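#!/bin/sh
############
# Setup system for IPv6 firewall service.
# $FreeBSD: src/etc/rc.firewall6,v 1.1.2.11 2003/02/10 05:45:06 trhodes Exp $
# $DragonFly: src/etc/rc.firewall6,v 1.3 2008/08/10 21:29:16 hasso Exp $
#
# Usage: rc.firewall6 [type]
#   type - overrides ${ipv6_firewall_type} from rc.conf (see below)
#
# rc.conf variables read: ipv6_firewall_type, ipv6_firewall_quiet,
# ipv6_firewall_flags.
#
# The existing ip6fw rule set is flushed before the selected rules are
# installed, so a misspelled or unreadable ${ipv6_firewall_type} leaves
# the machine with nothing but the kernel's default policy.  The final
# case arm therefore warns on stderr instead of failing silently.

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-63357-4
#	http://www.awl.com/
#	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#

############
# Install the rules every prototype needs: unrestricted loopback traffic
# and the ICMPv6 exchanges that IPv6 neighbour discovery depends on.
# Globals:   fw6cmd (read) - the ip6fw command, optionally with -q
# Arguments: none
# Outputs:   whatever ip6fw prints
# Returns:   status of the last ip6fw invocation
############
setup_local () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fw6cmd} add 100 pass all from any to any via lo0
	#
	# ND
	#
	# DAD
	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
	# RS, RA, NS, NA, redirect...
	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
	${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
}

############
# A command-line argument takes precedence over rc.conf.
#
if [ -n "${1}" ]; then
	ipv6_firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
# fw6cmd is intentionally used unquoted below so that the optional -q
# flag is passed as a separate word.
#
case "${ipv6_firewall_quiet}" in
[Yy][Ee][Ss])
	fw6cmd="/sbin/ip6fw -q"
	;;
*)
	fw6cmd="/sbin/ip6fw"
	;;
esac

############
# Flush out the list before we begin.
#
# From this point until the selected arm below has run, only the kernel's
# default policy applies.
#
${fw6cmd} -f flush

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the ipv6_firewall_type to ``open''.
#
# ${fw6cmd} add 65000 pass all from any to any


# Prototype setups.
#
case "${ipv6_firewall_type}" in
[Oo][Pp][Ee][Nn])
	setup_local
	${fw6cmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and prefixlen and ip
	#
	# This needs more work
	#
	net="2001:db8:2:1::"
	prefixlen="64"
	ip="2001:db8:2:1::1"

	setup_local

	# Allow any traffic to or from my own net.
	${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
	${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}

	# Allow any link-local multicast traffic
	${fw6cmd} add pass all from fe80::/10 to ff02::/16
	${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16

	# Allow TCP through if setup succeeded
	${fw6cmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fw6cmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fw6cmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fw6cmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fw6cmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	#
	# NOTE(review): the inbound rule matches on source port only, so any
	# UDP datagram with source port 53 reaches ${ip}; there is no check
	# that it answers a query this host sent.  Same for NTP below.
	${fw6cmd} add pass udp from any 53 to ${ip}
	${fw6cmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	${fw6cmd} add pass udp from any 123 to ${ip}
	${fw6cmd} add pass udp from ${ip} to any 123

	# Allow ICMPv6 destination unreach
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

	# Allow NS/NA/toobig (don't filter it out)
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

	# Everything else is denied by default, unless the
	# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall. Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and prefixlen and ip
	oif="ed0"
	onet="2001:db8:2:1::"
	oprefixlen="64"
	oip="2001:db8:2:1::1"

	# set these to your inside interface network and prefixlen and ip
	iif="ed1"
	inet="2001:db8:2:2::"
	iprefixlen="64"
	iip="2001:db8:2:2::1"

	setup_local

	# Stop spoofing
	${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
	${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}

	# Stop site-local on the outside interface
	${fw6cmd} add deny all from fec0::/10 to any via ${oif}
	${fw6cmd} add deny all from any to fec0::/10 via ${oif}

	# Disallow "internal" addresses to appear on the wire.
	${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
	${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}

	# Disallow packets to malicious IPv4 compatible prefix.
	${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
	${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
	${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
	${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
	${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
	${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}

	${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
	${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}

	# Disallow packets to malicious 6to4 prefix.
	${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
	${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
	${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
	${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}

	${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
	${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
	${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
	${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}

	${fw6cmd} add deny all from ff05::/16 to any via ${oif}
	${fw6cmd} add deny all from any to ff05::/16 via ${oif}

	# Allow TCP through if setup succeeded
	${fw6cmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fw6cmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fw6cmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fw6cmd} add pass tcp from any to ${oip} 53 setup
	${fw6cmd} add pass udp from any to ${oip} 53
	${fw6cmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fw6cmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fw6cmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	# (only reachable for traffic not arriving on ${oif}, see above)
	${fw6cmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	#
	# NOTE(review): as in the client setup, the inbound rule matches on
	# source port only; any UDP datagram from port 53 reaches ${oip}.
	${fw6cmd} add pass udp from any 53 to ${oip}
	${fw6cmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	${fw6cmd} add pass udp from any 123 to ${oip}
	${fw6cmd} add pass udp from ${oip} to any 123

	# Allow RIPng
	#${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
	#${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521

	# Allow ICMPv6 destination unreach
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

	# Allow NS/NA/toobig (don't filter it out)
	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

	# Everything else is denied by default, unless the
	# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	# Only enable the loopback interface
	${fw6cmd} add 100 pass all from any to any via lo0
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	# Anything else is the full path of a file of ip6fw rules.
	# ${ipv6_firewall_flags} stays unquoted on purpose so that several
	# flags can be given; the path is quoted so it survives spaces.
	# Both failure cases warn rather than stay silent: the rule set has
	# already been flushed, so nothing else would tell the admin that no
	# rules were loaded.
	if [ -z "${ipv6_firewall_type}" ]; then
		printf '%s: ipv6_firewall_type is not set; no IPv6 firewall rules loaded\n' \
		    "${0##*/}" >&2
	elif [ -r "${ipv6_firewall_type}" ]; then
		${fw6cmd} ${ipv6_firewall_flags} "${ipv6_firewall_type}"
	else
		printf '%s: cannot read IPv6 firewall rules file %s; no IPv6 firewall rules loaded\n' \
		    "${0##*/}" "${ipv6_firewall_type}" >&2
	fi
	;;
esac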