| 1 | #!/bin/sh |
| 2 | ############ |
| 3 | # Setup system for IPv6 firewall service. |
| 4 | # $FreeBSD: src/etc/rc.firewall6,v 1.1.2.11 2003/02/10 05:45:06 trhodes Exp $ |
| 5 | # $DragonFly: src/etc/rc.firewall6,v 1.3 2008/08/10 21:29:16 hasso Exp $ |
| 6 | |
| 7 | # Suck in the configuration variables. |
| 8 | if [ -z "${source_rc_confs_defined}" ]; then |
| 9 | if [ -r /etc/defaults/rc.conf ]; then |
| 10 | . /etc/defaults/rc.conf |
| 11 | source_rc_confs |
| 12 | elif [ -r /etc/rc.conf ]; then |
| 13 | . /etc/rc.conf |
| 14 | fi |
| 15 | fi |
| 16 | |
| 17 | ############ |
| 18 | # Define the firewall type in /etc/rc.conf. Valid values are: |
| 19 | # open - will allow anyone in |
| 20 | # client - will try to protect just this machine |
| 21 | # simple - will try to protect a whole network |
| 22 | # closed - totally disables IP services except via lo0 interface |
| 23 | # UNKNOWN - disables the loading of firewall rules. |
| 24 | # filename - will load the rules in the given filename (full path required) |
| 25 | # |
| 26 | # For ``client'' and ``simple'' the entries below should be customized |
| 27 | # appropriately. |
| 28 | |
| 29 | ############ |
| 30 | # |
| 31 | # If you don't know enough about packet filtering, we suggest that you |
| 32 | # take time to read this book: |
| 33 | # |
| 34 | # Building Internet Firewalls, 2nd Edition |
| 35 | # Brent Chapman and Elizabeth Zwicky |
| 36 | # |
| 37 | # O'Reilly & Associates, Inc |
| 38 | # ISBN 1-56592-871-7 |
| 39 | # http://www.ora.com/ |
| 40 | # http://www.oreilly.com/catalog/fire2/ |
| 41 | # |
| 42 | # For a more advanced treatment of Internet Security read: |
| 43 | # |
| 44 | # Firewalls & Internet Security |
| 45 | # Repelling the wily hacker |
| 46 | # William R. Cheswick, Steven M. Bellovin |
| 47 | # |
| 48 | # Addison-Wesley |
| 49 | # ISBN 0-201-63357-4 |
| 50 | # http://www.awl.com/ |
| 51 | # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html |
| 52 | # |
| 53 | |
############
# Rules every prototype setup needs; only in rare cases worth changing.
#
# Reads fw6cmd (the ip6fw command, possibly with flags, so it is
# expanded unquoted on purpose).  The loopback rule gets explicit rule
# number 100; the ICMPv6 rules take the next free numbers in the order
# they are added.
#
setup_local () {
  ${fw6cmd} add 100 pass all from any to any via lo0
  #
  # Neighbor Discovery.  Each source/destination pair below becomes
  # one "pass ipv6-icmp" rule, in this order:
  #   ::        -> ff02::/16   DAD (unspecified source to multicast)
  #   fe80::/10 -> fe80::/10   RS, RA, NS, NA, redirect between link-locals
  #   fe80::/10 -> ff02::/16   the same, sent to link-local multicast
  # The pairs are walked via the positional parameters so no global
  # variable is touched; a function's "$@" is restored when it returns.
  set -- \
    ::        ff02::/16 \
    fe80::/10 fe80::/10 \
    fe80::/10 ff02::/16
  while [ $# -ge 2 ]; do
    ${fw6cmd} add pass ipv6-icmp from "$1" to "$2"
    shift 2
  done
}
| 68 | |
# A firewall type given on the command line overrides the rc.conf
# setting; an empty argument is ignored.
case "${1}" in
'')
  ;;
*)
  ipv6_firewall_type="${1}"
  ;;
esac
| 72 | |
############
# Set quiet mode if requested
#
# ipv6_firewall_quiet=YES (any capitalisation) appends the -q (quiet)
# flag.  fw6cmd is deliberately expanded unquoted throughout the script
# so that the flag splits off as its own word.
#
fw6cmd="/sbin/ip6fw"
case ${ipv6_firewall_quiet} in
[Yy][Ee][Ss])
  fw6cmd="${fw6cmd} -q"
  ;;
esac
| 84 | |
############
# Flush out the list before we begin.
#
# This runs before ipv6_firewall_type is examined, so every type --
# including UNKNOWN and a rules-file path that turns out to be
# unreadable -- starts from an empty rule set.  Between this flush and
# the rules added below only the kernel's compiled-in default applies
# (deny, unless the kernel has IPV6FIREWALL_DEFAULT_TO_ACCEPT; see the
# notes at the end of the client/simple setups).  -f presumably skips
# the confirmation prompt a flush would otherwise ask for -- confirm
# against ip6fw(8).
#
${fw6cmd} -f flush
| 89 | |
| 90 | ############ |
| 91 | # If you just configured ipfw in the kernel as a tool to solve network |
| 92 | # problems or you just want to disallow some particular kinds of traffic |
| 93 | # then you will want to change the default policy to open. You can also |
| 94 | # do this as your only action by setting the ipv6_firewall_type to ``open''. |
| 95 | # |
| 96 | # ${fw6cmd} add 65000 pass all from any to any |
| 97 | |
| 98 | |
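# Prototype setups.
#
# ipv6_firewall_type comes from rc.conf, or from $1 when the script is
# invoked with an argument.  Every branch runs after the flush above,
# so what it adds is the complete ruleset.  Only the loopback rule
# carries an explicit number (100); all other rules are numbered in
# the order they are added and, as with ipfw, the first matching rule
# wins -- the order of the lines below *is* the policy.
#
# Addresses under 2001:db8::/32 are documentation-prefix placeholders
# and must be replaced before use; left as-is, the rules that name
# ${ip}/${net}/${oip}/... match none of the host's real traffic and
# only the "any"-based rules take effect.
#
case ${ipv6_firewall_type} in
[Oo][Pp][Ee][Nn])
  # Loopback/ND housekeeping, then accept everything else.
  setup_local
  ${fw6cmd} add 65000 pass all from any to any
  ;;

[Cc][Ll][Ii][Ee][Nn][Tt])
  ############
  # This is a prototype setup that will protect your system somewhat
  # against people from outside your own network.
  ############

  # set these to your network and prefixlen and ip
  #
  # This needs more work
  #
  net="2001:db8:2:1::"
  prefixlen="64"
  ip="2001:db8:2:1::1"

  setup_local

  # Allow any traffic to or from my own net.
  ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
  ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}

  # Allow any link-local multicast traffic
  ${fw6cmd} add pass all from fe80::/10 to ff02::/16
  ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16

  # Allow TCP through if setup succeeded
  # "established" is TCP flag matching (ipfw: RST or ACK set), not
  # connection state -- ACK-flagged segments are accepted whether or
  # not a connection exists.  Nothing in this file uses a stateful
  # match, so confirm whether ip6fw on this system offers one.
  ${fw6cmd} add pass tcp from any to any established

  # Allow IP fragments to pass through
  # NOTE(review): in ipfw terms "frag" matches non-first fragments,
  # which carry no port information and so bypass every port-based
  # rule here -- confirm the ip6fw semantics.
  ${fw6cmd} add pass all from any to any frag

  # Allow setup of incoming email
  ${fw6cmd} add pass tcp from any to ${ip} 25 setup

  # Allow setup of outgoing TCP connections only
  # Matches only connections sourced from exactly ${ip}; a host that
  # also uses other global addresses (e.g. temporary ones) needs them
  # listed as well or their connection attempts hit the deny below.
  ${fw6cmd} add pass tcp from ${ip} to any setup

  # Disallow setup of all other TCP connections
  ${fw6cmd} add deny tcp from any to any setup

  # Allow DNS queries out in the world
  # The inbound rule matches on the peer's source port alone: any UDP
  # datagram from source port 53 reaches ${ip}, not just replies to our
  # queries.  Narrow "any 53" to your resolvers' addresses if you can.
  ${fw6cmd} add pass udp from any 53 to ${ip}
  ${fw6cmd} add pass udp from ${ip} to any 53

  # Allow NTP queries out in the world
  # Same shape and same caveat as the DNS pair: source port 123 is the
  # only check on the inbound rule.
  ${fw6cmd} add pass udp from any 123 to ${ip}
  ${fw6cmd} add pass udp from ${ip} to any 123

  # Allow ICMPv6 destination unreach
  ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

  # Allow NS/NA/toobig (don't filter it out)
  # Type 2 (packet too big) is needed for path-MTU discovery; 135/136
  # are neighbor solicitation/advertisement from global addresses (the
  # link-local ones are already covered by setup_local).  Echo
  # (128/129), time exceeded (3) and parameter problem (4) are not
  # listed and therefore fall to the default policy.
  ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

  # Everything else is denied by default, unless the
  # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  # config file.
  ;;

[Ss][Ii][Mm][Pp][Ll][Ee])
  ############
  # This is a prototype setup for a simple firewall. Configure this
  # machine as a named server and ntp server, and point all the machines
  # on the inside at this machine for those services.
  ############

  # set these to your outside interface network and prefixlen and ip
  # (interface names are placeholders too)
  oif="ed0"
  onet="2001:db8:2:1::"
  oprefixlen="64"
  oip="2001:db8:2:1::1"

  # set these to your inside interface network and prefixlen and ip
  iif="ed1"
  inet="2001:db8:2:2::"
  iprefixlen="64"
  iip="2001:db8:2:2::1"

  setup_local

  # Stop spoofing
  # The inside prefix must not arrive on the outside interface and
  # vice versa.  Only these two prefixes are checked; no other bogus
  # source is rejected on ${iif}.
  ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
  ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}

  # Stop site-local on the outside interface
  # fec0::/10 was deprecated by RFC 3879; its replacement, the
  # unique-local range fc00::/7 (RFC 4193), is not filtered here.
  ${fw6cmd} add deny all from fec0::/10 to any via ${oif}
  ${fw6cmd} add deny all from any to fec0::/10 via ${oif}

  # Disallow "internal" addresses to appear on the wire.
  # ::ffff:0.0.0.0/96 is the IPv4-mapped range.
  ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
  ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}

  # Disallow packets to malicious IPv4 compatible prefix.
  # IPv4-compatible addresses embedding multicast (224/4), loopback
  # (127/8), "this network" (0/8) and 255/8 ...
  ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
  ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
  ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
  ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
  ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
  ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
  ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
  ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}

  # ... and then the whole IPv4-compatible block ::/96 itself, which
  # makes the four pairs above redundant but keeps them visible.
  ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
  ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}

  # Disallow packets to malicious 6to4 prefix.
  # 2002:XXYY::/N embeds the IPv4 address XX.YY...: e000/20 is 224/4
  # (multicast), 7f00/24 is 127/8, 0000/24 is 0/8, ff00/24 is 255/8.
  ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
  ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
  ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
  ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}

  # 6to4 addresses built from RFC 1918 space: 0a00/24 is 10/8,
  # ac10/28 is 172.16/12, c0a8/32 is 192.168/16.
  ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
  ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
  ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
  ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}

  # Site-local scope multicast (ff05::/16) must not cross ${oif}.
  ${fw6cmd} add deny all from ff05::/16 to any via ${oif}
  ${fw6cmd} add deny all from any to ff05::/16 via ${oif}

  # Allow TCP through if setup succeeded
  # Flag matching, not connection state -- see the client setup.
  ${fw6cmd} add pass tcp from any to any established

  # Allow IP fragments to pass through
  # NOTE(review): non-first fragments bypass the port-based rules
  # below -- confirm the ip6fw semantics of "frag".
  ${fw6cmd} add pass all from any to any frag

  # Allow setup of incoming email
  ${fw6cmd} add pass tcp from any to ${oip} 25 setup

  # Allow access to our DNS
  # TCP and UDP queries to this host's resolver, plus its UDP answers.
  ${fw6cmd} add pass tcp from any to ${oip} 53 setup
  ${fw6cmd} add pass udp from any to ${oip} 53
  ${fw6cmd} add pass udp from ${oip} 53 to any

  # Allow access to our WWW
  ${fw6cmd} add pass tcp from any to ${oip} 80 setup

  # Reject&Log all setup of incoming connections from the outside
  # Placed after the 25/53/80 exceptions above; any other SYN arriving
  # on ${oif} is denied and logged, so the blanket "pass ... setup"
  # that follows only ever sees connection attempts that did not come
  # in on the outside interface (inside hosts and this host itself).
  ${fw6cmd} add deny log tcp from any to any in via ${oif} setup

  # Allow setup of any other TCP connection
  ${fw6cmd} add pass tcp from any to any setup

  # Allow DNS queries out in the world
  # Source-port-only matching on the inbound rule, as in the client
  # setup: any UDP from source port 53 reaches ${oip}.
  ${fw6cmd} add pass udp from any 53 to ${oip}
  ${fw6cmd} add pass udp from ${oip} to any 53

  # Allow NTP queries out in the world
  # Same caveat for source port 123.
  ${fw6cmd} add pass udp from any 123 to ${oip}
  ${fw6cmd} add pass udp from ${oip} to any 123

  # Allow RIPng (left disabled; uncomment only if this host runs it)
  #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
  #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521

  # Allow ICMPv6 destination unreach
  ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

  # Allow NS/NA/toobig (don't filter it out)
  # 2 = packet too big (path-MTU discovery), 135/136 = NS/NA.  Echo,
  # time exceeded and parameter problem are not passed here.
  ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

  # Everything else is denied by default, unless the
  # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  # config file.
  ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
  # Only enable the loopback interface
  # This is setup_local's first rule without its ND rules, so under
  # the default deny policy neighbor discovery is blocked as well and
  # the host is reachable only via lo0.
  ${fw6cmd} add 100 pass all from any to any via lo0
  ;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  # No rules are loaded.  The flush above has already run, so only the
  # kernel default policy remains in effect.
  ;;
*)
  # Anything else is taken as the path of a rules file that ip6fw
  # reads directly, with ipv6_firewall_flags passed through first
  # (left unquoted on purpose so it may carry several options).  The
  # path is quoted so whitespace in it survives.  A missing or
  # unreadable file leaves the ruleset empty -- the flush has already
  # happened -- so report that on stderr instead of failing silently.
  if [ -r "${ipv6_firewall_type}" ]; then
    ${fw6cmd} ${ipv6_firewall_flags} "${ipv6_firewall_type}"
  else
    printf '%s: ipv6_firewall_type "%s" is neither a known type nor a readable rules file; no rules loaded\n' \
      "${0##*/}" "${ipv6_firewall_type}" >&2
  fi
  ;;
esac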