freebsd-skq/release/picobsd/floppy.tree/etc/rc.firewall
Luigi Rizzo 107a6eaf0a Major cleanup of PicoBSD startup scripts, which now should be
closer to doing "the right thing".

The structure is now the following:

  * /etc/rc (from MFS) loads the rest of /etc and /root from
    /fd and then from floppy (if present), then transfers control
    to /etc/rc1

  * /etc/rc1 loads defaults from /etc/rc.conf.defaults, tries to
    set the hostname basing on the MAC address of the first ethernet
    interface, and then sources /etc/rc.conf and /etc/rc.conf.local
    for local configurations

  * The rest of the startup process is then performed (rc.network and so on).

Everything except the initial /etc/rc (from MFS) can be overridden with
a local version loaded from floppy. But in most cases, you should only need
to customize the following files in /etc:

	rc.conf    rc.firewall    hosts

Previously there were a number of inconsistencies in the calling
between files, and also a lot of clutter in rc.conf and rc.firewall.
Also, "rc1" was called "rc" and would overwrite the initial /etc/rc
from MFS, making it really hard to figure out what was going on in
case of bugs.
2002-03-08 05:15:08 +00:00

143 lines
4.4 KiB
Plaintext

# $FreeBSD$
# Setup system for firewall service, with some sample configurations.
# Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
#
# If you override this file with your own copy, you can use ${hostname}
# as the key for the case statement. On entry, the firewall will be flushed
# and $fwcmd will point to the appropriate command (usually /sbin/ipfw)
#
# Sample configurations are:
# open - will allow anyone in
# client - will try to protect just this machine (should be customized).
# simple - will try to protect a whole network (should be customized).
# closed - totally disables IP services except via lo0 interface
# UNKNOWN - disables the loading of firewall rules.
# filename - will load the rules in the given filename (full path required)
#
############
# Only in rare cases do you want to change these rules
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
# Prototype setups.
case "${firewall_type}" in
open|OPEN)
$fwcmd add 65000 pass all from any to any
;;
client)
############
# This is a prototype setup that will protect your system somewhat against
# people from outside your own network.
############
# set these to your network and netmask and ip
net="192.168.4.0"
mask="255.255.255.0"
ip="192.168.4.17"
# Allow any traffic to or from my own net.
$fwcmd add pass all from ${ip} to ${net}:${mask}
$fwcmd add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
$fwcmd add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
$fwcmd add deny tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${ip}
$fwcmd add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${ip}
$fwcmd add pass udp from ${ip} to any 123
# Everything else is denied as default.
$fwcmd add 65000 deny all from any to any
;;
simple)
############
# This is a prototype setup for a simple firewall. Configure this machine
# as a named server and ntp server, and point all the machines on the inside
# at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="ed0"
onet="192.168.4.0"
omask="255.255.255.0"
oip="192.168.4.17"
# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.3.0"
imask="255.255.255.0"
iip="192.168.3.17"
# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
$fwcmd add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
$fwcmd add 65000 deny all from any to any
;;
UNKNOWN|"")
echo "WARNING: firewall rules not loaded."
;;
*) # an absolute pathname ?
if [ -f "${firewall_type}" ] ; then
$fwcmd ${firewall_type}
else
echo "WARNING: firewall config script (${firewall_type}) not found,"
echo " firewall rules not loaded."
fi
;;
esac