From 429c71776eaa50e6430949a6d8f61cbe39f8f59a Mon Sep 17 00:00:00 2001
From: Poul-Henning Kamp
Date: Wed, 3 Apr 1996 17:13:59 +0000
Subject: [PATCH] Add skeleton firewall setup(s). Comments very welcome.
---
 etc/Makefile | 5 +-
 etc/netstart | 7 ++-
 etc/rc.firewall | 133 ++++++++++++++++++++++++++++++++++++++++++++++++
 etc/sysconfig | 5 +-
 4 files changed, 146 insertions(+), 4 deletions(-)
 create mode 100644 etc/rc.firewall
diff --git a/etc/Makefile b/etc/Makefile
index 802e795c7043..b79696c81510 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,5 +1,5 @@
 # from: @(#)Makefile 5.11 (Berkeley) 5/21/91
-# $Id: Makefile,v 1.134 1996/03/17 20:37:03 phk Exp $
+# $Id: Makefile,v 1.135 1996/03/22 17:28:07 nate Exp $
 #
 # -rw-r--r--
 BINOWN= root
@@ -8,7 +8,8 @@ BIN1= aliases amd.map csh.cshrc csh.login csh.logout dm.conf \
 ftpusers gettytab group hosts host.conf hosts.equiv hosts.lpd \
 inetd.conf login.access motd modems netstart networks \
 newsyslog.conf phones pccard.conf.sample printcap profile protocols \
- rc rc.local rc.pccard rc.serial etc.${MACHINE}/rc.${MACHINE} \
+ rc rc.firewall rc.local rc.pccard rc.serial \
+ etc.${MACHINE}/rc.${MACHINE} \
 remote security services sysconfig shells \
 syslog.conf ttys etc.${MACHINE}/disktab rpc make.conf \
 ${.CURDIR}/../gnu/usr.bin/man/manpath/manpath.config \
diff --git a/etc/netstart b/etc/netstart
index 9cdc1357a5bb..220bc1bfe3b8 100755
--- a/etc/netstart
+++ b/etc/netstart
@@ -1,6 +1,6 @@
 #!/bin/sh
-
 #
-# $Id: netstart,v 1.41 1996/02/09 12:45:37 jkh Exp $
+# $Id: netstart,v 1.42 1996/02/11 04:07:25 jkh Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 # Note that almost all the user-configurable behavior is no longer in
@@ -23,6 +23,11 @@ if [ -n "$defaultdomainname" -a "x$defaultdomainname" != "xNO" ] ; then
 domainname $defaultdomainname
 fi
+# If IP filtering
+if [ -n "$firewall" -a "x$firewall" != "xNO" -f /etc/rc.firewall ] ; then
+ sh /etc/rc.firewall
+fi
+
 #
 # XXX This is known to cause an error if /usr is nfs mounted since it
 # will not be available until after the network is up :-(. Once the
diff --git a/etc/rc.firewall b/etc/rc.firewall
new file mode 100644
index 000000000000..026334c455d6
--- /dev/null
+++ b/etc/rc.firewall
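Review bot: The added `if` line is missing the `-a` before `-f`, so `[ -n "$firewall" -a "x$firewall" != "xNO" -f /etc/rc.firewall ]` gives test(1) a string comparison followed by a stray `-f` operand; that is most likely a syntax error (non-zero status), which `if` treats as false, so with `firewall=YES` the rules are silently never loaded and the host comes up unfiltered. It should read `if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then`. The bare `# If IP filtering` comment could also say why this runs here, e.g. `# Load the packet-filter rules (if enabled in sysconfig) before any interface is configured`, assuming, as the later "network is up" context suggests, that interface setup follows in this file.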
@@ -0,0 +1,133 @@
+############
+# Setup system for firewall service.
+# $Id$
+
+############
+#
+# >>Warning<<
+# This file is not very old yet, and have been put together without much
+# test of the contents.
+
+############
+#
+# If you don't know enough about packet filtering, we suggest that you
+# take time to read this book:
+#
+# Firewalls & Internet Security
+# Repelling the wily hacker
+# William R. Cheswick, Steven M. Bellowin
+#
+# Addison-Wesley
+# ISBN 0-201-6337-4
+#
+
+############
+# If you just configured ipfw in the kernel as a tool to solve network
+# problems or you just want to disallow some particular kinds of traffic
+# they you will want to change the default policy to open.
+
+# /sbin/ipfw add 65000 pass all from any to any
+
+############
+# Only in rare cases do you want to change this rule
+/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
+
+############
+# This is a prototype setup that will protect your system somewhat against
+# people from outside your own network.
+#
+# To enable simply change "false" to "true" in the if line and set the
+# variables to your network parameters
+
+if false ; then
+ # set these to your network and netmask and ip
+ net="192.168.4.0"
+ mask="255.255.255.0"
+ ip="192.168.4.17"
+
+ # Allow any traffic to or from my own net.
+ /sbin/ipfw add pass all from ${ip} to ${net}:${mask}
+ /sbin/ipfw add pass all from ${net}:${mask} to ${ip}
+
+ # Allow TCP through if setup succeeded
+ /sbin/ipfw add deny tcp from any to any established
+
+ # Allow setup of incoming email
+ /sbin/ipfw add pass tcp from any to ${ip} 25 setup
+
+ # Allow setup of outgoing TCP connections only
+ /sbin/ipfw add pass tcp from ${ip} to any setup
+
+ # Disallow setup of all other TCP connections
+ /sbin/ipfw add deny tcp from any to any setup
+
+ # Allow DNS queries out in the world
+ /sbin/ipfw add pass udp from any 53 to ${ip}
+ /sbin/ipfw add pass udp from ${ip} to any 53
+
+ # Allow NTP queries out in the world
+ /sbin/ipfw add pass udp from any 123 to ${ip}
+ /sbin/ipfw add pass udp from ${ip} to any 123
+
+ # Everyting else is denied as default.
+fi
+
+############
+# This is a prototype setup for a simple firewall. Configure this machine
+# as a named server and ntp server, and point all the machines on the inside
+# at this machine for those services.
+#
+# To enable simply change "false" to "true" in the if line and set the
+# variables to your network parameters
+
+if false ; then
+ # set these to your outside interface network and netmask and ip
+ oif="ed0"
+ onet="192.168.4.0"
+ omask="255.255.255.0"
+ oip="192.168.4.17"
+
+ # set these to your inside interface network and netmask and ip
+ iif="ed1"
+ inet="192.168.3.0"
+ imask="255.255.255.0"
+ iip="192.168.3.17"
+
+ # Stop spoofing
+ /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
+ /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
+
+ # Stop RFC1918 nets on the outside interface
+ /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
+ /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
+ /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+
+ # Allow TCP through if setup succeeded
+ /sbin/ipfw add deny tcp from any to any established
+
+ # Allow setup of incoming email
+ /sbin/ipfw add pass tcp from any to ${oip} 25 setup
+
+ # Allow access to our DNS
+ /sbin/ipfw add pass tcp from any to ${oip} 53 setup
+
+ # Allow access to our WWW
+ /sbin/ipfw add pass tcp from any to ${oip} 80 setup
+
+ # Reject&Log all setup of incoming connections from the outside
+ /sbin/ipfw add deny log tcp from any to any in via ${oif} setup
+
+ # Allow setup of any other TCP connection
+ /sbin/ipfw add pass tcp from any to any setup
+
+ # Allow DNS queries out in the world
+ /sbin/ipfw add pass udp from any 53 to ${oip}
+ /sbin/ipfw add pass udp from ${oip} to any 53
+
+ # Allow NTP queries out in the world
+ /sbin/ipfw add pass udp from any 123 to ${oip}
+ /sbin/ipfw add pass udp from ${oip} to any 123
+
+ # Everyting else is denied as default.
+fi
+
diff --git a/etc/sysconfig b/etc/sysconfig
index 1ea5f0fc671f..2cb5fc412198 100644
--- a/etc/sysconfig
+++ b/etc/sysconfig
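Review bot: The rule under `# Allow TCP through if setup succeeded` in both prototype blocks is `/sbin/ipfw add deny tcp from any to any established`, which contradicts its own comment: if `established` matches the packets of connections whose setup already succeeded, a deny here drops the reply and data packets of every TCP session, including the mail, DNS and WWW connections the following `pass ... setup` rules admit. Unless a deny was really intended, both lines should read `/sbin/ipfw add pass tcp from any to any established`, and a short comment should state that this rule must stay above the `setup` rules so that only connection setup is policed. The two blocks also take opposite stances on other `setup` packets (the first denies them all, the second logs and denies them only `in via ${oif}` and then passes the rest), which is reasonable for an inside/outside gateway but deserves a one-line comment saying the second prototype trusts the inside interface. The simple-firewall block filters RFC1918 sources on `${oif}` but not loopback sources, so `/sbin/ipfw add deny all from 127.0.0.0:255.0.0.0 to any via ${oif}` next to the RFC1918 rules would close that gap.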
@@ -4,7 +4,7 @@
 # This is sysconfig - a file full of useful variables that you can set
 # to change the default startup behavior of your system.
 #
-# $Id: sysconfig,v 1.41 1996/03/12 15:39:26 nate Exp $
+# $Id: sysconfig,v 1.42 1996/03/14 18:24:07 nate Exp $
 ######################### Start Of Local Configuration Section ###########
@@ -191,6 +191,9 @@ kerberos_server=NO
 # If you want this host to be a gateway, set to YES.
 gateway=NO
+# If you want this host to be a firewall or otherwise filter IP, set to YES.
+firewall=NO
+
 # Set to YES if you wish to check quotas. NOTE: For now this probably
 # doesn't work and should be left disabled.
 check_quotas=NO
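Review bot: The comment above the new `firewall=NO` should warn that YES is not safe to set on its own: as shipped, /etc/rc.firewall adds only the loopback `pass` rule, both prototype rule sets sit behind `if false`, and that file's own comments say everything else is denied by default, so enabling this without editing rc.firewall would presumably leave the host with no network access beyond 127.0.0.1. Suggest adding a second comment line, `# and edit /etc/rc.firewall first: the shipped file passes only loopback traffic.`. It is also worth noting here that the netstart test treats any value other than NO as enabled, so `firewall=yes` or `firewall=1` behave the same as YES.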