| 1 | #!/bin/sh |
| 2 | # |
| 3 | # Copyright (c) 2004 The DragonFly Project. All rights reserved. |
| 4 | # |
| 5 | # This code is derived from software contributed to The DragonFly Project |
| 6 | # by Andreas Hauser <andy-dragonfly@splashground.de> |
| 7 | # |
| 8 | # Redistribution and use in source and binary forms, with or without |
| 9 | # modification, are permitted provided that the following conditions |
| 10 | # are met: |
| 11 | # |
| 12 | # 1. Redistributions of source code must retain the above copyright |
| 13 | # notice, this list of conditions and the following disclaimer. |
| 14 | # 2. Redistributions in binary form must reproduce the above copyright |
| 15 | # notice, this list of conditions and the following disclaimer in |
| 16 | # the documentation and/or other materials provided with the |
| 17 | # distribution. |
| 18 | # 3. Neither the name of The DragonFly Project nor the names of its |
| 19 | # contributors may be used to endorse or promote products derived |
| 20 | # from this software without specific, prior written permission. |
| 21 | # |
| 22 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 23 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 24 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
| 25 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
| 26 | # COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 27 | # INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, |
| 28 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 29 | # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED |
| 30 | # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| 31 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT |
| 32 | # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 33 | # SUCH DAMAGE. |
| 34 | # |
| 35 | # $DragonFly: src/etc/rc.firewall,v 1.6 2007/06/02 09:16:49 swildner Exp $ |
| 36 | |
| 37 | # A simple packetfilter configurable via /etc/rc.conf |
| 38 | # |
| 39 | # Variables in rc.conf: |
| 40 | # |
# firewall_type
#	UNKNOWN	- load no rules.  Note that the existing rule set is still
#		  flushed first, so only ipfw's default policy remains in force.
#	open	- will allow anyone in (loopback sanity rules, then pass-all)
#	client	- enables the packetfilter; this is also what an unset or
#		  empty firewall_type selects
#	simple	- the same profile as client (historical name)
#	closed	- totally disables IP services except via lo0 interface
#	filename - will load the rules in the given filename (full path
#		  required).  The file is handed to ipfw verbatim and thus
#		  acts with root privileges; guard its permissions like rc.conf.
| 48 | # |
# firewall_trusted_nets		- networks this host exchanges all traffic
#				  with unconditionally (matched on source
#				  address only; see deny_spoof below)
# firewall_trusted_interfaces	- interfaces whose traffic is passed
#				  unfiltered in both directions
# firewall_allowed_icmp_types	- ICMP types accepted in both directions
# firewall_open_tcp_ports	- TCP ports that accept inbound connections
# firewall_open_udp_ports	- UDP ports that accept inbound datagrams
#
# Also read from rc.conf: firewall_quiet, firewall_logging, firewall_flags
# (extra ipfw arguments when a rules file is loaded), natd_enable and
# natd_interface.
| 54 | |
# Pull in the rc.conf settings unless rc(8) has already done so (it marks
# that by setting source_rc_confs_defined).  The defaults file is preferred
# because it provides source_rc_confs, which is then presumably responsible
# for reading /etc/rc.conf* -- NOTE(review): confirm against
# /etc/defaults/rc.conf.  A bare /etc/rc.conf is the fallback.
if [ -n "${source_rc_confs_defined}" ]; then
	: # configuration already loaded by our caller
elif [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi
| 63 | |
# The ipfw invocation used for every rule below.  firewall_quiet=yes adds
# -q so loading the rule set does not echo each rule to the console.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac
| 72 | |
# ${log} is spliced into every deny rule below: firewall_logging=yes turns
# it into ipfw's "log" keyword, otherwise it expands to nothing.  Only the
# deny rules carry it, so permitted traffic is never logged by this script.
log=""
case ${firewall_logging} in
[Yy][Ee][Ss])
	log="log"
	;;
esac
| 81 | |
# Optional first argument.  "start" (or no argument) keeps the rc.conf
# profile, "stop" swaps in the open profile -- the rule set is replaced,
# not removed -- and any other word overrides firewall_type outright, i.e.
# it may name a profile or, see the default arm of the dispatch below, a
# rules file.  The override is taken verbatim, so only trusted callers
# (rc itself, root at the console) should reach this.
case ${1:-start} in
start)
	;;
stop)
	firewall_type="open"
	;;
*)
	firewall_type="$1"
	;;
esac
| 95 | |
# Hand every packet crossing natd_interface to the natd divert socket, but
# only when natd_enable=yes and an interface is configured.  The callers
# add this rule ahead of the filtering rules, so natd sees packets before
# the policy below is applied to them.
divert_nat() {
	case ${natd_enable} in
	[Yy][Ee][Ss])
		[ -z "${natd_interface}" ] && return
		${fwcmd} add divert natd all from any to any via ${natd_interface}
		;;
	esac
}
| 104 | |
# Pass all loopback traffic, then drop (and log, if enabled) anything that
# carries a 127/8 address on any other interface: such packets can only be
# forged.  ipfw evaluates rules in insertion order, so the pass must come
# first.
allow_loopback() {
	for spec in \
	    "pass all from any to any via lo0" \
	    "deny ${log} all from any to 127.0.0.0/8" \
	    "deny ${log} ip from 127.0.0.0/8 to any"
	do
		${fwcmd} add ${spec}
	done
}
| 110 | |
# Placeholder for source-address verification: the intended rule (kept in
# the comment) needs ipfw's verrevpath, which this system does not have yet,
# so the function only announces that and installs nothing.  Consequence:
# every rule in this script that trusts a source address -- the trusted
# nets, the bogon denies -- trusts the address as the packet presents it.
deny_spoof() {
	# XXX we don't have verrevpath yet
	# ${fwcmd} add deny ${log} ip from any to any not verrevpath in
	printf '%s\n' "no verrevpath yet, so no anti-spoof"
}
| 116 | |
# One allow rule per ICMP type number given as an argument.  The rules are
# "from any to any", so each listed type is accepted inbound as well as
# outbound.  Arguments are re-split on IFS, mirroring the caller's unquoted
# firewall_allowed_icmp_types list; no arguments means no rules.
allow_icmp_types() {
	[ $# -eq 0 ] && return
	for icmp_type in $*; do
		${fwcmd} add allow icmp from any to any icmptypes ${icmp_type}
	done
}
| 122 | |
# Pass all traffic between this host (ipfw's "me": the host's own
# addresses) and each network given as an argument, in both directions.
# Trust is decided on the source/destination address alone -- with
# deny_spoof a no-op, a packet forged to come from a trusted net sails
# through -- so keep this list to networks you really control.  Arguments
# are re-split on IFS like the caller's unquoted firewall_trusted_nets.
allow_trusted_nets() {
	[ $# -eq 0 ] && return
	for trusted_net in $*; do
		${fwcmd} add pass all from me to ${trusted_net}
		${fwcmd} add pass all from ${trusted_net} to me
	done
}
| 129 | |
# Pass every packet seen via each named interface, in both directions and
# with no further conditions.  This effectively removes the interface from
# the firewall, so list only interfaces on networks you fully trust.
# Arguments are re-split on IFS like the caller's unquoted list.
allow_trusted_interfaces() {
	[ $# -eq 0 ] && return
	for trusted_if in $*; do
		${fwcmd} add pass all from any to any via ${trusted_if}
	done
}
| 135 | |
# Let traffic that belongs -- or looks like it belongs -- to existing
# sessions through, and let this host open new TCP and UDP conversations.
# NOTE(review): the first two rules are stateless.  As I read ipfw(8),
# "established" matches any TCP segment with ACK or RST set and "frag" any
# non-first fragment, regardless of the connection table, so a remote peer
# can reach any port with such packets (ACK scans, fragment tricks).  A
# check-state / keep-state pair would be tighter; left as-is to preserve
# the existing policy.
allow_connections() {
	for spec in \
	    "tcp from any to any established" \
	    "all from any to any frag" \
	    "tcp from me to any setup" \
	    "udp from me to any keep-state"
	do
		${fwcmd} add pass ${spec}
	done
}
| 142 | |
# Accept inbound TCP connection attempts ("setup", the opening segment) to
# this host on each listed port; the rest of each connection rides on the
# "established" rule from allow_connections.  Arguments are re-split on
# IFS like the caller's unquoted firewall_open_tcp_ports.  The port text
# is passed to ipfw unchecked -- it comes from rc.conf, which only root
# should be able to write.
open_tcp_ports() {
	[ $# -eq 0 ] && return
	for tcp_port in $*; do
		${fwcmd} add pass tcp from any to me ${tcp_port} setup
	done
}
| 148 | |
# For each listed UDP port, accept datagrams from anywhere to that port on
# this host and let this host send from that port to anywhere.  UDP has no
# "established" notion, so both directions need an explicit rule; the
# outbound one is stateless, unlike the keep-state rule in
# allow_connections.  Arguments are re-split on IFS like the caller's
# unquoted firewall_open_udp_ports.
open_udp_ports() {
	[ $# -eq 0 ] && return
	for udp_port in $*; do
		${fwcmd} add pass udp from any to me ${udp_port}
		${fwcmd} add pass udp from me ${udp_port} to any
	done
}
| 155 | |
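# Drop (and log, if enabled) packets whose source address lies in a block
# that should never appear on the wire: RFC 1918 space, "this" network,
# link-local, the documentation prefix, multicast and reserved space.
# Only the source is checked, so this host may still talk *to* those
# ranges.  In the client profile this runs after allow_trusted_nets and
# allow_connections, so a trusted RFC 1918 net -- and any packet the
# stateless "established" rule accepts -- is passed before getting here.
# The list is iterated directly rather than parked in a global variable,
# so calling this no longer clobbers a caller's ${nets}.
# NOTE(review): 127/8 is handled by allow_loopback; newer bogon lists also
# carry 100.64/10, 192.0.0/24, 198.18/15, 198.51.100/24 and 203.0.113/24,
# deliberately not added here since 100.64/10 would break CGNAT uplinks.
deny_not_routed_nets()
{
	for bogon_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
	    169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4
	do
		${fwcmd} add deny ${log} all from ${bogon_net} to any
	done
}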
| 165 | |
# Catch-all: rule 65000 denies (and logs, if enabled) whatever no earlier
# rule matched.  Because it matches everything, any rule numbered above
# 65000 is dead code.
deny_rest() {
	${fwcmd} add 65000 deny ${log} all from any to any
}
| 169 | |
# Catch-all for the open profile: rule 65000 passes whatever no earlier
# rule matched, so ipfw's own default policy is never consulted.
allow_rest() {
	${fwcmd} add 65000 pass all from any to any
}
| 173 | |
| 174 | |
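# Build the rule set.  The flush is unconditional, so for a moment nothing
# but ipfw's own default policy is in force -- a remote session can drop
# here -- and a firewall_type of UNKNOWN leaves it that way: it disables
# loading, it does not preserve the previous rules.
${fwcmd} -f flush

case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	# loopback sanity rules and NAT diversion, then pass everything
	allow_loopback
	deny_spoof
	divert_nat
	allow_rest
	;;

# historical names; an unset or empty firewall_type also lands here
[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
	# Rule order is the policy.  Trusted nets/interfaces and the
	# (stateless) established/frag rules are inserted before the
	# bogon-source denies, so those denies only see traffic nothing
	# above accepted; the opened ports come last before the catch-all
	# deny.  deny_spoof installs nothing yet, so the trusted-net rules
	# trust the source address exactly as the packet presents it.
	allow_loopback
	deny_spoof
	divert_nat
	allow_trusted_nets ${firewall_trusted_nets}
	allow_trusted_interfaces ${firewall_trusted_interfaces}
	allow_connections
	allow_icmp_types ${firewall_allowed_icmp_types}
	deny_not_routed_nets
	open_tcp_ports ${firewall_open_tcp_ports}
	open_udp_ports ${firewall_open_udp_ports}
	deny_rest
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	# only lo0 traffic survives
	allow_loopback
	deny_rest
	;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;

*)
	# Anything else names a rules file handed to ipfw together with
	# firewall_flags.  The path is quoted so a name containing whitespace
	# reaches ipfw as one argument, matching what the -r test checked;
	# firewall_flags stays unquoted on purpose, it may hold several
	# options.  The file's contents act with ipfw's (root) privileges,
	# so it must not be writable by anyone else.
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} "${firewall_type}"
	fi
	;;
esac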