1 # $FreeBSD: src/release/picobsd/floppy.tree/etc/rc.firewall,v 1.2.2.1 2002/03/08 05:17:25 luigi Exp $
2 # $DragonFly: src/release/picobsd/floppy.tree/etc/Attic/rc.firewall,v 1.2 2003/06/17 04:27:20 dillon Exp $
4 # Setup system for firewall service, with some sample configurations.
5 # Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
7 # If you override this file with your own copy, you can use ${hostname}
8 # as the key for the case statement. On entry, the firewall will be flushed
9 # and $fwcmd will point to the appropriate command (usually /sbin/ipfw)
11 # Sample configurations are:
12 # open - will allow anyone in
13 # client - will try to protect just this machine (should be customized).
14 # simple - will try to protect a whole network (should be customized).
15 # closed - totally disables IP services except via lo0 interface
16 # UNKNOWN - disables the loading of firewall rules.
17 # filename - will load the rules in the given filename (full path required)
21 # Only in rare cases do you want to change these rules
# Loopback traffic is always accepted. ipfw evaluates rules in ascending
# number order, so 1000 and 1010 run before every per-type rule added below.
22 $fwcmd add 1000 pass all from any to any via lo0
# A packet with 127/8 on both ends that reaches this rule did not come in
# via lo0 (rule 1000 would already have accepted it), i.e. it carries a
# spoofed loopback address on a real interface; drop it.
23 $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
27 case "${firewall_type}" in
29 $fwcmd add 65000 pass all from any to any
35 # This is a prototype setup that will protect your system somewhat against
36 # people from outside your own network.
39 # set these to your network and netmask and ip
44 # Allow any traffic to or from my own net.
45 $fwcmd add pass all from ${ip} to ${net}:${mask}
46 $fwcmd add pass all from ${net}:${mask} to ${ip}
48 # Allow TCP through if setup succeeded
49 $fwcmd add pass tcp from any to any established
51 # Allow setup of incoming email
52 $fwcmd add pass tcp from any to ${ip} 25 setup
54 # Allow setup of outgoing TCP connections only
55 $fwcmd add pass tcp from ${ip} to any setup
57 # Disallow setup of all other TCP connections
58 $fwcmd add deny tcp from any to any setup
61 # Allow DNS queries out in the world. Note that the inbound rule matches on
# source port only, so it admits any UDP datagram with source port 53 to any
# port on ${ip}; tighten it if that is not acceptable.
61 $fwcmd add pass udp from any 53 to ${ip}
62 $fwcmd add pass udp from ${ip} to any 53
64 # Allow NTP queries out in the world. As with DNS, the inbound rule matches
# on source port only (any UDP from source port 123 reaches any port on ${ip}).
65 $fwcmd add pass udp from any 123 to ${ip}
66 $fwcmd add pass udp from ${ip} to any 123
68 # Everything else is denied by default.
69 $fwcmd add 65000 deny all from any to any
75 # This is a prototype setup for a simple firewall. Configure this machine
76 # as a name server (named) and NTP server, and point all the machines on the inside
77 # at this machine for those services.
80 # set these to your outside interface network and netmask and ip
86 # set these to your inside interface network and netmask and ip
93 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
94 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
96 # Stop RFC1918 nets on the outside interface
97 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
98 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
99 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
101 # Allow TCP through if setup succeeded
102 $fwcmd add pass tcp from any to any established
104 # Allow setup of incoming email
105 $fwcmd add pass tcp from any to ${oip} 25 setup
107 # Allow access to our DNS
108 $fwcmd add pass tcp from any to ${oip} 53 setup
110 # Allow access to our WWW
111 $fwcmd add pass tcp from any to ${oip} 80 setup
113 # Deny and log every attempt to set up an incoming TCP connection from the outside
114 $fwcmd add deny log tcp from any to any in via ${oif} setup
116 # Allow setup of any other TCP connection
117 $fwcmd add pass tcp from any to any setup
119 # Allow DNS queries out in the world. Note that the inbound rule matches on
# source port only, so it admits any UDP datagram with source port 53 to any
# port on ${oip}; tighten it if that is not acceptable.
120 $fwcmd add pass udp from any 53 to ${oip}
121 $fwcmd add pass udp from ${oip} to any 53
123 # Allow NTP queries out in the world. As with DNS, the inbound rule matches
# on source port only (any UDP from source port 123 reaches any port on ${oip}).
124 $fwcmd add pass udp from any 123 to ${oip}
125 $fwcmd add pass udp from ${oip} to any 123
127 # Everything else is denied by default.
128 $fwcmd add 65000 deny all from any to any
132 echo "WARNING: firewall rules not loaded."
135 *) # an absolute pathname ?
136 if [ -f "${firewall_type}" ] ; then
137 $fwcmd ${firewall_type}
139 echo "WARNING: firewall config script (${firewall_type}) not found,"
140 echo " firewall rules not loaded."