rc.firewall
andy at splashground.de
andy at splashground.de
Thu Oct 21 13:28:38 PDT 2004
Hoi,
this replaces rc.firewall so that it no longer needs to be edited by hand
and can be configured through rc.conf variables.
Andy
http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch
Index: etc/rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.2
diff -u -p -r1.2 rc.firewall
--- etc/rc.firewall 17 Jun 2003 04:24:45 -0000 1.2
+++ etc/rc.firewall 9 Oct 2004 14:51:13 -0000
@@ -1,303 +1,179 @@
#!/bin/sh
-# Copyright (c) 1996 Poul-Henning Kamp
-# All rights reserved.
#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
+# /etc/rc.d/netfilter
#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
+# A simple packetfilter configurable via /etc/rc.conf
#
-# $FreeBSD: src/etc/rc.firewall,v 1.30.2.16 2003/02/10 05:45:06 trhodes Exp $
-# $DragonFly: src/etc/rc.firewall,v 1.2 2003/06/17 04:24:45 dillon Exp $
+# Variables in rc.conf:
#
+# firewall_type
+# UNKNOWN - disables the loading of firewall rules.
+# open - will allow anyone in
+# client - enables the packetfilter
+# simple - enables the packetfilter
+# closed - totally disables IP services except via lo0 interface
+# filename - will load the rules in the given filename (full path required)
+#
+# firewall_trusted_nets
+# firewall_trusted_interfaces
+# firewall_allowed_icmp_types
+# firewall_open_tcp_ports
+# firewall_open_udp_ports
-#
-# Setup system for firewall service.
-#
-# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
- if [ -r /etc/defaults/rc.conf ]; then
- . /etc/defaults/rc.conf
- source_rc_confs
- elif [ -r /etc/rc.conf ]; then
- . /etc/rc.conf
- fi
+ if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+ source_rc_confs
+ elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+ fi
fi
-############
-# Define the firewall type in /etc/rc.conf. Valid values are:
-# open - will allow anyone in
-# client - will try to protect just this machine
-# simple - will try to protect a whole network
-# closed - totally disables IP services except via lo0 interface
-# UNKNOWN - disables the loading of firewall rules.
-# filename - will load the rules in the given filename (full path required)
-#
-# For ``client'' and ``simple'' the entries below should be customized
-# appropriately.
+case ${firewall_quiet} in
+[Yy][Ee][Ss])
+ fwcmd="/sbin/ipfw -q"
+ ;;
+*)
+ fwcmd="/sbin/ipfw"
+ ;;
+esac
-############
-#
-# If you don't know enough about packet filtering, we suggest that you
-# take time to read this book:
-#
-# Building Internet Firewalls, 2nd Edition
-# Brent Chapman and Elizabeth Zwicky
-#
-# O'Reilly & Associates, Inc
-# ISBN 1-56592-871-7
-# http://www.ora.com/
-# http://www.oreilly.com/catalog/fire2/
-#
-# For a more advanced treatment of Internet Security read:
-#
-# Firewalls & Internet Security
-# Repelling the wily hacker
-# William R. Cheswick, Steven M. Bellowin
-#
-# Addison-Wesley
-# ISBN 0-201-63357-4
-# http://www.awl.com/
-# http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
-#
+case ${firewall_logging} in
+[Yy][Ee][Ss])
+ log="log"
+ ;;
+*)
+ log=""
+ ;;
+esac
-setup_loopback () {
- ############
- # Only in rare cases do you want to change these rules
- #
- ${fwcmd} add 100 pass all from any to any via lo0
- ${fwcmd} add 200 deny all from any to 127.0.0.0/8
- ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+# we handle start, stop, firewall_type and nothing as argument
+if [ -n "$1" ]; then
+ case $1 in
+ start)
+ ;;
+ stop)
+ firewall_type="open"
+ ;;
+ *)
+ firewall_type="$1"
+ ;;
+ esac
+fi
+
+allow_loopback() {
+ ${fwcmd} add pass all from any to any via lo0
+ ${fwcmd} add deny ${log} all from any to 127.0.0.0/8
+ ${fwcmd} add deny ${log} ip from 127.0.0.0/8 to any
+}
+
+deny_spoof() {
+ # XXX we don't have verrevpath yet
+ # ${fwcmd} add deny ${log} ip from any to any not verrevpath in
+ echo no verrevpath yet, so no anti-spoof
+}
+
+allow_icmp_types() {
+ for type in $*; do
+ ${fwcmd} add allow icmp from any to any icmptypes ${type}
+ done
+}
+
+allow_trusted_nets() {
+ for net in $*; do
+ ${fwcmd} add pass all from me to ${net}
+ ${fwcmd} add pass all from ${net} to me
+ done
+}
+
+allow_trusted_interfaces() {
+ for interface in $*; do
+ ${fwcmd} add pass all from any to any via ${interface}
+ done
+}
+
+allow_connections() {
+ ${fwcmd} add pass tcp from any to any established
+ ${fwcmd} add pass all from any to any frag
+ ${fwcmd} add pass tcp from me to any setup
+ ${fwcmd} add pass udp from me to any keep-state
+}
+
+open_tcp_ports() {
+ for port in $*; do
+ ${fwcmd} add pass tcp from any to me ${port} setup
+ done
+}
+
+open_udp_ports() {
+ for port in $*; do
+ ${fwcmd} add pass udp from any to me ${port}
+ ${fwcmd} add pass udp from me ${port} to any
+ done
+}
+
+deny_not_routed_nets()
+{
+ # These nets should not be routed
+ nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
+ 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
+ for net in ${nets} ; do
+ ${fwcmd} add deny ${log} all from any to $net
+ done
+}
+
+deny_rest() {
+ ${fwcmd} add 65000 deny ${log} all from any to any
}
-if [ -n "${1}" ]; then
- firewall_type="${1}"
-fi
-############
-# Set quiet mode if requested
-#
-case ${firewall_quiet} in
-[Yy][Ee][Ss])
- fwcmd="/sbin/ipfw -q"
- ;;
-*)
- fwcmd="/sbin/ipfw"
- ;;
-esac
-############
-# Flush out the list before we begin.
-#
${fwcmd} -f flush
-############
-# Network Address Translation. All packets are passed to natd(8)
-# before they encounter your remaining rules. The firewall rules
-# will then be run again on each packet after translation by natd
-# starting at the rule number following the divert rule.
-#
-# For ``simple'' firewall type the divert rule should be put to a
-# different place to not interfere with address-checking rules.
-#
case ${firewall_type} in
-[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
+ [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
+ case ${natd_enable} in
+ [Yy][Ee][Ss])
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
+ fi
+ ;;
+ esac
esac
-############
-# If you just configured ipfw in the kernel as a tool to solve network
-# problems or you just want to disallow some particular kinds of traffic
-# then you will want to change the default policy to open. You can also
-# do this as your only action by setting the firewall_type to ``open''.
-#
-# ${fwcmd} add 65000 pass all from any to any
-
-
-# Prototype setups.
-#
case ${firewall_type} in
-[Oo][Pp][Ee][Nn])
- setup_loopback
- ${fwcmd} add 65000 pass all from any to any
- ;;
-
-[Cc][Ll][Ii][Ee][Nn][Tt])
- ############
- # This is a prototype setup that will protect your system somewhat
- # against people from outside your own network.
- ############
-
- # set these to your network and netmask and ip
- net="192.0.2.0"
- mask="255.255.255.0"
- ip="192.0.2.1"
-
- setup_loopback
-
- # Allow any traffic to or from my own net.
- ${fwcmd} add pass all from ${ip} to ${net}:${mask}
- ${fwcmd} add pass all from ${net}:${mask} to ${ip}
-
- # Allow TCP through if setup succeeded
- ${fwcmd} add pass tcp from any to any established
-
- # Allow IP fragments to pass through
- ${fwcmd} add pass all from any to any frag
-
- # Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${ip} 25 setup
-
- # Allow setup of outgoing TCP connections only
- ${fwcmd} add pass tcp from ${ip} to any setup
-
- # Disallow setup of all other TCP connections
- ${fwcmd} add deny tcp from any to any setup
-
- # Allow DNS queries out in the world
- ${fwcmd} add pass udp from ${ip} to any 53 keep-state
-
- # Allow NTP queries out in the world
- ${fwcmd} add pass udp from ${ip} to any 123 keep-state
-
- # Everything else is denied by default, unless the
- # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
- # config file.
- ;;
-
-[Ss][Ii][Mm][Pp][Ll][Ee])
- ############
- # This is a prototype setup for a simple firewall. Configure this
- # machine as a named server and ntp server, and point all the machines
- # on the inside at this machine for those services.
- ############
-
- # set these to your outside interface network and netmask and ip
- oif="ed0"
- onet="192.0.2.0"
- omask="255.255.255.240"
- oip="192.0.2.1"
-
- # set these to your inside interface network and netmask and ip
- iif="ed1"
- inet="192.0.2.16"
- imask="255.255.255.240"
- iip="192.0.2.17"
-
- setup_loopback
-
- # Stop spoofing
- ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
- ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
-
- # Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
- ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
- ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
-
- # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
- # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
- # on the outside interface
- ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
- ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
- ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
- ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
- ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
-
- # Network Address Translation. This rule is placed here deliberately
- # so that it does not interfere with the surrounding address-checking
- # rules. If for example one of your internal LAN machines had its IP
- # address set to 192.0.2.1 then an incoming packet for it after being
- # translated by natd(8) would match the `deny' rule above. Similarly
- # an outgoing packet originated from it before being translated would
- # match the `deny' rule below.
- case ${natd_enable} in
- [Yy][Ee][Ss])
- if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
- fi
- ;;
- esac
-
- # Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
- ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
- ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
-
- # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
- # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
- # on the outside interface
- ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
- ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
- ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
- ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
- ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
-
- # Allow TCP through if setup succeeded
- ${fwcmd} add pass tcp from any to any established
-
- # Allow IP fragments to pass through
- ${fwcmd} add pass all from any to any frag
-
- # Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${oip} 25 setup
-
- # Allow access to our DNS
- ${fwcmd} add pass tcp from any to ${oip} 53 setup
- ${fwcmd} add pass udp from any to ${oip} 53
- ${fwcmd} add pass udp from ${oip} 53 to any
-
- # Allow access to our WWW
- ${fwcmd} add pass tcp from any to ${oip} 80 setup
-
- # Reject&Log all setup of incoming connections from the outside
- ${fwcmd} add deny log tcp from any to any in via ${oif} setup
-
- # Allow setup of any other TCP connection
- ${fwcmd} add pass tcp from any to any setup
-
- # Allow DNS queries out in the world
- ${fwcmd} add pass udp from ${oip} to any 53 keep-state
-
- # Allow NTP queries out in the world
- ${fwcmd} add pass udp from ${oip} to any 123 keep-state
-
- # Everything else is denied by default, unless the
- # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
- # config file.
- ;;
-
-[Cc][Ll][Oo][Ss][Ee][Dd])
- setup_loopback
- ;;
-[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
- ;;
-*)
- if [ -r "${firewall_type}" ]; then
- ${fwcmd} ${firewall_flags} ${firewall_type}
- fi
- ;;
+ [Oo][Pp][Ee][Nn])
+ allow_loopback
+ deny_spoof
+ ${fwcmd} add 1 pass all from any to any
+ ;;
+
+ # historical names
+ [Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
+ allow_loopback
+ deny_spoof
+ allow_trusted_nets ${firewall_trusted_nets}
+ allow_trusted_interfaces ${firewall_trusted_interfaces}
+ allow_connections
+ deny_not_routed_nets
+ allow_icmp_types ${firewall_allowed_icmp_types}
+ open_tcp_ports ${firewall_open_tcp_ports}
+ open_udp_ports ${firewall_open_udp_ports}
+ deny_rest
+ ;;
+
+ [Cc][Ll][Oo][Ss][Ee][Dd])
+ setup_loopback
+ deny_rest
+ ;;
+
+ [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
+ ;;
+
+ *)
+ if [ -r "${firewall_type}" ]; then
+ ${fwcmd} ${firewall_flags} ${firewall_type}
+ fi
+ ;;
esac
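Review bot: The `closed` branch still calls `setup_loopback`, which this patch removes and replaces with `allow_loopback`, so on a `closed` host the call fails (sh reports the missing command and continues), no lo0 rules are installed, and `deny_rest` then blocks loopback traffic too; change that line to `allow_loopback`. In the `open` branch, `${fwcmd} add 1 pass all from any to any` is numbered below the `add 50 divert natd` rule installed by the first case statement, so with natd_enable=YES every packet matches rule 1 before reaching the divert and translation is skipped; keeping the previous `${fwcmd} add 65000 pass all from any to any` preserves the ordering (deny_rest is not called on this path, so the number does not collide). `deny_not_routed_nets` denies only `from any to $net`, dropping the original's matching `from <net> to any` direction and its `via ${oif}` qualifier, so inbound packets carrying an unroutable source address are no longer filtered while a legitimate LAN in 10/8 that is not listed in firewall_trusted_nets is now blocked on every interface. `deny_spoof` also echoes to stdout on every run, which is noise in rc output; a comment in place of the echo would be quieter.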
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/dcvs/src/etc/defaults/rc.conf,v
retrieving revision 1.15
diff -u -p -r1.15 rc.conf
--- etc/defaults/rc.conf 6 Oct 2004 17:03:49 -0000 1.15
+++ etc/defaults/rc.conf 9 Oct 2004 06:31:58 -0000
@@ -59,6 +59,11 @@ dhclient_flags="" # Additional flags to
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
+firewall_trusted_nets="192.168.0.0/16" # list of trusted nets
+firewall_trusted_interfaces="" # list of trusted interfaces e.g. "rl0 xl0"
+firewall_allowed_icmp_types="" # list of icmp types not blocked
+firewall_open_tcp_ports="22 25 53 80 443" # open ports for our TCP daemons
+firewall_open_udp_ports="53" # open UDP ports for our daemons
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
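Review bot: The new defaults trust all of 192.168.0.0/16 and open TCP 22, 25, 53, 80, 443 and UDP 53 on every installation that selects the client or simple type, before the administrator has configured anything; since rc.firewall's `allow_trusted_nets` passes `all from ${net} to me` with no interface qualifier and its anti-spoof function is still a placeholder, a packet arriving on the outside interface with a 192.168 source address is accepted by default. Shipping these empty — `firewall_trusted_nets=""`, `firewall_open_tcp_ports=""`, `firewall_open_udp_ports=""` — and keeping the current values in the trailing comments as examples preserves the fail-closed default the rest of this block already has (firewall_type="UNKNOWN"). The comments on the new variables could also state that they are only honoured for the client/simple types, since the open, closed and filename types ignore them.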