From 417527cc24aab508dd12868c6cfc59d73475e86c Mon Sep 17 00:00:00 2001 From: phk Date: Sat, 28 Oct 2006 20:08:12 +0000 Subject: [PATCH] Give rc.firewall a polish and a new method. Factor out the loopback setup Use "me" instead of hardcoded $ip where possible. Add "workstation" which protects just this machine with stateful firewalling. Put the variables for this in rc.conf. Submitted by: Flemming Jacobsen Reviewed by: cperciva --- etc/defaults/rc.conf | 10 ++++ etc/rc.firewall | 123 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 117 insertions(+), 16 deletions(-) diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index f75171a8ef68..10f37df5a395 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -104,6 +104,16 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file +firewall_myservices="" # List of TCP ports on which this host + # offers services +firewall_allowservices="" # List of IPs which has access to + # $firewall_myservices +firewall_trusted="" # List of IPs which has full access to this host +firewall_logdeny="NO" # Set to YES to log default denied incoming + # packets. +firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports + # for which denied incoming packets are not + # logged. ip_portrange_first="NO" # Set first dynamically allocated port ip_portrange_last="NO" # Set last dynamically allocated port ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd) diff --git a/etc/rc.firewall b/etc/rc.firewall index a288b3c2cb14..132df9ca3abd 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -42,12 +42,14 @@ fi ############ # Define the firewall type in /etc/rc.conf. Valid values are: -# open - will allow anyone in -# client - will try to protect just this machine -# simple - will try to protect a whole network -# closed - totally disables IP services except via lo0 interface -# UNKNOWN - disables the loading of firewall rules. -# filename - will load the rules in the given filename (full path required) +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# workstation - will try to protect just this machine using statefull +# firewalling. See below for rc.conf variables used +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) # # For ``client'' and ``simple'' the entries below should be customized # appropriately. @@ -107,6 +109,8 @@ esac # ${fwcmd} -f flush +setup_loopback + ############ # Network Address Translation. All packets are passed to natd(8) # before they encounter your remaining rules. The firewall rules @@ -140,7 +144,6 @@ esac # case ${firewall_type} in [Oo][Pp][Ee][Nn]) - setup_loopback ${fwcmd} add 65000 pass all from any to any ;; @@ -155,8 +158,6 @@ case ${firewall_type} in mask="255.255.255.0" ip="192.0.2.1" - setup_loopback - # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} @@ -168,19 +169,19 @@ case ${firewall_type} in ${fwcmd} add pass all from any to any frag # Allow setup of incoming email - ${fwcmd} add pass tcp from any to ${ip} 25 setup + ${fwcmd} add pass tcp from any to me 25 setup # Allow setup of outgoing TCP connections only - ${fwcmd} add pass tcp from ${ip} to any setup + ${fwcmd} add pass tcp from me to any setup # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world - ${fwcmd} add pass udp from ${ip} to any 53 keep-state + ${fwcmd} add pass udp from me to any 53 keep-state # Allow NTP queries out in the world - ${fwcmd} add pass udp from ${ip} to any 123 keep-state + ${fwcmd} add pass udp from me to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -206,8 +207,6 @@ case ${firewall_type} in imask="255.255.255.240" iip="192.0.2.17" - setup_loopback - # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} @@ -289,8 +288,100 @@ case ${firewall_type} in # config file. ;; +[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn]) + # Configuration: + # firewall_myservices: List of TCP ports on which this host + # offers services. + # firewall_allowservices: List of IPs which has access to + # $firewall_myservices. + # firewall_trusted: List of IPs which has full access + # to this host. Be very carefull + # when setting this. This option can + # seriously degrade the level of + # protection provided by the firewall. + # firewall_logdeny: Boolean (YES/NO) specifying if the + # default denied packets should be + # logged (in /var/log/security). + # firewall_nologports: List of TCP/UDP ports for which + # denied incomming packets are not + # logged. + + # Allow packets for which a state has been built. + ${fwcmd} add check-state + + # For services permitted below. + ${fwcmd} add pass tcp from me to any established + + # Allow any connection out, adding state for each. + ${fwcmd} add pass tcp from me to any setup keep-state + ${fwcmd} add pass udp from me to any keep-state + ${fwcmd} add pass icmp from me to any keep-state + + # Allow DHCP. + ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out + ${fwcmd} add pass udp from any 67 to me 68 in + ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in + # Some servers will ping the IP while trying to decide if it's + # still in use. + ${fwcmd} add pass icmp from any to any icmptype 8 + + # Allow "mandatory" ICMP in. + ${fwcmd} add pass icmp from any to any icmptype 3,4,11 + + # Add permits for this workstations published services below + # Only IPs and nets in firewall_allowservices is allowed in. + # If you really wish to let anyone use services on your + # workstation, then set "firewall_allowservices='any'" in /etc/rc.conf + # + # Note: We don't use keep-state as that would allow DoS of + # our statetable. + # You can add 'keep-state' to the lines for slightly + # better performance if you fell that DoS of your + # workstation won't be a problem. + # + for i in ${firewall_allowservices} ; do + for j in ${firewall_myservices} ; do + ${fwcmd} add pass tcp from $i to me $j + done + done + + # Allow all connections from trusted IPs. + # Playing with the content of firewall_trusted could seriously + # degrade the level of protection provided by the firewall. + for i in ${firewall_trusted} ; do + ${fwcmd} add pass ip from $i to me + done + + ${fwcmd} add 65000 count ip from any to any + + # Drop packets to ports where we don't want logging + for i in ${firewall_nologports} ; do + ${fwcmd} add deny { tcp or udp } from any to any $i in + done + + # Broadcasts and muticasts + ${fwcmd} add deny ip from any to 255.255.255.255 + ${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX + + # Noise from routers + ${fwcmd} add deny udp from any to any 520 in + + # Noise from webbrowsing. + # The statefull filter is a bit agressive, and will cause some + # connection teardowns to be logged. + ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in + + # Deny and (if wanted) log the rest unconditionally. + log="" + if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then + log="log logamount 500" # The default of 100 is too low. + sysctl net.inet.ip.fw.verbose=1 >/dev/null + fi + ${fwcmd} add deny $log ip from any to any + ;; + [Cc][Ll][Oo][Ss][Ee][Dd]) - setup_loopback + ${fwcmd} add 65000 deny ip from any to any ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;;