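#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.52.2.3.4.1 2009/04/15 03:14:26 kensmith Exp $
#
#
# Setup system for ipfw(4) firewall service.
#
# Local variant of the stock rc.firewall: the firewall_type selection of the
# original has been replaced by one fixed rule set (loopback/ND rules,
# anti-spoofing on the outside interface, jail NAT, a per-service allow
# list, explicit default deny for both address families).
#
# Inputs read from rc.conf: firewall_quiet, ipv6_firewall_quiet,
# firewall_oif. Must run as root with ipfw(4) available.

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

# The single management host that may reach the darkstat port (see the
# DARKSTAT rules). Despite the name this is one IPv4 address, not a prefix.
trusted_net="84.106.113.143"

# Deny and (if wanted) log the rest unconditionally.
# Options appended to every logging deny rule: "logamount" caps the number
# of log lines a rule may emit until "ipfw resetlog" (the kernel default of
# 100 is too low for an Internet-facing host).
log="log logamount 500"

# Without verbose=1 the "log" keyword produces nothing. stdout is silenced,
# a failure (ipfw not loaded yet) still shows on stderr.
sysctl net.inet.ip.fw.verbose=1 >/dev/null

# Loopback and IPv6 neighbour-discovery rules.
# Rules 100-300 are numbered so they always sort first; the ND rules take
# the next free numbers. Reads ${fwcmd}, ${fw6cmd} and ${log} from the
# caller's scope, so it must be called after those are set.
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny ${log} all from any to 127.0.0.0/8
	# NOTE(review): the IPv4 twin of IPv6 rule 300 below is disabled and no
	# later rule in this file covers a 127/8 source on the outside
	# interface, so only the kernel's own loopback-source check stops such
	# packets. Re-enable it unless something is known to depend on this.
	#${fwcmd} add 300 deny ${log} ip from 127.0.0.0/8 to any
	${fw6cmd} add 100 pass ip6 from any to any via lo0
	${fw6cmd} add 200 deny ${log} ip6 from any to ::1
	${fw6cmd} add 300 deny ${log} ip6 from ::1 to any

	#
	# ND
	#
	# DAD
	${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp

	# RS, RA, NS, NA, redirect...
	${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
	${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
}

# Optional first argument overrides the firewall type, as in the stock
# script. NOTE(review): nothing in this file reads firewall_type any more
# (the type-specific case statement of the original is gone), so the
# argument has no effect; it is kept only so callers that pass it still work.
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
# ${fwcmd}/${fw6cmd} are used unquoted everywhere so that "-q" stays a
# separate argument.
case "${firewall_quiet}" in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

case "${ipv6_firewall_quiet}" in
[Yy][Ee][Ss])
	fw6cmd="/sbin/ipfw -q"
	;;
*)
	fw6cmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
# Everything goes, including rules added at run time by sshguard (it works
# in 55000-55050, see the SSH rules), so active bans are lost on a reload
# unless sshguard re-inserts them. Until the final deny rules are installed
# the host runs on the kernel's default rule 65535 (deny, unless the kernel
# was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
${fwcmd} -f flush

setup_loopback

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# This is a prototype setup based after simple firewall.
#
# Configuration:
#	firewall_oif:		Outside network interface.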
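############
# set these to your outside interface network
oif="${firewall_oif}"
if [ -z "${oif}" ]; then
	# Every "via" rule below needs the interface name; without it each of
	# them fails with an ipfw syntax error and the anti-spoofing and NAT
	# rules are simply absent from the loaded set. Warn, but keep going so
	# that the interface-independent rules (and the final deny) still load.
	echo "rc.firewall: firewall_oif is not set; anti-spoofing and NAT rules will not be loaded" >&2
fi

############
# Jail NAT: 10.0.0.0/24 is masqueraded behind the address of ${oif}.
# The instance is configured before any rule refers to it. "ipfw -f flush"
# does not remove nat instances, so this merely re-applies the
# configuration on every run.
${fwcmd} nat 1 config if "${oif}"

# Stop RFC1918 nets on the outside interface (destination side).
# Kept ahead of the nat rules, as the stock rc.firewall does, so that a
# packet leaving for a private or reserved destination is dropped instead of
# being translated and sent out.
${fwcmd} add deny ${log} all from any to 10.0.0.0/8 via "${oif}"
${fwcmd} add deny ${log} all from any to 172.16.0.0/12 via "${oif}"
${fwcmd} add deny ${log} all from any to 192.168.0.0/16 via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny ${log} all from any to 0.0.0.0/8 via "${oif}"
${fwcmd} add deny ${log} all from any to 169.254.0.0/16 via "${oif}"
${fwcmd} add deny ${log} all from any to 192.0.2.0/24 via "${oif}"
${fwcmd} add deny ${log} all from any to 224.0.0.0/4 via "${oif}"
${fwcmd} add deny ${log} all from any to 240.0.0.0/4 via "${oif}"

# Allow jail to reach outside world.
# 78.46.85.230 has to be the address carried by ${oif} (the instance above
# aliases to that interface's address); if they ever differ, replies to the
# jail silently stop matching the inbound rule.
#
# NOTE(review): with net.inet.ip.fw.one_pass=1 -- the kernel default, and
# nothing in this file changes it -- a packet that matches a nat rule is
# accepted right there instead of continuing to the next rule (see the NAT
# section of ipfw(8)). As far as I can tell, libalias in its default
# (non-deny_in) mode also passes unknown inbound flows to the alias address
# through untranslated rather than dropping them. If both hold, the
# "in via" rule below accepts *every* inbound IPv4 packet addressed to the
# public address, and the source-side anti-spoofing rules, the per-service
# allow list, sshguard's bans and the final deny are never consulted for
# that traffic. Check "sysctl net.inet.ip.fw.one_pass" and probe a port that
# is not in the allow list from outside; it should be filtered, not merely
# closed. A proper fix (one_pass=0 plus rules written for the translated
# addresses, since jail replies then carry a 10.0.0.0/24 destination) needs
# testing against the jail before it goes live, so it is not made here.
${fwcmd} add nat 1 ip from 10.0.0.0/24 to any out via "${oif}"
${fwcmd} add nat 1 ip from any to 78.46.85.230 in via "${oif}"

# Stop RFC1918 nets on the outside interface (source side)
${fwcmd} add deny ${log} all from 10.0.0.0/8 to any via "${oif}"
${fwcmd} add deny ${log} all from 172.16.0.0/12 to any via "${oif}"
${fwcmd} add deny ${log} all from 192.168.0.0/16 to any via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny ${log} all from 0.0.0.0/8 to any via "${oif}"
${fwcmd} add deny ${log} all from 169.254.0.0/16 to any via "${oif}"
${fwcmd} add deny ${log} all from 192.0.2.0/24 to any via "${oif}"
${fwcmd} add deny ${log} all from 224.0.0.0/4 to any via "${oif}"
${fwcmd} add deny ${log} all from 240.0.0.0/4 to any via "${oif}"

# Stop unique local unicast address on the outside interface
${fw6cmd} add deny ${log} ip6 from fc00::/7 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to fc00::/7 via "${oif}"

# Stop site-local on the outside interface
${fw6cmd} add deny ${log} ip6 from fec0::/10 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to fec0::/10 via "${oif}"

# Disallow "internal" addresses to appear on the wire.
${fw6cmd} add deny ${log} ip6 from ::ffff:0.0.0.0/96 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::ffff:0.0.0.0/96 via "${oif}"

# Disallow packets to malicious IPv4 compatible prefix.
${fw6cmd} add deny ${log} ip6 from ::224.0.0.0/100 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::224.0.0.0/100 via "${oif}"
${fw6cmd} add deny ${log} ip6 from ::127.0.0.0/104 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::127.0.0.0/104 via "${oif}"
${fw6cmd} add deny ${log} ip6 from ::0.0.0.0/104 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::0.0.0.0/104 via "${oif}"
${fw6cmd} add deny ${log} ip6 from ::255.0.0.0/104 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::255.0.0.0/104 via "${oif}"

${fw6cmd} add deny ${log} ip6 from ::0.0.0.0/96 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ::0.0.0.0/96 via "${oif}"

# Disallow packets to malicious 6to4 prefix.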
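${fw6cmd} add deny ${log} ip6 from 2002:e000::/20 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:e000::/20 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:7f00::/24 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:7f00::/24 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:0000::/24 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:0000::/24 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:ff00::/24 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:ff00::/24 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:0a00::/24 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:0a00::/24 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:ac10::/28 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:ac10::/28 via "${oif}"
${fw6cmd} add deny ${log} ip6 from 2002:c0a8::/32 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to 2002:c0a8::/32 via "${oif}"

# Site-local scope multicast has no business crossing the outside interface.
${fw6cmd} add deny ${log} ip6 from ff05::/16 to any via "${oif}"
${fw6cmd} add deny ${log} ip6 from any to ff05::/16 via "${oif}"

# Allow TCP through if setup succeeded.
# NOTE(review): this is the stateless pattern: every TCP segment with ACK or
# RST set is accepted, from anywhere, to any port -- not only replies to
# connections this host opened. It tells outsiders that the filter is
# stateless (ACK probes are answered) and it does not protect a listener
# from anything that skips the SYN. The stateful alternative (check-state
# plus keep-state on the "setup" rules) changes the design, so it is only
# flagged here.
${fw6cmd} add pass ip6 from any to any established proto tcp
${fwcmd} add pass tcp from any to any established

# Allow any link-local multicast traffic
${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16

# Deployment to production system, thus limited exposure
# ${fwcmd} add pass tcp from 213.125.247.82 to 144.76.7.58 25,80,443
# ${fwcmd} add deny ${log} tcp from any to 144.76.7.58 25,80,443
# ${fw6cmd} add pass tcp from 2001:1af8:febe:0:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
# ${fw6cmd} add pass tcp from 2001:980:488a:1:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
# ${fw6cmd} add deny ${log} tcp from any to 2a01:4f8:190:8221::4:1 25,80,443

# NOTE(review): the "HACK!" rule below accepts every IPv6 packet that got
# past the bogon checks above, which makes every IPv6 rule after it
# unreachable: the per-service allow list, sshguard's bans (55000-55050)
# and the final deny do nothing for IPv6 while it is in place. It is kept,
# behind a switch that defaults to the old behaviour, because removing it
# untested could cut IPv6 service and management traffic. Once the IPv6
# rules below have been verified (the outbound UDP rules now keep state, so
# DNS and NTP replies over IPv6 no longer need this), set
# firewall_ipv6_passall=NO in rc.conf.
case "${firewall_ipv6_passall:-YES}" in
[Yy][Ee][Ss])
	echo "rc.firewall: WARNING: IPv6 pass-all rule is active, IPv6 is not filtered (set firewall_ipv6_passall=NO)" >&2
	${fw6cmd} add pass ip6 from any to any
	;;
esac

# Allow IP fragments to pass through.
# "frag" matches non-first fragments only; they carry no port numbers, so
# the service rules below could never match them and they would otherwise
# be dropped. The first fragment of a datagram still has to pass the normal
# rules.
${fwcmd} add pass all from any to any frag
${fw6cmd} add pass ip6 from any to any frag

# Allow ICMP queries to arrive: echo reply/request, unreachable, source
# quench and time exceeded for IPv4; the ICMPv6 error types and echo
# request. Redirects (ICMP 5, ICMPv6 137) are not in either list, which is
# what an Internet-facing host wants.
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11
${fw6cmd} add pass ip6 from any to any icmp6types 1,2,3,4,128 proto ipv6-icmp

# Allow NS/ACK/NA/toobig (don't filter it out)
${fw6cmd} add pass ip6 from any to me icmp6types 2,129,135,136 proto ipv6-icmp
${fw6cmd} add pass ip6 from me to any proto ipv6-icmp

# Allow setup of incoming email
${fwcmd} add pass tcp from any to me 25 setup
${fw6cmd} add pass ip6 from any to me 25 setup proto tcp

# Allow setup of incoming email (smtps)
${fwcmd} add pass tcp from any to me 465 setup
${fw6cmd} add pass ip6 from any to me 465 setup proto tcp

# Allow setup of incoming email (submission)
${fwcmd} add pass tcp from any to me 587 setup
${fw6cmd} add pass ip6 from any to me 587 setup proto tcp

# Allow access to our FTP (control connection only).
# Passive-mode data connections land on random high ports that no rule
# here opens, so clients are limited to active mode unless the FTP daemon
# is pinned to a passive port range that is opened explicitly.
${fwcmd} add pass tcp from any to me 21 setup
${fw6cmd} add pass ip6 from any to me 21 setup proto tcp

# Allow access to our DNS over TCP (zone transfers, large answers).
# Open to the world, as befits an authoritative server; make sure the
# daemon does not also offer recursion to the world.
${fwcmd} add pass tcp from any to me 53 setup
${fw6cmd} add pass ip6 from any to me 53 setup proto tcp

# Allow access to our Syslog
# NOTE(review): UDP syslog is unauthenticated and trivially spoofed, and
# this accepts it from the whole Internet: anyone can fill the log volume
# or plant misleading entries. Restrict the source to the hosts that really
# ship logs here (or drop the rule if none do).
${fwcmd} add pass udp from any to me 514
${fwcmd} add pass udp from me 514 to any

# Allow access to our DNS over UDP (IPv4 and IPv6)
${fwcmd} add pass udp from any to me 53
${fwcmd} add pass udp from me 53 to any
${fw6cmd} add pass ip6 from any to me 53 proto udp
${fw6cmd} add pass ip6 from me 53 to any proto udp

# Allow access to our NTP (server side; the client side is further down)
${fwcmd} add pass udp from any to me 123
${fwcmd} add pass udp from me 123 to any
${fw6cmd} add pass ip6 from any to me 123 proto udp
${fw6cmd} add pass ip6 from me 123 to any proto udp

# Allow access to our WWW
${fwcmd} add pass tcp from any to me 80 setup
${fw6cmd} add pass ip6 from any to me 80 setup proto tcp
${fwcmd} add pass tcp from any to me 443 setup
${fw6cmd} add pass ip6 from any to me 443 setup proto tcp

# Allow access to our SNMP
# NOTE(review): SNMP from anywhere. v1/v2c have nothing but the community
# string for authentication; limit the source to the monitoring host(s)
# and prefer SNMPv3.
${fwcmd} add pass udp from any to me 161
${fwcmd} add pass udp from me 161 to any
${fw6cmd} add pass ip6 from any to me 161 proto udp
${fw6cmd} add pass ip6 from me 161 to any proto udp

# Allow access to our SSH (sshguard operating in 55000 - 55050)
# These rules are numbered so that sshguard's deny rules sort ahead of
# them; every unnumbered rule above lands far below 55000 (ipfw numbers
# them in steps of 100), and unnumbered rules added after these continue
# from 56003 upwards.
# NOTE(review): sshguard's bans only bite for packets that get as far as
# rule 55000. The IPv6 pass-all rule above accepts IPv6 earlier while it is
# enabled, and for IPv4 arriving via ${oif} see the note at the nat rules.
${fwcmd} add 56000 pass tcp from any to me 22 setup
${fw6cmd} add 56001 pass ip6 from any to me 22 setup proto tcp
${fwcmd} add 56002 pass tcp from any to me 1022 setup
${fw6cmd} add 56003 pass ip6 from any to me 1022 setup proto tcp

# Allow access to our IMAP
${fwcmd} add pass tcp from any to me 143 setup
${fw6cmd} add pass ip6 from any to me 143 setup proto tcp

# Allow access to our IMAPS
${fwcmd} add pass tcp from any to me 993 setup
${fw6cmd} add pass ip6 from any to me 993 setup proto tcp

# Allow access to our IPERF
# NOTE(review): a throughput test tool on a permanent public allow list;
# enable it for the duration of a test only, or restrict the source.
${fwcmd} add pass tcp from any to me 5001 setup
${fw6cmd} add pass ip6 from any to me 5001 setup proto tcp

# Allow access to our DARKSTAT (management host only)
${fwcmd} add pass tcp from "${trusted_net}" to me 667 setup
# ${trusted_net} is an IPv4 address. In an ip6 rule ipfw either rejects it
# or installs a rule that can never match an IPv6 packet, so the former
# IPv6 line opened nothing. Set trusted_net6 to the management host's IPv6
# address if darkstat should be reachable over IPv6.
if [ -n "${trusted_net6}" ]; then
	${fw6cmd} add pass ip6 from "${trusted_net6}" to me 667 setup proto tcp
fi

# Reject&Log all setup of incoming connections from the outside
# (the IPv6 rule is new; before, unlisted IPv6 connection attempts were
# only caught by the unlogged path to the final deny)
${fwcmd} add deny ${log} tcp from any to any in via "${oif}" setup
${fw6cmd} add deny ${log} ip6 from any to any in via "${oif}" setup proto tcp

# Allow setup of outgoing connections only
${fwcmd} add pass tcp from me to any setup
${fw6cmd} add pass ip6 from me to any setup proto tcp

# Allow DNS queries out in the world.
# keep-state admits the replies. The IPv6 rule had no state before, so
# IPv6 replies had no matching rule at all -- one likely reason the
# pass-all rule above was added.
${fwcmd} add pass udp from me to any 53 keep-state
${fw6cmd} add pass ip6 from me to any 53 proto udp keep-state

# Allow NTP queries out in the world.
# The former IPv6 rule "from any 123 to me" let any UDP packet with source
# port 123 reach any port on this host; the stateful rule replaces it.
${fwcmd} add pass udp from me to any 123 keep-state
${fw6cmd} add pass ip6 from me to any 123 proto udp keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file. The explicit, logged denies below make that moot. The IPv6
# one is only reached while firewall_ipv6_passall is NO.
${fwcmd} add deny ${log} ip from any to any
${fw6cmd} add deny ${log} ip6 from any to any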