2 # Setup system for firewall service.
3 # $FreeBSD: src/release/picobsd/router/floppy.tree/etc/rc.firewall,v 1.3 1999/08/28 01:33:50 peter Exp $
4 # $DragonFly: src/release/picobsd/router/floppy.tree/etc/Attic/rc.firewall,v 1.2 2003/06/17 04:27:20 dillon Exp $
7 # Define the firewall type in /etc/rc.conf. Valid values are:
8 # open - will allow anyone in
9 # client - will try to protect just this machine
10 # simple - will try to protect a whole network
11 # closed - totally disables IP services except via lo0 interface
12 # UNKNOWN - disables the loading of firewall rules.
13 # filename - will load the rules in the given filename (full path required)
15 # For ``client'' and ``simple'' the entries below should be customized
20 # If you don't know enough about packet filtering, we suggest that you
21 # take time to read this book:
23 # Building Internet Firewalls
24 # Brent Chapman and Elizabeth Zwicky
26 # O'Reilly & Associates, Inc
30 # For a more advanced treatment of Internet Security read:
32 # Firewalls & Internet Security
33 # Repelling the wily hacker
34 # William R. Cheswick, Steven M. Bellovin
41 if [ "x$1" != "x" ]; then
46 # Set quiet mode if requested
47 if [ "x$firewall_quiet" = "xYES" ]; then
54 # Flush out the list before we begin.
58 # If you just configured ipfw in the kernel as a tool to solve network
59 # problems or you just want to disallow some particular kinds of traffic
60 # then you will want to change the default policy to open. You can also
61 # do this as your only action by setting the firewall_type to ``open''.
63 # $fwcmd add 65000 pass all from any to any
66 # Only in rare cases do you want to change these rules
# Rule 1000 passes every packet carried on the loopback interface.  Rule 1010
# is evaluated after it, so it only ever sees 127/8 -> 127/8 traffic that
# arrived on some other interface, i.e. packets carrying a spoofed loopback
# address; those are dropped no matter which firewall_type branch below runs.
# NOTE(review): $fwcmd is expanded unquoted; presumably because the quiet-mode
# setup above (body not visible here) appends an option that must stay a
# separate word -- confirm before quoting it.
67 $fwcmd add 1000 pass all from any to any via lo0
68 $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
72 if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
74 $fwcmd add 65000 pass all from any to any
76 elif [ "${firewall_type}" = "client" ]; then
79 # This is a prototype setup that will protect your system somewhat against
80 # people from outside your own network.
83 # set these to your network and netmask and ip
88 # Allow any traffic to or from my own net.
89 $fwcmd add pass all from ${ip} to ${net}:${mask}
90 $fwcmd add pass all from ${net}:${mask} to ${ip}
92 # Allow TCP through if setup succeeded
93 $fwcmd add pass tcp from any to any established
95 # Allow setup of incoming email
96 $fwcmd add pass tcp from any to ${ip} 25 setup
98 # Allow setup of outgoing TCP connections only
99 $fwcmd add pass tcp from ${ip} to any setup
101 # Disallow setup of all other TCP connections
102 $fwcmd add deny tcp from any to any setup
104 # Allow DNS queries out in the world
105 $fwcmd add pass udp from any 53 to ${ip}
106 $fwcmd add pass udp from ${ip} to any 53
108 # Allow NTP queries out in the world
109 $fwcmd add pass udp from any 123 to ${ip}
110 $fwcmd add pass udp from ${ip} to any 123
112 # Everything else is denied as default.
114 elif [ "${firewall_type}" = "simple" ]; then
117 # This is a prototype setup for a simple firewall. Configure this machine
118 # as a named server and ntp server, and point all the machines on the inside
119 # at this machine for those services.
122 # set these to your outside interface network and netmask and ip
125 omask="255.255.255.0"
128 # set these to your inside interface network and netmask and ip
131 imask="255.255.255.0"
135 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
136 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
138 # Stop RFC1918 nets on the outside interface
139 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
140 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
141 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
143 # Allow TCP through if setup succeeded
144 $fwcmd add pass tcp from any to any established
146 # Allow setup of incoming email
147 $fwcmd add pass tcp from any to ${oip} 25 setup
149 # Allow access to our DNS
150 $fwcmd add pass tcp from any to ${oip} 53 setup
152 # Allow access to our WWW
153 $fwcmd add pass tcp from any to ${oip} 80 setup
155 # Reject&Log all setup of incoming connections from the outside
156 $fwcmd add deny log tcp from any to any in via ${oif} setup
158 # Allow setup of any other TCP connection
159 $fwcmd add pass tcp from any to any setup
161 # Allow DNS queries out in the world
162 $fwcmd add pass udp from any 53 to ${oip}
163 $fwcmd add pass udp from ${oip} to any 53
165 # Allow NTP queries out in the world
166 $fwcmd add pass udp from any 123 to ${oip}
167 $fwcmd add pass udp from ${oip} to any 123
169 # Everything else is denied as default.
171 elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
172 $fwcmd ${firewall_type}