1#!/bin/sh 2# 3# Copyright (c) 2004 The DragonFly Project. All rights reserved. 4# 5# This code is derived from software contributed to The DragonFly Project 6# by Andreas Hauser <andy-dragonfly@splashground.de> 7# 8# Redistribution and use in source and binary forms, with or without 9# modification, are permitted provided that the following conditions 10# are met: 11# 12# 1. Redistributions of source code must retain the above copyright 13# notice, this list of conditions and the following disclaimer. 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in 16# the documentation and/or other materials provided with the 17# distribution. 18# 3. Neither the name of The DragonFly Project nor the names of its 19# contributors may be used to endorse or promote products derived 20# from this software without specific, prior written permission. 21# 22# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 26# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27# INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 28# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 30# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 31# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 32# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33# SUCH DAMAGE. 34# 35# $DragonFly: src/etc/rc.firewall,v 1.6 2007/06/02 09:16:49 swildner Exp $ 36 37# A simple packetfilter configurable via /etc/rc.conf 38# 39# Variables in rc.conf: 40# 41# firewall_type 42# UNKNOWN - disables the loading of firewall rules. 
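#	open     - allows everything in and out; only the loopback sanity
#	           rules and the optional natd divert rule precede the final
#	           "pass all" rule
#	client   - enables the packetfilter (also the default when
#	           firewall_type is unset or empty)
#	simple   - historical alias for client
#	closed   - totally disables IP services except via lo0 interface
#	filename - will load the rules in the given filename (full path
#	           required); an unreadable filename is reported on stderr
#	           and leaves the (already flushed) rule set empty
#
# firewall_trusted_nets        - networks that may talk to this host freely
#                                in both directions
# firewall_trusted_interfaces  - interfaces whose traffic passes unfiltered
# firewall_allowed_icmp_types  - ICMP types accepted from anywhere
# firewall_open_tcp_ports      - TCP ports on this host reachable from anywhere
# firewall_open_udp_ports      - UDP ports on this host reachable from anywhere
# firewall_quiet               - YES suppresses ipfw's per-rule output
# firewall_logging             - YES adds "log" to every deny rule
# firewall_flags               - extra ipfw flags, used only when loading a
#                                rule file
# natd_enable / natd_interface - YES plus an interface name adds a divert
#                                rule for natd (open, client and simple only)
#
# NOTE: the argument handling below maps "stop" onto the "open" rule set,
# i.e. stopping the firewall fails open, not closed.

if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

# ${fwcmd} is deliberately left unquoted wherever it is used so that the
# optional -q flag stays a separate word.
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

# ${log} is either the word "log" or empty and is spliced into deny rules;
# it must stay unquoted so that an empty value contributes no argument.
case ${firewall_logging} in
[Yy][Ee][Ss])
	log="log"
	;;
*)
	log=""
	;;
esac

# Accepted arguments: start (use rc.conf), stop (install the open set),
# anything else is taken as a firewall_type, including a rule-file path.
if [ -n "$1" ]; then
	case $1 in
	start)
		;;
	stop)
		firewall_type="open"
		;;
	*)
		firewall_type="$1"
		;;
	esac
fi

# Send every packet crossing ${natd_interface} through the natd divert
# socket.  Does nothing unless natd_enable=YES and natd_interface is set.
divert_nat() {
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via "${natd_interface}"
		fi
		;;
	esac
}

# Pass everything on lo0, then drop loopback addresses seen anywhere else
# (a 127/8 source or destination on a real interface is never legitimate).
allow_loopback() {
	${fwcmd} add pass all from any to any via lo0
	${fwcmd} add deny ${log} all from any to 127.0.0.0/8
	${fwcmd} add deny ${log} ip from 127.0.0.0/8 to any
}

# Placeholder: the intended reverse-path check is not available, so this
# installs no rule and only announces that fact.
deny_spoof() {
	# XXX we don't have verrevpath yet
	# ${fwcmd} add deny ${log} ip from any to any not verrevpath in
	echo no verrevpath yet, so no anti-spoof
}

# Accept the given ICMP types from any source.
allow_icmp_types() {
	for icmp_type in "$@"; do
		${fwcmd} add allow icmp from any to any icmptypes "${icmp_type}"
	done
}

# Pass all traffic between this host and each listed network, in both
# directions.  These rules precede every deny rule, so a trusted network is
# trusted completely.
allow_trusted_nets() {
	for net in "$@"; do
		${fwcmd} add pass all from me to "${net}"
		${fwcmd} add pass all from "${net}" to me
	done
}

# Pass all traffic crossing each listed interface, unfiltered.
allow_trusted_interfaces() {
	for interface in "$@"; do
		${fwcmd} add pass all from any to any via "${interface}"
	done
}

# Let locally initiated connections and their replies through.
# Caveats worth knowing when relying on this set:
#  - "established" matches TCP segments carrying ACK or RST, so it is a
#    heuristic rather than connection tracking; a remote host can craft
#    such segments to reach ports that are otherwise closed.
#  - non-first fragments carry no port information, so they are passed
#    unconditionally and never see the port filters below.
#  - outbound UDP uses keep-state so that replies are matched dynamically.
allow_connections() {
	${fwcmd} add pass tcp from any to any established
	${fwcmd} add pass all from any to any frag
	${fwcmd} add pass tcp from me to any setup
	${fwcmd} add pass udp from me to any keep-state
}

# Accept new TCP connections to the given local ports from anywhere.
open_tcp_ports() {
	for port in "$@"; do
		${fwcmd} add pass tcp from any to me "${port}" setup
	done
}

# Accept UDP to the given local ports from anywhere, and let replies from
# those ports out.
open_udp_ports() {
	for port in "$@"; do
		${fwcmd} add pass udp from any to me "${port}"
		${fwcmd} add pass udp from me "${port}" to any
	done
}

# Drop packets claiming to come from address ranges that should never
# arrive from the outside (private, link-local, documentation, multicast,
# reserved).  Because this runs after allow_trusted_* and
# allow_connections, a host on an RFC1918 LAN must list that LAN in
# firewall_trusted_nets or firewall_trusted_interfaces, otherwise its
# traffic is denied here.
deny_not_routed_nets()
{
	# These nets should not be routed
	nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
		169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
	for net in ${nets} ; do
		${fwcmd} add deny ${log} all from "${net}" to any
	done
}

# Final catch-all deny at 65000, leaving room for rules installed by
# other tools above it.
deny_rest() {
	${fwcmd} add 65000 deny ${log} all from any to any
}

# Final catch-all pass at 65000.
allow_rest() {
	${fwcmd} add 65000 pass all from any to any
}

# Flush the current rule set and install the one selected by
# ${firewall_type}.  Reads fwcmd, log, firewall_type, firewall_flags and
# the firewall_* lists from rc.conf.
load_rules() {
	# The flush happens for every firewall_type, UNKNOWN included, so
	# until the new set is in place only the kernel's default rule is
	# left (its action depends on how ipfw was built).
	${fwcmd} -f flush

	case ${firewall_type} in
	[Oo][Pp][Ee][Nn])
		allow_loopback
		deny_spoof
		divert_nat
		allow_rest
		;;

	# historical names
	[Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
		allow_loopback
		deny_spoof
		divert_nat
		allow_trusted_nets ${firewall_trusted_nets}
		allow_trusted_interfaces ${firewall_trusted_interfaces}
		allow_connections
		allow_icmp_types ${firewall_allowed_icmp_types}
		deny_not_routed_nets
		open_tcp_ports ${firewall_open_tcp_ports}
		open_udp_ports ${firewall_open_udp_ports}
		deny_rest
		;;

	[Cc][Ll][Oo][Ss][Ee][Dd])
		allow_loopback
		deny_rest
		;;

	[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
		;;

	*)
		# Anything else is a path to a rule file.  A typo here used to
		# fail silently, leaving the flushed (empty) rule set in place;
		# say so on stderr so the misconfiguration is noticed.
		if [ -r "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} "${firewall_type}"
		else
			echo "rc.firewall: '${firewall_type}' is not a known firewall_type" \
			    "and not a readable rule file; no rules loaded after flush" >&2
		fi
		;;
	esac
}

load_rules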