#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.52.2.3.4.1 2009/04/15 03:14:26 kensmith Exp $
#

#
# Setup system for ipfw(4) firewall service.
#

# Pull in the rc.conf variables this script reads (firewall_oif,
# firewall_quiet, ipv6_firewall_quiet) unless the caller already sourced
# them, which it signals through source_rc_confs_defined.
case "${source_rc_confs_defined}" in
'')
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
	;;
esac

# Single management host that may reach the darkstat port (667) further
# down.  Despite the name this is one /32, not a network.
trusted_net=84.106.113.143

# Modifier appended to every deny rule: log the packet, but cap the number
# of log lines per rule (ipfw's default of 100 is too low for a busy host).
log='log logamount 500'
# Without verbose=1 the kernel does not emit the log entries at all.  Only
# stdout is discarded here, so a failing sysctl still shows up on stderr.
sysctl net.inet.ip.fw.verbose=1 >/dev/null

#######################################
# Loopback and IPv6 neighbour-discovery rules.
# The lo0/127.0.0.0/8/::1 rules carry explicit numbers (100-300) so they
# stay at the very top of the ruleset; the ND rules are unnumbered and are
# therefore numbered by ipfw after whatever was added before them.
# Globals:   fwcmd, fw6cmd (read); log (written, same value as top level)
#######################################
setup_loopback () {
	# Re-assigned here with the value the top level already uses; harmless
	# duplication that keeps the function usable on its own.
	log="log logamount 500" # The default of 100 is too low.

	# IPv4: everything on lo0 is fine, but 127/8 must never be a
	# destination on any other interface.
	$fwcmd add 100 pass all from any to any via lo0
	$fwcmd add 200 deny $log all from any to 127.0.0.0/8
	# The source-side counterpart is intentionally not installed.
	#$fwcmd add 300 deny $log ip from 127.0.0.0/8 to any

	# IPv6: same idea for lo0 and ::1, in both directions.
	$fw6cmd add 100 pass ip6 from any to any via lo0
	$fw6cmd add 200 deny $log ip6 from any to ::1
	$fw6cmd add 300 deny $log ip6 from ::1 to any

	# Neighbour Discovery.
	# Duplicate Address Detection probes come from the unspecified address.
	$fw6cmd add pass ip6 from :: to ff02::/16 proto ipv6-icmp
	# RS, RA, NS, NA and redirects stay within link-local scope.
	$fw6cmd add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
	$fw6cmd add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
}

# The caller may pass the firewall type as the first argument.  It is kept
# in firewall_type, but nothing in this file dispatches on it: the ruleset
# below is applied unconditionally.
case "$1" in
?*)
	firewall_type=$1
	;;
esac

############
# Honour firewall_quiet / ipv6_firewall_quiet: -q suppresses ipfw's echo of
# every rule it adds.  Both variables point at the same binary; only the
# quiet flag can differ between the IPv4 and IPv6 command.
#
fwcmd=/sbin/ipfw
fw6cmd=/sbin/ipfw
case "${firewall_quiet}" in
[Yy][Ee][Ss])
	fwcmd="$fwcmd -q"
	;;
esac
case "${ipv6_firewall_quiet}" in
[Yy][Ee][Ss])
	fw6cmd="$fw6cmd -q"
	;;
esac

############
# Start from an empty ruleset.  -f skips ipfw's confirmation prompt.  Both
# fwcmd and fw6cmd are the same /sbin/ipfw, so this one flush clears the
# IPv4 and the IPv6 rules alike.
$fwcmd -f flush

# Install the numbered loopback/ND rules first so they keep the lowest numbers.
setup_loopback

############
# Open policy, kept as documentation only.  Enabling this rule would make
# every deny below unreachable, so it stays commented out.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Prototype derived from the stock "simple" firewall type.
#
# Configuration (rc.conf):
#   firewall_oif: outside network interface.
############

# Outside interface.  Every "via $oif" rule below depends on it; if
# firewall_oif is unset all of those rules are malformed, so confirm the
# variable is set in rc.conf.
oif=${firewall_oif}

# In-kernel NAT for the jail network 10.0.0.0/24 behind the public address
# 78.46.85.230: outbound jail traffic is translated, inbound traffic for the
# public address is handed to the same nat instance.
#
# NOTE(review): these two rules sit before all filtering rules.  On ipfw
# releases that honour net.inet.ip.fw.one_pass (default 1) after a nat
# action, a translated packet is accepted right here and never reaches the
# deny and per-service rules that follow -- inbound traffic to
# 78.46.85.230 would then be effectively unfiltered.  Confirm for this
# host's release; if it applies, set one_pass=0 or move the nat rules
# behind the filtering.
$fwcmd add nat 1 ip from 10.0.0.0/24 to any out via $oif
$fwcmd add nat 1 ip from any to 78.46.85.230 in via $oif
# Bind nat instance 1 to the outside interface (alias address taken from it).
$fwcmd nat 1 config if $oif

# IPv4 ranges that must never be seen on the outside interface, in either
# direction: RFC1918 private space, followed by the draft-manning-dsua-03
# (1 May 2000) set -- RESERVED-1, DHCP auto-configuration, NET-TEST,
# multicast (class D) and class E.
rfc1918_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
dsua_nets="0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Nothing may be sent towards these ranges through $oif ...
for net in $rfc1918_nets $dsua_nets; do
	$fwcmd add deny $log all from any to $net via $oif
done

# ... and nothing claiming to come from them may cross $oif (anti-spoofing).
# Jail traffic from 10.0.0.0/24 is not hit by this because the nat rule
# above rewrites its source address first.
for net in $rfc1918_nets $dsua_nets; do
	$fwcmd add deny $log all from $net to any via $oif
done

# IPv6 prefixes that must not cross the outside interface.  Each one is
# denied in both directions, source side first:
#   fc00::/7, fec0::/10        unique local unicast, deprecated site-local
#   ::ffff:0.0.0.0/96          IPv4-mapped ("internal" addresses must not
#                              appear on the wire)
#   ::224.0.0.0/100, ::127.0.0.0/104, ::0.0.0.0/104, ::255.0.0.0/104,
#   ::0.0.0.0/96               IPv4-compatible prefixes for multicast,
#                              loopback, unspecified and broadcast space
#   2002:e000::/20, 2002:7f00::/24, 2002:0000::/24, 2002:ff00::/24
#                              6to4 prefixes built from those same ranges
#   2002:0a00::/24, 2002:ac10::/28, 2002:c0a8::/32
#                              6to4 prefixes built from RFC1918 space
#   ff05::/16                  site-local scope multicast
#
# Because of the unconditional ip6 pass further down, these denies (plus
# the loopback rules) are the only IPv6 filtering that is actually reached.
ula_site="fc00::/7 fec0::/10"
v4_mapped="::ffff:0.0.0.0/96"
v4_compat="::224.0.0.0/100 ::127.0.0.0/104 ::0.0.0.0/104 ::255.0.0.0/104 ::0.0.0.0/96"
sixto4_bad="2002:e000::/20 2002:7f00::/24 2002:0000::/24 2002:ff00::/24"
sixto4_rfc1918="2002:0a00::/24 2002:ac10::/28 2002:c0a8::/32"
site_mcast="ff05::/16"

for prefix in $ula_site $v4_mapped $v4_compat $sixto4_bad $sixto4_rfc1918 $site_mcast; do
	$fw6cmd add deny $log ip6 from $prefix to any via $oif
	$fw6cmd add deny $log ip6 from any to $prefix via $oif
done

# Packets of an already established TCP connection (ipfw "established":
# RST or ACK bit set) are accepted without further checks.  This is
# stateless -- a bare ACK packet matches too -- so the per-service rules
# below only control connection *setup*.
$fw6cmd add pass ip6 from any to any established proto tcp
$fwcmd add pass tcp from any to any established

# Link-local sources talking to link-scope multicast, any protocol.
$fw6cmd add pass ip6 from fe80::/10 to ff02::/16

# Production restriction kept for reference (disabled): limit mail/web on
# the production addresses to one management host.
# ${fwcmd} add pass tcp from 213.125.247.82 to 144.76.7.58 25,80,443
# ${fwcmd} add deny ${log} tcp from any to 144.76.7.58 25,80,443
# ${fw6cmd} add pass tcp from 2001:1af8:febe:0:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
# ${fw6cmd} add pass tcp from 2001:980:488a:1:b6b6:76ff:fe4f:1cd5 to 2a01:4f8:190:8221::4:1 25,80,443
# ${fw6cmd} add deny ${log} tcp from any to 2a01:4f8:190:8221::4:1 25,80,443

# HACK!  Unconditional IPv6 accept.
# NOTE(review): this matches every remaining ip6 packet, so none of the
# fw6cmd rules after it -- the per-service allows, the setup rules and the
# final ip6 deny -- is ever evaluated.  Apart from the ip6 denies above,
# this host is unfiltered on IPv6.  It presumably papers over allows that
# are missing below (e.g. UDP replies); those should be added before this
# line is removed.
$fw6cmd add pass ip6 from any to any

# Non-first fragments carry no port information; let them through.
$fwcmd add pass all from any to any frag
$fw6cmd add pass ip6 from any to any frag

# ICMP.  IPv4: echo reply, destination unreachable, source quench, echo
# request, time exceeded.  IPv6: destination unreachable, packet too big,
# time exceeded, parameter problem, echo request.
$fwcmd add pass icmp from any to any icmptype 0,3,4,8,11
$fw6cmd add pass ip6 from any to any icmp6types 1,2,3,4,128 proto ipv6-icmp

# Packet too big, echo reply, NS and NA addressed to this host, and every
# ICMPv6 message this host sends.  (Shadowed by the ip6 pass-all above.)
$fw6cmd add pass ip6 from any to me icmp6types 2,129,135,136 proto ipv6-icmp
$fw6cmd add pass ip6 from me to any proto ipv6-icmp

# Per-service helpers.  allow_tcp_in opens one TCP port for inbound
# connection setup on IPv4 and IPv6; allow_udp4/allow_udp6 open one UDP
# port in both directions.  The calls below keep the services in their
# original order so the auto-assigned rule numbers do not move.
allow_tcp_in() {
	$fwcmd add pass tcp from any to me $1 setup
	$fw6cmd add pass ip6 from any to me $1 setup proto tcp
}
allow_udp4() {
	$fwcmd add pass udp from any to me $1
	$fwcmd add pass udp from me $1 to any
}
allow_udp6() {
	$fw6cmd add pass ip6 from any to me $1 proto udp
	$fw6cmd add pass ip6 from me $1 to any proto udp
}

# Incoming mail: SMTP, SMTPS, submission.
allow_tcp_in 25
allow_tcp_in 465
allow_tcp_in 587

# FTP control channel (no separate rule for data connections).
allow_tcp_in 21

# DNS over TCP.
allow_tcp_in 53

# Syslog, IPv4 only.  NOTE(review): UDP 514 is accepted from any source,
# so any host on the internet can inject log lines; restrict the source if
# only known senders are expected.
allow_udp4 514

# DNS over UDP, IPv4 and IPv6.
allow_udp4 53
allow_udp6 53

# NTP server.
allow_udp4 123
allow_udp6 123

# HTTP and HTTPS.
allow_tcp_in 80
allow_tcp_in 443

# SNMP.  NOTE(review): UDP 161 from any source, like syslog -- consider
# limiting this to the monitoring hosts.
allow_udp4 161
allow_udp6 161

# SSH on 22 and 1022.  These carry explicit numbers 56000-56003 so that
# sshguard's dynamic deny rules, which operate in 55000-55050, are
# evaluated first.
$fwcmd add 56000 pass tcp from any to me 22 setup
$fw6cmd add 56001 pass ip6 from any to me 22 setup proto tcp
$fwcmd add 56002 pass tcp from any to me 1022 setup
$fw6cmd add 56003 pass ip6 from any to me 1022 setup proto tcp

# IMAP and IMAPS.
allow_tcp_in 143
allow_tcp_in 993

# iperf, reachable from anywhere.
allow_tcp_in 5001

# darkstat, management host only.  NOTE(review): trusted_net holds an IPv4
# address, so the ip6 rule can never match an IPv6 packet (ipfw may even
# reject it); an IPv6 management address is needed for darkstat to be
# reachable over IPv6.
$fwcmd add pass tcp from $trusted_net to me 667 setup
$fw6cmd add pass ip6 from $trusted_net to me 667 setup proto tcp

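# Any other attempt to open a TCP connection from the outside is logged and
# dropped.  IPv4 only; an IPv6 counterpart would be dead anyway because of
# the unconditional ip6 pass above.
${fwcmd} add deny ${log} tcp from any to any in via ${oif} setup

# Connections initiated by this host may go out.
${fwcmd} add pass tcp from me to any setup
${fw6cmd} add pass ip6 from me to any setup proto tcp

# Outbound DNS and NTP queries.  The IPv4 rules are stateful: keep-state
# records the query so the reply is let back in.  There is no explicit
# check-state rule in this file; ipfw(8) then consults the dynamic ruleset
# at the first keep-state rule it reaches, presumably the DNS rule below,
# which is what lets both DNS and NTP replies through.  An explicit
# "check-state" near the top of the ruleset would make that intent visible.
${fwcmd} add pass udp from me to any 53 keep-state
${fw6cmd} add pass ip6 from me to any 53 proto udp

${fwcmd} add pass udp from me to any 123 keep-state
# NOTE(review): the next rule keys on the remote *source* port only, so any
# UDP datagram sent from port 123 reaches every UDP port on this host.  A
# stateful rule like the IPv4 one, or at least "to me 123", would be
# tighter.  Currently unreachable because of the ip6 pass-all above.
${fw6cmd} add pass ip6 from any 123 to me proto udp
${fw6cmd} add pass ip6 from me to any 123 proto udp

# Explicit default deny for both families, so the policy does not depend on
# whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.  The ip6
# rule goes through fw6cmd like every other ip6 rule in this file, so it
# honours ipv6_firewall_quiet.  (It is shadowed by the ip6 pass-all above.)
${fwcmd} add deny ${log} ip from any to any
${fw6cmd} add deny ${log} ip6 from any to any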