d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
933f6f8689
freebsd-dev/release/picobsd/custom/mfs/etc/rc.firewall
Greg Lehey 0f33c9fb91 Add 'custom' directory with significantly restructured build (now 
using make instead of custom scripts) and two floppies instead of
one.  The resultant floppy can do everything that the individual
floppies (dial, net, install, isp, router) could do, modulo some bit
rot that has occurred since PicoBSD last compiled.  It also includes
all the programs on the fixit floppy, which could thus also die.

/bin currently contains the following files:

-sh             dump            ln              ns              sps
[               ed              login           ping            stty
badsect         ex              ls              ps              swapon
cat             expr            mkdir           pwd             sync
chgrp           fdisk           mknod           pwd_mkdb        sysctl
chmod           find            more            rdump         syslogd
chown           fsck            mount           reboot          tar
chroot          ftp             mount_cd9660    restore         telnet
clri            getty           mount_msdos     rlogin                telnetd
cp              grep            mount_nfs       rm              test
date            gunzip          mount_std       rmdir         traceroute
dd              gzip            msg             route           umount
dev_mkdb        hostname        mt              routed          vi
df              ifconfig        mv              rrestore        view
dhclient        inetd           natd            rsh             vm
dhclient-script init            netstat         sed             w
disklabel       kget            newfs           sh              zcat
dmesg           kill            nfs             sleep

Structure is in place for using the same build for the other
directories, but I'm no longer sure we need this.  The current first
floppy will run fine by itself, but the size of a compressed kernel
has increased by nearly 50% since 3.2, and there's not much space for
anything useful on the remainder of the floppy.  The current method
creates a larger mfs and can read as many floppies as the user can
stand.  The footprint appears to be round 14 MB.
1999-12-10 21:52:18 +00:00

173 lines
5.0 KiB
Plaintext
Raw Blame History

############
# Setup system for firewall service.
# $FreeBSD$
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - will allow anyone in
# client - will try to protect just this machine
# simple - will try to protect a whole network
# closed - totally disables IP services except via lo0 interface
# UNKNOWN - disables the loading of firewall rules.
# filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
# Building Internet Firewalls
# Brent Chapman and Elizabeth Zwicky
#
# O'Reilly & Associates, Inc
# ISBN 1-56592-124-0
# http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
# Firewalls & Internet Security
# Repelling the wily hacker
# William R. Cheswick, Steven M. Bellowin
#
# Addison-Wesley
# ISBN 0-201-6337-4
# http://www.awl.com/
#
if [ "x$1" != "x" ]; then
firewall_type=$1
fi
############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
fwcmd="/sbin/ipfw -q"
else
fwcmd="/sbin/ipfw"
fi
############
# Flush out the list before we begin.
$fwcmd -f flush
############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
# $fwcmd add 65000 pass all from any to any
############
# Only in rare cases do you want to change these rules
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
# Prototype setups.
if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
$fwcmd add 65000 pass all from any to any
elif [ "${firewall_type}" = "client" ]; then
############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
############
# set these to your network and netmask and ip
net="192.168.4.0"
mask="255.255.255.0"
ip="192.168.4.17"
# Allow any traffic to or from my own net.
$fwcmd add pass all from ${ip} to ${net}:${mask}
$fwcmd add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
$fwcmd add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
$fwcmd add deny tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${ip}
$fwcmd add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${ip}
$fwcmd add pass udp from ${ip} to any 123
# Everything else is denied as default.
elif [ "${firewall_type}" = "simple" ]; then
############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="192.168.4.0"
omask="255.255.255.0"
oip="192.168.4.17"
# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.3.0"
imask="255.255.255.0"
iip="192.168.3.17"
# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
$fwcmd add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi
Reference in New Issue View Git Blame Copy Permalink