Raise WARNS to 6 and fix resulting warnings.
[dragonfly.git] / etc / rc.firewall
1#!/bin/sh
2#
3# Copyright (c) 2004 The DragonFly Project. All rights reserved.
4#
5# This code is derived from software contributed to The DragonFly Project
6# by Andreas Hauser <andy-dragonfly@splashground.de>
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11#
12# 1. Redistributions of source code must retain the above copyright
13# notice, this list of conditions and the following disclaimer.
14# 2. Redistributions in binary form must reproduce the above copyright
15# notice, this list of conditions and the following disclaimer in
16# the documentation and/or other materials provided with the
17# distribution.
18# 3. Neither the name of The DragonFly Project nor the names of its
19# contributors may be used to endorse or promote products derived
20# from this software without specific, prior written permission.
21#
22# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
25# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
26# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27# INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
28# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
30# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
31# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
32# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33# SUCH DAMAGE.
34#
35# $DragonFly: src/etc/rc.firewall,v 1.6 2007/06/02 09:16:49 swildner Exp $
36
37# A simple packetfilter configurable via /etc/rc.conf
38#
39# Variables in rc.conf:
40#
41# firewall_type
42# UNKNOWN - disables the loading of firewall rules.
43# open - will allow anyone in
44# client - enables the packetfilter
45# simple - enables the packetfilter
46# closed - totally disables IP services except via lo0 interface
47# filename - will load the rules in the given filename (full path required)
48#
49# firewall_trusted_nets
50# firewall_trusted_interfaces
51# firewall_allowed_icmp_types
52# firewall_open_tcp_ports
53# firewall_open_udp_ports
54
# Load the rc.conf(5) settings unless rc(8) already did so for us, in
# which case source_rc_confs_defined is set and we must not re-read them.
if [ -n "${source_rc_confs_defined}" ]; then
	: # configuration was sourced by the caller
elif [ -r /etc/defaults/rc.conf ]; then
	# source_rc_confs comes from /etc/defaults/rc.conf and reads the
	# local rc.conf files on top of the defaults (see rc.conf(5))
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	# no defaults file: read the local configuration directly
	. /etc/rc.conf
fi
63
# ipfw(8) invocation used for every rule below; firewall_quiet=YES adds
# -q so that each "add" does not echo the rule it installed.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac
72
# Keyword spliced into the deny rules; firewall_logging=YES turns it into
# ipfw's "log" so denied packets are recorded, otherwise it stays empty.
log=""
case ${firewall_logging} in
[Yy][Ee][Ss])
	log="log"
	;;
esac
81
# Optional first argument:
#   start       keep the firewall_type from rc.conf
#   stop        switch to the "open" ruleset -- note that "open" passes
#               everything (see allow_rest), it does not close the host
#   <anything>  use it as firewall_type directly (a type name or a rules file)
#   (none)      same as start
case "$1" in
""|start)
	;;
stop)
	firewall_type="open"
	;;
*)
	firewall_type="$1"
	;;
esac
95
#######################################
# Hand all packets crossing the natd interface to natd(8) through a
# divert socket, when NAT is enabled in rc.conf.
# Globals:   fwcmd, natd_enable, natd_interface (read)
# Returns:   status of the ipfw add, 0 when nothing is installed
#######################################
divert_nat() {
	if [ -n "${natd_interface}" ]; then
		case ${natd_enable} in
		[Yy][Ee][Ss])
			${fwcmd} add divert natd all from any to any via ${natd_interface}
			;;
		esac
	fi
}
104
#######################################
# Permit loopback traffic, then reject any packet carrying a 127/8
# address on another interface: legitimate loopback traffic has already
# matched the lo0 rule, so whatever is left is forged.
# Globals:   fwcmd, log (read)
#######################################
allow_loopback() {
	${fwcmd} add pass all from any to any via lo0
	for rule in "all from any to 127.0.0.0/8" "ip from 127.0.0.0/8 to any"; do
		${fwcmd} add deny ${log} ${rule}
	done
}
110
#######################################
# Anti-spoofing placeholder.  The intended rule (deny packets whose
# source address is not reachable back through the interface they
# arrived on, ipfw's "verrevpath") is not available, so this installs
# NO rule: apart from the 127/8 checks in allow_loopback, nothing here
# rejects packets with a forged source address.
# Outputs:   a one-line notice on stdout
#######################################
deny_spoof() {
	# XXX enable once verrevpath is supported:
	# ${fwcmd} add deny ${log} ip from any to any not verrevpath in
	printf '%s\n' 'no verrevpath yet, so no anti-spoof'
}
116
#######################################
# Accept ICMP of the listed types from anywhere.
# Arguments: ICMP type numbers, either as separate words or as one
#            space-separated list -- the unquoted re-split below accepts
#            both, which is how the rc.conf value is passed in
# Globals:   fwcmd (read)
#######################################
allow_icmp_types() {
	set -- $*
	while [ $# -gt 0 ]; do
		${fwcmd} add allow icmp from any to any icmptypes "$1"
		shift
	done
}
122
#######################################
# Pass all traffic between this host ("me") and each trusted network,
# in both directions.  A network listed here bypasses every later rule,
# including the port filters, so it really must be trusted.
# Arguments: network specs, separate words or one space-separated list
# Globals:   fwcmd (read)
#######################################
allow_trusted_nets() {
	set -- $*
	while [ $# -gt 0 ]; do
		${fwcmd} add pass all from me to "$1"
		${fwcmd} add pass all from "$1" to me
		shift
	done
}
129
#######################################
# Pass all traffic in or out of each trusted interface, regardless of
# address; anything arriving on such an interface skips the rest of the
# ruleset.
# Arguments: interface names, separate words or one space-separated list
# Globals:   fwcmd (read)
#######################################
allow_trusted_interfaces() {
	set -- $*
	while [ $# -gt 0 ]; do
		${fwcmd} add pass all from any to any via "$1"
		shift
	done
}
135
#######################################
# Pass traffic belonging to existing or locally initiated sessions.
# Rule order is significant and is preserved:
#   1. "established" -- per ipfw(8) this matches any TCP segment with
#      ACK or RST set; it is a flag check, not connection tracking, so
#      such segments are passed whether or not a session exists
#   2. "frag" -- non-initial fragments carry no port numbers and cannot
#      be matched by the open_*_ports rules, so they are passed outright
#   3. TCP connections initiated by this host (SYN out)
#   4. UDP sent by this host, with a dynamic rule for the replies
# Globals:   fwcmd (read)
#######################################
allow_connections() {
	for rule in \
	    "tcp from any to any established" \
	    "all from any to any frag" \
	    "tcp from me to any setup" \
	    "udp from me to any keep-state"
	do
		${fwcmd} add pass ${rule}
	done
}
142
#######################################
# Accept new TCP connections (SYN, "setup") from anywhere to the given
# local ports; the established/keep-state rules handle the rest of the
# session.
# Arguments: port specs, separate words or one space-separated list
# Globals:   fwcmd (read)
#######################################
open_tcp_ports() {
	set -- $*
	while [ $# -gt 0 ]; do
		${fwcmd} add pass tcp from any to me "$1" setup
		shift
	done
}
148
#######################################
# Accept UDP to the given local ports from anywhere, and UDP leaving
# those ports (the service's replies) to anywhere.
# Arguments: port specs, separate words or one space-separated list
# Globals:   fwcmd (read)
#######################################
open_udp_ports() {
	set -- $*
	while [ $# -gt 0 ]; do
		${fwcmd} add pass udp from any to me "$1"
		${fwcmd} add pass udp from me "$1" to any
		shift
	done
}
155
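#######################################
# Drop packets whose source address should never arrive over a routed
# link: RFC 1918 private space, "this network" 0/8, link-local
# 169.254/16 (RFC 3927), TEST-NET-1 192.0.2/24 (RFC 5737), multicast
# 224/4 and the reserved 240/4 block.
# Because the RFC 1918 ranges are included, hosts on a private LAN are
# also denied here; the client/simple ruleset runs allow_trusted_nets
# before this function, so such neighbours must be listed in
# firewall_trusted_nets to reach the ports opened afterwards (replies to
# connections this host initiated are already passed by
# allow_connections).
# Globals:   fwcmd, log (read)
#######################################
deny_not_routed_nets() {
	# the list lives in the loop header rather than a variable so the
	# function leaves nothing behind in the caller's namespace
	for net in \
	    10.0.0.0/8 \
	    172.16.0.0/12 \
	    192.168.0.0/16 \
	    0.0.0.0/8 \
	    169.254.0.0/16 \
	    192.0.2.0/24 \
	    224.0.0.0/4 \
	    240.0.0.0/4
	do
		${fwcmd} add deny ${log} all from "${net}" to any
	done
}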
165
#######################################
# Default-deny tail of a ruleset: drop whatever no earlier rule passed.
# Installed as rule 65000 so it sits after the auto-numbered rules added
# above it and just ahead of the kernel's own final rule (65535 per
# ipfw(8)).
# Globals:   fwcmd, log (read)
#######################################
deny_rest() {
	${fwcmd} add 65000 deny ${log} all from any to any
}
169
#######################################
# Default-allow tail of a ruleset (used by the "open" type): pass
# whatever no earlier rule handled.  Rule number 65000 mirrors deny_rest
# so the two are interchangeable as the final rule.
# Globals:   fwcmd (read)
#######################################
allow_rest() {
	${fwcmd} add 65000 pass all from any to any
}
173
174
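# Empty the ruleset (-f: no confirmation prompt) and then install the
# ruleset selected by firewall_type.  Every type below starts from this
# empty state, including UNKNOWN and an unreadable rules file.
${fwcmd} -f flush

case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	# pass everything; loopback sanity rules and natd diversion only
	allow_loopback
	deny_spoof
	divert_nat
	allow_rest
	;;

# "client" and "simple" are historical names for the same ruleset; an
# empty firewall_type selects it too
[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
	allow_loopback
	deny_spoof
	divert_nat
	# order matters: trusted nets/interfaces are passed first, then
	# session traffic, then bogon sources are denied, and only after
	# that are the configured ports opened to everybody else
	allow_trusted_nets ${firewall_trusted_nets}
	allow_trusted_interfaces ${firewall_trusted_interfaces}
	allow_connections
	allow_icmp_types ${firewall_allowed_icmp_types}
	deny_not_routed_nets
	open_tcp_ports ${firewall_open_tcp_ports}
	open_udp_ports ${firewall_open_udp_ports}
	deny_rest
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	# loopback only; everything else is dropped
	allow_loopback
	deny_rest
	;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	# load nothing; the flush above has already emptied the ruleset
	;;

*)
	# anything else names a file of ipfw rules (full path required)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} "${firewall_type}"
	else
		# the old rules are already gone, so do not fail silently
		printf 'rc.firewall: cannot read firewall rules file %s\n' \
		    "${firewall_type}" >&2
	fi
	;;
esac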