} add deny ${log} all from 172.16.0.0/12 to any via ${oif}
|
---|
| 143 | ${fwcmd} add deny ${log} all from 192.168.0.0/16 to any via ${oif}
|
---|
| 144 |
|
---|
| 145 | # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
|
---|
| 146 | # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
|
---|
| 147 | # on the outside interface
|
---|
| 148 | ${fwcmd} add deny ${log} all from 0.0.0.0/8 to any via ${oif}
|
---|
| 149 | ${fwcmd} add deny ${log} all from 169.254.0.0/16 to any via ${oif}
|
---|
| 150 | ${fwcmd} add deny ${log} all from 192.0.2.0/24 to any via ${oif}
|
---|
| 151 | ${fwcmd} add deny ${log} all from 224.0.0.0/4 to any via ${oif}
|
---|
| 152 | ${fwcmd} add deny ${log} all from 240.0.0.0/4 to any via ${oif}
|
---|
| 153 |
|
---|
| 154 | # Stop unique local unicast address on the outside interface
|
---|
| 155 | ${fw6cmd} add deny ${log} ip6 from fc00::/7 to any via ${oif}
|
---|
| 156 | ${fw6cmd} add deny ${log} ip6 from any to fc00::/7 via ${oif}
|
---|
| 157 |
|
---|
| 158 | # Stop site-local on the outside interface
|
---|
| 159 | ${fw6cmd} add deny ${log} ip6 from fec0::/10 to any via ${oif}
|
---|
| 160 | ${fw6cmd} add deny ${log} ip6 from any to fec0::/10 via ${oif}
|
---|
| 161 |
|
---|
| 162 | # Disallow "internal" addresses to appear on the wire.
|
---|
| 163 | ${fw6cmd} add deny ${log} ip6 from ::ffff:0.0.0.0/96 to any via ${oif}
|
---|
| 164 | ${fw6cmd} add deny ${log} ip6 from any to ::ffff:0.0.0.0/96 via ${oif}
|
---|
| 165 |
|
---|
| 166 | # Disallow packets to malicious IPv4 compatible prefix.
|
---|
| 167 | ${fw6cmd} add deny ${log} ip6 from ::224.0.0.0/100 to any via ${oif}
|
---|
| 168 | ${fw6cmd} add deny ${log} ip6 from any to ::224.0.0.0/100 via ${oif}
|
---|
| 169 | ${fw6cmd} add deny ${log} ip6 from ::127.0.0.0/104 to any via ${oif}
|
---|
| 170 | ${fw6cmd} add deny ${log} ip6 from any to ::127.0.0.0/104 via ${oif}
|
---|
| 171 | ${fw6cmd} add deny ${log} ip6 from ::0.0.0.0/104 to any via ${oif}
|
---|
| 172 | ${fw6cmd} add deny ${log} ip6 from any to ::0.0.0.0/104 via ${oif}
|
---|
| 173 | ${fw6cmd} add deny ${log} ip6 from ::255.0.0.0/104 to any via ${oif}
|
---|
| 174 | ${fw6cmd} add deny ${log} ip6 from any to ::255.0.0.0/104 via ${oif}
|
---|
| 175 |
|
---|
| 176 | ${fw6cmd} add deny ${log} ip6 from ::0.0.0.0/96 to any via ${oif}
|
---|
| 177 | ${fw6cmd} add deny ${log} ip6 from any to ::0.0.0.0/96 via ${oif}
|
---|
| 178 |
|
---|
| 179 | # Disallow packets to malicious 6to4 prefix.
|
---|
| 180 | ${fw6cmd} add deny ${log} ip6 from 2002:e000::/20 to any via ${oif}
|
---|
| 181 | ${fw6cmd} add deny ${log} ip6 from any to 2002:e000::/20 via ${oif}
|
---|
| 182 | ${fw6cmd} add deny ${log} ip6 from 2002:7f00::/24 to any via ${oif}
|
---|
| 183 | ${fw6cmd} add deny ${log} ip6 from any to 2002:7f00::/24 via ${oif}
|
---|
| 184 | ${fw6cmd} add deny ${log} ip6 from 2002:0000::/24 to any via ${oif}
|
---|
| 185 | ${fw6cmd} add deny ${log} ip6 from any to 2002:0000::/24 via ${oif}
|
---|
| 186 | ${fw6cmd} add deny ${log} ip6 from 2002:ff00::/24 to any via ${oif}
|
---|
| 187 | ${fw6cmd} add deny ${log} ip6 from any to 2002:ff00::/24 via ${oif}
|
---|
| 188 |
|
---|
| 189 | ${fw6cmd} add deny ${log} ip6 from 2002:0a00::/24 to any via ${oif}
|
---|
| 190 | ${fw6cmd} add deny ${log} ip6 from any to 2002:0a00::/24 via ${oif}
|
---|
| 191 | ${fw6cmd} add deny ${log} ip6 from 2002:ac10::/28 to any via ${oif}
|
---|
| 192 | ${fw6cmd} add deny ${log} ip6 from any to 2002:ac10::/28 via ${oif}
|
---|
| 193 | ${fw6cmd} add deny ${log} ip6 from 2002:c0a8::/32 to any via ${oif}
|
---|
| 194 | ${fw6cmd} add deny ${log} ip6 from any to 2002:c0a8::/32 via ${oif}
|
---|
| 195 |
|
---|
| 196 | ${fw6cmd} add deny ${log} ip6 from ff05::/16 to any via ${oif}
|
---|
| 197 | ${fw6cmd} add deny ${log} ip6 from any to ff05::/16 via ${oif}
|
---|
| 198 |
|
---|
| 199 | # Allow TCP through if setup succeeded
|
---|
| 200 | ${fw6cmd} add pass ip6 from any to any established proto tcp
|
---|
| 201 | ${fwcmd} add pass tcp from any to any established
|
---|
| 202 |
|
---|
| 203 | # Allow any link-local multicast traffic
|
---|
| 204 | ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16
|
---|
| 205 |
|
---|
| 206 | # Deployment to production system, thus limited exposure
|
---|
| 207 | # ${fwcmd} add pass tcp from 213.125.247.82 to 144.76.7.58 25,80,443
|
---|
| 208 | # ${fwcmd} add deny ${log} tcp from any to 144.76.7.58 25,80,443
|
---|
| 209 | # ${fw6cmd} add pass tcp from 2001:1af8:febe:0:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
|
---|
| 210 | # ${fw6cmd} add pass tcp from 2001:980:488a:1:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
|
---|
| 211 | # ${fw6cmd} add deny ${log} tcp from any to 2a01:4f8:190:8221::4:1 25,80,443
|
---|
| 212 |
|
---|
| 213 | # HACK!
|
---|
| 214 | ${fw6cmd} add pass ip6 from any to any
|
---|
| 215 |
|
---|
| 216 | # Allow IP fragments to pass through
|
---|
| 217 | ${fwcmd} add pass all from any to any frag
|
---|
| 218 | ${fw6cmd} add pass ip6 from any to any frag
|
---|
| 219 |
|
---|
| 220 | # Allow ICMP queries to arrive
|
---|
| 221 | ${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11
|
---|
| 222 | ${fw6cmd} add pass ip6 from any to any icmp6types 1,2,3,4,128 proto ipv6-icmp
|
---|
| 223 |
|
---|
| 224 | # Allow NS/ACK/NA/toobig (don't filter it out)
|
---|
| 225 | ${fw6cmd} add pass ip6 from any to me icmp6types 2,129,135,136 proto ipv6-icmp
|
---|
| 226 | ${fw6cmd} add pass ip6 from me to any proto ipv6-icmp
|
---|
| 227 |
|
---|
| 228 |
|
---|
| 229 | # Allow setup of incoming email
|
---|
| 230 | ${fwcmd} add pass tcp from any to me 25 setup
|
---|
| 231 | ${fw6cmd} add pass ip6 from any to me 25 setup proto tcp
|
---|
| 232 |
|
---|
| 233 | # Allow setup of incoming email (smtps)
|
---|
| 234 | ${fwcmd} add pass tcp from any to me 465 setup
|
---|
| 235 | ${fw6cmd} add pass ip6 from any to me 465 setup proto tcp
|
---|
| 236 |
|
---|
| 237 | # Allow setup of incoming email (submission)
|
---|
| 238 | ${fwcmd} add pass tcp from any to me 587 setup
|
---|
| 239 | ${fw6cmd} add pass ip6 from any to me 587 setup proto tcp
|
---|
| 240 |
|
---|
| 241 | # Allow access to our FTP
|
---|
| 242 | ${fwcmd} add pass tcp from any to me 21 setup
|
---|
| 243 | ${fw6cmd} add pass ip6 from any to me 21 setup proto tcp
|
---|
| 244 |
|
---|
| 245 | # Allow access to our DNS
|
---|
| 246 | ${fwcmd} add pass tcp from any to me 53 setup
|
---|
| 247 | ${fw6cmd} add pass ip6 from any to me 53 setup proto tcp
|
---|
| 248 |
|
---|
| 249 | # Allow access to our Syslog
|
---|
| 250 | ${fwcmd} add pass udp from any to me 514
|
---|
| 251 | ${fwcmd} add pass udp from me 514 to any
|
---|
| 252 |
|
---|
| 253 | # Allow access to our DNS (ivp6)
|
---|
| 254 | ${fwcmd} add pass udp from any to me 53
|
---|
| 255 | ${fwcmd} add pass udp from me 53 to any
|
---|
| 256 | ${fw6cmd} add pass ip6 from any to me 53 proto udp
|
---|
| 257 | ${fw6cmd} add pass ip6 from me 53 to any proto udp
|
---|
| 258 |
|
---|
| 259 | # Allow access to our NTP
|
---|
| 260 | ${fwcmd} add pass udp from any to me 123
|
---|
| 261 | ${fwcmd} add pass udp from me 123 to any
|
---|
| 262 | ${fw6cmd} add pass ip6 from any to me 123 proto udp
|
---|
| 263 | ${fw6cmd} add pass ip6 from me 123 to any proto udp
|
---|
| 264 |
|
---|
| 265 | # Allow access to our WWW
|
---|
| 266 | ${fwcmd} add pass tcp from any to me 80 setup
|
---|
| 267 | ${fw6cmd} add pass ip6 from any to me 80 setup proto tcp
|
---|
| 268 | ${fwcmd} add pass tcp from any to me 443 setup
|
---|
| 269 | ${fw6cmd} add pass ip6 from any to me 443 setup proto tcp
|
---|
| 270 |
|
---|
| 271 | # Allow access to our SNMP
|
---|
| 272 | ${fwcmd} add pass udp from any to me 161
|
---|
| 273 | ${fwcmd} add pass udp from me 161 to any
|
---|
| 274 | ${fw6cmd} add pass ip6 from any to me 161 proto udp
|
---|
| 275 | ${fw6cmd} add pass ip6 from me 161 to any proto udp
|
---|
| 276 |
|
---|
| 277 | # Allow access to our SSH (sshguard operating in 55000 - 55050)
|
---|
| 278 | ${fwcmd} add 56000 pass tcp from any to me 22 setup
|
---|
| 279 | ${fw6cmd} add 56001 pass ip6 from any to me 22 setup proto tcp
|
---|
| 280 | ${fwcmd} add 56002 pass tcp from any to me 1022 setup
|
---|
| 281 | ${fw6cmd} add 56003 pass ip6 from any to me 1022 setup proto tcp
|
---|
| 282 |
|
---|
| 283 | # Allow access to our IMAP
|
---|
| 284 | ${fwcmd} add pass tcp from any to me 143 setup
|
---|
| 285 | ${fw6cmd} add pass ip6 from any to me 143 setup proto tcp
|
---|
| 286 |
|
---|
| 287 | # Allow access to our IMAPS
|
---|
| 288 | ${fwcmd} add pass tcp from any to me 993 setup
|
---|
| 289 | ${fw6cmd} add pass ip6 from any to me 993 setup proto tcp
|
---|
| 290 |
|
---|
| 291 | # Allow access to our IPERF
|
---|
| 292 | ${fwcmd} add pass tcp from any to me 5001 setup
|
---|
| 293 | ${fw6cmd} add pass ip6 from any to me 5001 setup proto tcp
|
---|
| 294 |
|
---|
| 295 | # Allow access to our DARKSTAT
|
---|
| 296 | ${fwcmd} add pass tcp from ${trusted_net} to me 667 setup
|
---|
| 297 | ${fw6cmd} add pass ip6 from ${trusted_net} to me 667 setup proto tcp
|
---|
| 298 |
|
---|
| 299 | # Reject&Log all setup of incoming connections from the outside
|
---|
| 300 | ${fwcmd} add deny ${log} tcp from any to any in via ${oif} setup
|
---|
| 301 |
|
---|
| 302 | # Allow setup of outgoing connections only
|
---|
| 303 | ${fwcmd} add pass tcp from me to any setup
|
---|
| 304 | ${fw6cmd} add pass ip6 from me to any setup proto tcp
|
---|
| 305 |
|
---|
| 306 | # Allow DNS queries out in the world
|
---|
| 307 | ${fwcmd} add pass udp from me to any 53 keep-state
|
---|
| 308 | ${fw6cmd} add pass ip6 from me to any 53 proto udp
|
---|
| 309 |
|
---|
| 310 | # Allow NTP queries out in the world
|
---|
| 311 | ${fwcmd} add pass udp from me to any 123 keep-state
|
---|
| 312 | ${fw6cmd} add pass ip6 from any 123 to me proto udp
|
---|
| 313 | ${fw6cmd} add pass ip6 from me to any 123 proto udp
|
---|
| 314 |
|
---|
| 315 | # Everything else is denied by default, unless the
|
---|
| 316 | # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
|
---|
| 317 | # config file.
|
---|
| 318 | ${fwcmd} add deny ${log} ip from any to any
|
---|
| 319 | ${fwcmd} add deny ${log} ip6 from any to any
|
---|