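#!/bin/sh
############
# Setup system for IPv6 firewall service.
# $FreeBSD: src/etc/rc.firewall6,v 1.1.2.11 2003/02/10 05:45:06 trhodes Exp $
#
# Run at boot, or by hand as "sh /etc/rc.firewall6 TYPE", to flush the
# ip6fw(8) rule list and reload it according to ${ipv6_firewall_type}.
#
# Variables read (from rc.conf unless already in the environment):
#   ipv6_firewall_type   - one of the keywords below, or a rules file path
#   ipv6_firewall_quiet  - "YES" runs ip6fw with -q
#   ipv6_firewall_flags  - extra flags passed when a rules file is loaded
# A non-empty first argument overrides ipv6_firewall_type.
#
# NOTE(review): every rule here is evaluated statelessly by ip6fw; nothing
# below creates dynamic state.  Rules keyed on "established", "frag" or a
# remote source port are therefore heuristics, not connection tracking, and
# the comments marked NOTE(review) say where that matters.

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#	http://www.awl.com/
#	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#

#######################################
# Rules every non-"closed" policy needs: loopback plus the ICMPv6
# Neighbor Discovery traffic without which IPv6 cannot even bring an
# interface up.  Only in rare cases do you want to change these rules.
# Globals: fw6cmd (read) - must be set before this is called
# Outputs: whatever ip6fw prints
#######################################
setup_local () {
	${fw6cmd} add 100 pass all from any to any via lo0
	#
	# ND
	#
	# DAD: Duplicate Address Detection is sent from the unspecified
	# address to a solicited-node multicast group.
	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
	# RS, RA, NS, NA, redirect... between link-local peers and to
	# link-local multicast.
	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
	${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
}

# A command-line argument overrides the rc.conf setting.
if [ -n "${1}" ]; then
	ipv6_firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
# fw6cmd holds the command plus an optional flag; it is expanded
# unquoted everywhere on purpose so the flag is a separate word.
case ${ipv6_firewall_quiet} in
[Yy][Ee][Ss])
	fw6cmd="/sbin/ip6fw -q"
	;;
*)
	fw6cmd="/sbin/ip6fw"
	;;
esac

############
# Flush out the list before we begin.
#
# From here until the rules are reloaded the box runs on the kernel's
# compiled-in default policy (deny, unless IPV6FIREWALL_DEFAULT_TO_ACCEPT).
${fw6cmd} -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the ipv6_firewall_type to ``open''.
#
# ${fw6cmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${ipv6_firewall_type} in
[Oo][Pp][Ee][Nn])
	setup_local
	${fw6cmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and prefixlen and ip
	#
	# This needs more work
	#
	# NOTE(review): the 3ffe::/16 values are placeholders from the old
	# 6bone test prefix; they must be replaced with your own addresses
	# or the "own net" rules below match nothing useful.
	net="3ffe:505:2:1::"
	prefixlen="64"
	ip="3ffe:505:2:1::1"

	setup_local

	# Allow any traffic to or from my own net.
	${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
	${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}

	# Allow any link-local multicast traffic
	${fw6cmd} add pass all from fe80::/10 to ff02::/16
	${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16

	# Allow TCP through if setup succeeded
	# NOTE(review): "established" is a flag test, not state: any TCP
	# segment with ACK (or RST) set matches, whoever sent it.
	${fw6cmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	# NOTE(review): non-first fragments carry no port numbers, so this
	# passes them for every protocol; the port rules below never see them.
	${fw6cmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fw6cmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fw6cmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fw6cmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	# NOTE(review): the first rule keys only on the remote *source* port,
	# so any UDP datagram sent from port 53 reaches every UDP port on
	# ${ip}.  ip6fw has no dynamic rules; if that is a concern, narrow the
	# destination to the resolver's ephemeral port range.
	${fw6cmd} add pass udp from any 53 to ${ip}
	${fw6cmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	# NOTE(review): same source-port caveat as for DNS above.
	${fw6cmd} add pass udp from any 123 to ${ip}
	${fw6cmd} add pass udp from ${ip} to any 123

	# Allow ICMPv6 destination unreach
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

	# Allow NS/NA/toobig (don't filter it out)
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

	# Everything else is denied by default, unless the
	# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and prefixlen and ip
	# NOTE(review): 3ffe::/16 placeholders, see the "client" section.
	oif="ed0"
	onet="3ffe:505:2:1::"
	oprefixlen="64"
	oip="3ffe:505:2:1::1"

	# set these to your inside interface network and prefixlen and ip
	iif="ed1"
	inet="3ffe:505:2:2::"
	iprefixlen="64"
	iip="3ffe:505:2:2::1"

	setup_local

	# Stop spoofing: inside addresses must not arrive on the outside
	# interface and vice versa.
	${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
	${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}

	# Stop site-local on the outside interface
	${fw6cmd} add deny all from fec0::/10 to any via ${oif}
	${fw6cmd} add deny all from any to fec0::/10 via ${oif}

	# Disallow "internal" addresses to appear on the wire.
	# (IPv4-mapped addresses.)
	${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
	${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}

	# Disallow packets to malicious IPv4 compatible prefix.
	# (IPv4-compatible forms of multicast, loopback, 0/8 and 255/8.)
	${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
	${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
	${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
	${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
	${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}

	${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
	${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}

	# Disallow packets to malicious 6to4 prefix.
	# (2002::/16 embeds an IPv4 address; these are the 6to4 forms of
	# multicast, loopback, 0/8, 255/8 and the RFC 1918 private ranges.)
	${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
	${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
	${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
	${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}

	${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
	${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
	${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}

	# Site-local scope multicast must not cross the outside interface.
	${fw6cmd} add deny all from ff05::/16 to any via ${oif}
	${fw6cmd} add deny all from any to ff05::/16 via ${oif}

	# Allow TCP through if setup succeeded
	# NOTE(review): "established" is a flag test (ACK or RST set), not
	# connection state.
	${fw6cmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	# NOTE(review): non-first fragments carry no ports, so this passes
	# them for every protocol before any port rule is consulted.
	${fw6cmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fw6cmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fw6cmd} add pass tcp from any to ${oip} 53 setup
	${fw6cmd} add pass udp from any to ${oip} 53
	${fw6cmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fw6cmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fw6cmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fw6cmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	# NOTE(review): keyed on the remote source port only; any UDP from
	# port 53 reaches every UDP port on ${oip}.  Narrow the destination
	# port range if that matters to you (ip6fw has no dynamic rules).
	${fw6cmd} add pass udp from any 53 to ${oip}
	${fw6cmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	# NOTE(review): same source-port caveat as for DNS above.
	${fw6cmd} add pass udp from any 123 to ${oip}
	${fw6cmd} add pass udp from ${oip} to any 123

	# Allow RIPng
	#${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
	#${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521

	# Allow ICMPv6 destination unreach
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

	# Allow NS/NA/toobig (don't filter it out)
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

	# Everything else is denied by default, unless the
	# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	# Only enable the loopback interface (setup_local is deliberately
	# not called: no ND means no IPv6 on the wire at all).
	${fw6cmd} add 100 pass all from any to any via lo0
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	# Explicitly requested: load nothing, leave the kernel default policy.
	;;
*)
	# Anything else is taken as the full path of an ip6fw rules file.
	if [ -r "${ipv6_firewall_type}" ]; then
		# ${ipv6_firewall_flags} stays unquoted so it may carry several
		# flags; the path is quoted so a space in it survives.
		${fw6cmd} ${ipv6_firewall_flags} "${ipv6_firewall_type}"
	else
		# The list was flushed above, so reaching here leaves the box on
		# the kernel default policy with no rules loaded.  Say so rather
		# than fail silently: an empty or mistyped type previously looked
		# exactly like success.
		echo "rc.firewall6: ipv6_firewall_type '${ipv6_firewall_type}' is neither a known type nor a readable rules file; no rules loaded" >&2
	fi
	;;
esac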