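#!/bin/sh
#
# Copyright (c) 2004 The DragonFly Project.  All rights reserved.
#
# This code is derived from software contributed to The DragonFly Project
# by Andreas Hauser <andy-dragonfly@splashground.de>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in
#    the documentation and/or other materials provided with the
#    distribution.
# 3. Neither the name of The DragonFly Project nor the names of its
#    contributors may be used to endorse or promote products derived
#    from this software without specific, prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $DragonFly: src/etc/rc.firewall,v 1.3 2004/10/22 20:26:03 dillon Exp $

# A simple ipfw(8) packetfilter configurable via /etc/rc.conf.
#
# Usage: rc.firewall [start|stop|<firewall_type>]
#   start           - load the rule set selected by ${firewall_type}
#   stop            - load the "open" rule set (everything passes)
#   anything else   - used as ${firewall_type} for this run
#
# Variables in rc.conf:
#
# firewall_type
#	UNKNOWN  - disables the loading of firewall rules (note: the existing
#	           rule set is still flushed, see below)
#	open     - will allow anyone in
#	client   - enables the packetfilter
#	simple   - enables the packetfilter (historical alias for client)
#	closed   - totally disables IP services except via lo0 interface
#	filename - will load the rules in the given filename (full path required)
#
# firewall_trusted_nets        - nets that may talk to this host freely
# firewall_trusted_interfaces  - interfaces on which everything passes
# firewall_allowed_icmp_types  - ICMP types accepted from anywhere
# firewall_open_tcp_ports      - TCP ports anyone may connect to
# firewall_open_udp_ports      - UDP ports anyone may send to
# firewall_quiet               - YES: run ipfw with -q
# firewall_logging             - YES: add "log" to the deny rules
# firewall_flags               - extra ipfw flags when loading a rule file
# natd_enable / natd_interface - add the natd divert rule (open/client only)

if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

case ${firewall_logging} in
[Yy][Ee][Ss])
	log="log"
	;;
*)
	log=""
	;;
esac

# We handle start, stop, firewall_type and nothing as argument.
if [ -n "$1" ]; then
	case $1 in
	start)
		;;
	stop)
		firewall_type="open"
		;;
	*)
		firewall_type="$1"
		;;
	esac
fi

# Pass everything on lo0 and reject loopback addresses seen on any
# other interface (they are never legitimate on the wire).
allow_loopback() {
	${fwcmd} add pass all from any to any via lo0
	${fwcmd} add deny ${log} all from any to 127.0.0.0/8
	${fwcmd} add deny ${log} ip from 127.0.0.0/8 to any
}

# Placeholder for reverse-path anti-spoofing.  Until verrevpath is
# available the only spoof protection is the bogon-source deny in
# deny_not_routed_nets below.
deny_spoof() {
	# XXX we don't have verrevpath yet
	# ${fwcmd} add deny ${log} ip from any to any not verrevpath in
	echo no verrevpath yet, so no anti-spoof
}

# Accept the given ICMP types from anywhere.
# Arguments: list of ICMP type numbers
allow_icmp_types() {
	for icmptype in "$@"; do
		${fwcmd} add allow icmp from any to any icmptypes ${icmptype}
	done
}

# Let this host and each trusted net talk to each other without
# further restriction.
# Arguments: list of nets (ipfw address syntax)
allow_trusted_nets() {
	for net in "$@"; do
		${fwcmd} add pass all from me to ${net}
		${fwcmd} add pass all from ${net} to me
	done
}

# Pass everything seen on the given interfaces.
# Arguments: list of interface names
allow_trusted_interfaces() {
	for ifname in "$@"; do
		${fwcmd} add pass all from any to any via ${ifname}
	done
}

# Allow connections this host initiates, plus the traffic needed to
# keep them alive.
allow_connections() {
	${fwcmd} add pass tcp from any to any established
	# NOTE(review): non-first fragments carry no L4 header, so they
	# cannot be matched on ports; passing them here means the port
	# filters below do not apply to fragment tails.
	${fwcmd} add pass all from any to any frag
	${fwcmd} add pass tcp from me to any setup
	# Relies on ipfw consulting its dynamic rules at the first
	# keep-state rule, so UDP replies to us are matched here.
	${fwcmd} add pass udp from me to any keep-state
}

# Accept new TCP connections to the given local ports.
# Arguments: list of ports
open_tcp_ports() {
	for port in "$@"; do
		${fwcmd} add pass tcp from any to me ${port} setup
	done
}

# Accept UDP to the given local ports, and the answers sent from them.
# Arguments: list of ports
open_udp_ports() {
	for port in "$@"; do
		${fwcmd} add pass udp from any to me ${port}
		${fwcmd} add pass udp from me ${port} to any
	done
}

# Drop traffic to or from address ranges that must never appear on a
# routed link (RFC 1918, link-local, TEST-NET, multicast, reserved).
# The source-side deny stands in for the missing verrevpath check:
# without it a packet with a spoofed private source address would
# reach the port rules below.  Hosts that sit on such a net must list
# it in firewall_trusted_nets (matched earlier) to keep talking to it.
deny_not_routed_nets()
{
	# These nets should not be routed
	nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
		169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
	# ${nets} is deliberately unquoted: it is a space separated list.
	for bogon in ${nets} ; do
		${fwcmd} add deny ${log} all from any to ${bogon}
		${fwcmd} add deny ${log} all from ${bogon} to any
	done
}

# Final catch-all deny, numbered so it always sorts last.
deny_rest() {
	${fwcmd} add 65000 deny ${log} all from any to any
}


# The old rule set is always discarded, even for firewall_type=UNKNOWN.
${fwcmd} -f flush

# natd divert goes in at rule 50 so it precedes all auto-numbered rules.
case ${firewall_type} in
	[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
		case ${natd_enable} in
		[Yy][Ee][Ss])
			if [ -n "${natd_interface}" ]; then
				${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
			fi
			;;
		esac
esac

case ${firewall_type} in
	[Oo][Pp][Ee][Nn])
		allow_loopback
		deny_spoof
		# The pass-all rule is numbered last: adding it as rule 1 would
		# shadow the natd divert (rule 50) and the lo0 deny rules above.
		${fwcmd} add 65000 pass all from any to any
		;;

	# historical names
	[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
		allow_loopback
		deny_spoof
		allow_trusted_nets ${firewall_trusted_nets}
		allow_trusted_interfaces ${firewall_trusted_interfaces}
		allow_connections
		deny_not_routed_nets
		allow_icmp_types ${firewall_allowed_icmp_types}
		open_tcp_ports ${firewall_open_tcp_ports}
		open_udp_ports ${firewall_open_udp_ports}
		deny_rest
		;;

	[Cc][Ll][Oo][Ss][Ee][Dd])
		# Only lo0 traffic survives.  (Previously called the undefined
		# setup_loopback, which left closed mode without any lo0 rules.)
		allow_loopback
		deny_rest
		;;

	[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
		;;

	*)
		if [ -r "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} "${firewall_type}"
		else
			# Say so instead of silently leaving the flushed table in
			# place with only the kernel default rule.
			echo "rc.firewall: firewall_type '${firewall_type}' is not a known type or a readable rule file; no rules loaded" >&2
		fi
		;;
esac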