author | ume <ume@FreeBSD.org> | 2000-10-29 19:59:05 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2000-10-29 19:59:05 +0000 |
commit | 03e9a76a97c365de856315bf361e500bfbcb9475 (patch) | |
tree | 52b44ddfb739b1b5e82ae7a97c4a2131a467a51f | |
parent | bdfeee725dd9e85454d3d326a09177192f702333 (diff) | |
- ipv6_prefix_* and ipv6_ifconfig_* work for end node
- rtsol should work for only one interface
- new variable ipv6_defaultrouter is added
- option names of rtadvd in comments are corrected
- ipv6_firewall_enable, ipv6_firewall_type, ipv6_firewall_script,
ipv6_firewall_logging are added to introduce rc.firewall6.
IPv6 firewall rule is just starting point and should be brushed up.
This commit includes PR18621, PR21694, PR22051.
PR: conf/18621, conf/21694, conf/22051
Reviewed by: asmodai
-rw-r--r-- | etc/defaults/rc.conf | 15 | ||||
-rw-r--r-- | etc/rc.d/network_ipv6 | 322 | ||||
-rw-r--r-- | etc/rc.firewall6 | 257 | ||||
-rw-r--r-- | etc/rc.network6 | 322 |
4 files changed, 695 insertions, 221 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 0e65914..b761564 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -84,7 +84,6 @@ icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="auto" # List of network interfaces (or "auto"). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. -#ifconfig_ed0_alias0="inet6 fec0:0000:0000:0005::1 prefixlen 64" # Sample alias entry for IPv6. #ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry. # # If you have any sppp(4) interfaces above, you might also want to set @@ -216,6 +215,7 @@ icmp_bmcastecho="NO" # respond to broadcast ping packets ### IPv6 options: ### ipv6_enable="NO" # Set to YES to set up for IPv6. ipv6_network_interfaces="auto" # List of network interfaces (or "auto"). +ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO). ipv6_static_routes="" # Set to static route list (or leave empty). #ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64 # route toward loopback interface. @@ -226,10 +226,12 @@ ipv6_router="/usr/sbin/route6d" # Name of IPv6 routing daemon. ipv6_router_flags="" # Flags to IPv6 routing daemon. #ipv6_router_flags="-l" # Example for route6d with only IPv6 site local # addrs. -#ipv6_network_interfaces="ed0 ep0" # Examples for router. +#ipv6_network_interfaces="ed0 ep0" # Examples for router + # or static configuration for end node. # Choose correct prefix value. #ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr. #ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr. +#ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64" # Sample alias entry ipv6_default_interface="" # Default output interface for scoped addrs. # Now this works only for IPv6 link local # multicast addrs. 
@@ -256,8 +258,15 @@ stf_interface_ipv4plen="0" # Prefix length for 6to4 IPv4 addr, stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0. # If you like, you can set "AUTO" for this. stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0 -ipv6_ipv4mapping="YES"; # Leave empty to disable IPv4 mapped IPv6 addr +ipv6_ipv4mapping="YES" # Leave empty to disable IPv4 mapped IPv6 addr # communication. (like ::ffff:a.b.c.d) +ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall + # functionality +ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall +ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) +ipv6_firewall_quiet="NO" # Set to YES to suppress rule display +ipv6_firewall_logging="NO" # Set to YES to enable events logging +ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file ############################################################## ### System console options ################################# diff --git a/etc/rc.d/network_ipv6 b/etc/rc.d/network_ipv6 index 195c09d..0b5bdf59 100644 --- a/etc/rc.d/network_ipv6 +++ b/etc/rc.d/network_ipv6 
@@ -37,26 +37,74 @@ network6_pass1() { echo -n 'Doing IPv6 network setup:' - case ${ipv6_gateway_enable} in + # Initialize IP filtering using ip6fw + # + if /sbin/ip6fw -q flush > /dev/null 2>&1; then + ipv6_firewall_in_kernel=1 + else + ipv6_firewall_in_kernel=0 + fi + + case ${ipv6_firewall_enable} in [Yy][Ee][Ss]) - # - # list of interfaces, and prefix for interfaces - # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) - ipv6_network_interfaces="`ifconfig -l`" + if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then + ipv6_firewall_in_kernel=1 + echo "Kernel IPv6 firewall module loaded." + elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then + echo "Warning: IPv6 firewall kernel module failed to load." + fi + ;; + esac + + # Load the filters if required + # + case ${ipv6_firewall_in_kernel} in + 1) + if [ -z "${ipv6_firewall_script}" ]; then + ipv6_firewall_script=/etc/rc.firewall6 + fi + + case ${ipv6_firewall_enable} in + [Yy][Ee][Ss]) + if [ -r "${ipv6_firewall_script}" ]; then + . "${ipv6_firewall_script}" + echo -n 'IPv6 Firewall rules loaded.' + elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + echo -n "Warning: kernel has IPv6 firewall functionality, " + echo "but IPv6 firewall rules are not enabled." + echo " All ipv6 services are disabled." + fi + + case ${ipv6_firewall_logging} in + [Yy][Ee][Ss] | '') + echo 'IPv6 Firewall logging=YES' + sysctl -w net.inet6.ip6.fw.verbose=1 >/dev/null + ;; + *) + ;; + esac + ;; esac ;; - *) - # - # manual configurations - in case ip6_gateway_enable=NO - # you can configure only single interface, - # as specification assumes that - # autoconfigured host has single interface only. 
- # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) + esac + + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # + # list of interfaces, and prefix for interfaces + # + ipv6_network_interfaces="`ifconfig -l`" + ;; + *) + # + # manual configurations - in case ip6_gateway_enable=NO + # you can configure only single interface, + # as specification assumes that + # autoconfigured host has single interface only. + # set `ifconfig -l` ipv6_network_interfaces="$1" ;; @@ -83,46 +131,26 @@ network6_pass1() { done sleep `sysctl -n net.inet6.ip6.dad_count` sleep 1 + ;; + *) + # act as endhost - start with manual configuration + sysctl -w net.inet6.ip6.forwarding=0 + sysctl -w net.inet6.ip6.accept_rtadv=0 + ;; + esac - # setting up interfaces - for i in $ipv6_network_interfaces; do - eval prefix=\$ipv6_prefix_$i - case ${prefix} in - '') - continue; - ;; - esac - for j in ${prefix}; do - case ${prefixcmd_enable} in - [Yy][Ee][Ss]) - prefix $i $j:: - ;; - *) - laddr=`network6_getladdr $i` - hostid=`expr "${laddr}" : \ - 'fe80::\(.*\)%\(.*\)'` - address=$j\:${hostid} - - eval hostid_$i=${hostid} - eval address_$i=${address} - - ifconfig $i inet6 ${address} \ - prefixlen 64 alias - ;; - esac - - # subnet-router anycast address (rfc2373) - ifconfig $i inet6 $j:: prefixlen 64 \ - alias anycast - done + # gifconfig + network6_gif_setup - ifconfig $i inet6 - done + # setting up interfaces + network6_interface_setup - # again, wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 + # wait for DAD's completion (for global addrs) + sleep `sysctl -n net.inet6.ip6.dad_count` + sleep 1 + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # Filter out interfaces on which IPv6 addr init failed. ipv6_working_interfaces="" for i in ${ipv6_network_interfaces}; do 
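Review bot: The kernel-presence probe `if /sbin/ip6fw -q flush > /dev/null 2>&1` at the top of this hunk is destructive: it wipes whatever IPv6 rule set is already loaded, and when ipv6_firewall_enable is not YES nothing is reloaded and no warning is printed, because the `ip6fw l 65535` check sits inside the YES branch. A read-only probe such as `if /sbin/ip6fw list > /dev/null 2>&1; then` detects the module without side effects, and rc.firewall6 flushes the rules itself before loading anyway. Separately, the logging case `[Yy][Ee][Ss] | '')` treats an empty ipv6_firewall_logging as YES, while the rc.conf default added in this commit is "NO" with the comment "Set to YES to enable events logging"; either drop the `| ''` alternative or document in rc.conf that an empty value enables logging. The same two points apply to the identical hunk in etc/rc.network6; network6_pass1 starts before this hunk and continues past it.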
@@ -137,20 +165,21 @@ network6_pass1() { esac done ipv6_network_interfaces=${ipv6_working_interfaces} + ;; + esac - # gifconfig - network6_gif_setup - - # 6to4 setup - network6_stf_setup + # 6to4 setup + network6_stf_setup - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - network6_default_interface_setup + # install the "default interface" to kernel, which will be used + # as the default route when there's no router. + network6_default_interface_setup - # setup static routes - network6_static_routes_setup + # setup static routes + network6_static_routes_setup + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # ipv6_router case ${ipv6_router_enable} in [Yy][Ee][Ss]) @@ -167,7 +196,7 @@ network6_pass1() { # # And if you wish your rtadvd to receive and process # router renumbering messages, specify your Router Renumbering - # security policy by -P option. + # security policy by -R option. # # See `man 3 ipsec_set_policy` for IPsec policy specification # details. 
@@ -178,25 +207,29 @@ network6_pass1() { case ${rtadvd_enable} in [Yy][Ee][Ss]) # default - for i in ${ipv6_network_interfaces}; do - case $i in - stf*) - continue - ;; - *) - rtadvd_interfaces="${rtadvd_interfaces} ${i}" - ;; - esac - done + case ${rtadvd_interfaces} in + '') + for i in ${ipv6_network_interfaces}; do + case $i in + stf*) + continue + ;; + *) + rtadvd_interfaces="${rtadvd_interfaces} ${i}" + ;; + esac + done + ;; + esac rtadvd ${rtadvd_interfaces} # # Enable Router Renumbering, unicast case # (use correct src/dst addr) - # rtadvd -P "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \ + # rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \ # ${ipv6_network_interfaces} # Enable Router Renumbering, multicast case # (use correct src addr) - # rtadvd -P "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \ + # rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \ # ${ipv6_network_interfaces} ;; esac @@ -211,38 +244,6 @@ network6_pass1() { ;; esac ;; - *) - # act as endhost - automatically configured - sysctl -w net.inet6.ip6.forwarding=0 - sysctl -w net.inet6.ip6.accept_rtadv=1 - - case ${ipv6_network_interfaces} in - lo0|gif*|stf*|faith*) - ;; - *) - ifconfig ${ipv6_network_interfaces} up - rtsol ${ipv6_network_interfaces} - ;; - esac - - # wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 - - # gifconfig - network6_gif_setup - - # 6to4 setup - network6_stf_setup - - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - # ndp -I ${ipv6_default_interface} - network6_default_interface_setup - - # setup static routes - network6_static_routes_setup - ;; esac case ${ipv6_ipv4mapping} in 
@@ -263,6 +264,85 @@ network6_pass1() { network6_pass1_done=YES } +network6_interface_setup() { + rtsol_interfaces='' + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + rtsol_available=no + ;; + *) + rtsol_available=yes + prefixcmd_enable=NO + ;; + esac + for i in $ipv6_network_interfaces; do + rtsol_interface=yes + eval prefix=\$ipv6_prefix_$i + if [ -n "${prefix}" ]; then + rtsol_available=no + rtsol_interface=no + for j in ${prefix}; do + case ${prefixcmd_enable} in + [Yy][Ee][Ss]) + prefix $i $j:: + ;; + *) + laddr=`network6_getladdr $i` + hostid=`expr "${laddr}" : \ + 'fe80::\(.*\)%\(.*\)'` + address=$j\:${hostid} + + eval hostid_$i=${hostid} + eval address_$i=${address} + + ifconfig $i inet6 ${address} \ + prefixlen 64 alias + ;; + esac + + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # subnet-router anycast address + # (rfc2373) + ifconfig $i inet6 $j:: prefixlen 64 \ + alias anycast + ;; + esac + done + fi + eval ipv6_ifconfig=\$ipv6_ifconfig_$i + if [ -n "${ipv6_ifconfig}" ]; then + rtsol_available=no + rtsol_interface=no + ifconfig $i inet6 ${ipv6_ifconfig} alias + fi + + if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ] + then + case ${i} in + lo0|gif*|stf*|faith*) + ;; + *) + rtsol_interfaces="${rtsol_interfaces} ${i}" + ;; + esac + else + ifconfig $i inet6 + fi + done + + if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then + # Act as endhost - automatically configured. + # You can configure only single interface, as + # specification assumes that autoconfigured host has + # single interface only. + sysctl -w net.inet6.ip6.accept_rtadv=1 + set ${rtsol_interfaces} + ifconfig $1 up + rtsol $1 + fi +} + network6_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') 
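Review bot: In network6_interface_setup the final endhost block silently keeps only the first entry of `${rtsol_interfaces}` (`set ${rtsol_interfaces}`, `ifconfig $1 up`, `rtsol $1`), so on a host with several candidate interfaces the rest get neither autoconfiguration nor any message; an echo after the `set`, e.g. `shift; [ $# -gt 0 ] && echo "Warning: rtsol runs on one interface only, ignoring: $*"`, would make the single-interface rule visible at boot. The `*)` branch of the first case also assigns `prefixcmd_enable=NO`, overriding the user's rc.conf value for end nodes, which deserves a comment such as `# End nodes never use prefix(8); force manual address setup here (presumably because prefix is meant for routers -- confirm)`. The hostid extraction `expr "${laddr}" : 'fe80::\(.*\)%\(.*\)'`, carried over from the removed code, has no guard for an empty link-local address, in which case `${address}` degenerates to `$j:`; a `[ -z "${hostid}" ] && continue` (with a warning) before the ifconfig would avoid configuring a malformed address. The same applies to the identical hunk in etc/rc.network6.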
@@ -330,6 +410,14 @@ network6_stf_setup() { network6_static_routes_setup() { # Set up any static routes. + case ${ipv6_defaultrouter} in + [Nn][Oo] | '') + ;; + *) + ipv6_static_routes="default ${ipv6_static_routes}" + ipv6_route_default="default ${ipv6_defaultrouter}" + ;; + esac case ${ipv6_static_routes} in [Nn][Oo] | '') ;; @@ -362,16 +450,32 @@ network6_default_interface_setup() { # Disallow unicast packets without outgoing scope identifiers, # or route such packets to a "default" interface, if it is specified. + route add -inet6 fe80:: -prefixlen 10 ::1 -reject case ${ipv6_default_interface} in [Nn][Oo] | '') - route add -inet6 fe80:: -prefixlen 10 ::1 -reject route add -inet6 fec0:: -prefixlen 10 ::1 -reject ;; *) laddr=`network6_getladdr ${ipv6_default_interface}` route add -inet6 fec0:: ${laddr} -prefixlen 10 -interface \ -cloning - ndp -I ${ipv6_default_interface} + + # Disable installing the default interface with the + # case net.inet6.ip6.forwarding=0 and + # net.inet6.ip6.accept_rtadv=0, due to avoid conflict + # between the default router list and the manual + # configured default route. + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + ndp -I ${ipv6_default_interface} + ;; + *) + if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ] + then + ndp -I ${ipv6_default_interface} + fi + ;; + esac ;; esac } diff --git a/etc/rc.firewall6 b/etc/rc.firewall6 new file mode 100644 index 0000000..df2d7a2 --- /dev/null +++ b/etc/rc.firewall6 
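Review bot: The new `*)` branch of the ipv6_defaultrouter case prepends to ipv6_static_routes unconditionally, so a user who set `ipv6_static_routes="NO"` (the `[Nn][Oo] | ''` pattern directly below shows NO is an accepted value) ends up with `default NO`, and the route loop, which lies outside this hunk, presumably then treats NO as a route name. Guard the prepend: `case ${ipv6_static_routes} in [Nn][Oo]) ipv6_static_routes=default ;; *) ipv6_static_routes="default ${ipv6_static_routes}" ;; esac`. A comment above the case, `# A default router is expressed as a synthetic static route named "default"`, would also explain why ipv6_route_default is assigned here. The same applies to the identical hunk in etc/rc.network6.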
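Review bot: The endhost branch of network6_default_interface_setup compares the unquoted output of ``sysctl -n net.inet6.ip6.accept_rtadv`` with `-eq 1`, so if sysctl prints nothing (for instance when the MIB is absent) `test` fails with a syntax error instead of taking a decision; ``if [ "`sysctl -n net.inet6.ip6.accept_rtadv`" = 1 ]`` is robust against that. The explanatory comment reads awkwardly ("due to avoid conflict"); suggest `# On an end node with forwarding=0 and accept_rtadv=0, do not install the default interface: it would conflict with a manually configured default route.` Moving `route add -inet6 fe80:: -prefixlen 10 ::1 -reject` above the case means it now runs in both branches, which is a behaviour change worth a one-line comment of its own. The same applies to the identical hunk in etc/rc.network6.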
@@ -0,0 +1,257 @@ +############ +# Setup system for IPv6 firewall service. +# $FreeBSD$ + +# Suck in the configuration variables. +if [ -z "${source_rc_confs_defined}" ]; then + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi +fi + +############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) +# +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. + +############ +# +# If you don't know enough about packet filtering, we suggest that you +# take time to read this book: +# +# Building Internet Firewalls +# Brent Chapman and Elizabeth Zwicky +# +# O'Reilly & Associates, Inc +# ISBN 1-56592-124-0 +# http://www.ora.com/ +# +# For a more advanced treatment of Internet Security read: +# +# Firewalls & Internet Security +# Repelling the wily hacker +# William R. Cheswick, Steven M. Bellowin +# +# Addison-Wesley +# ISBN 0-201-6337-4 +# http://www.awl.com/ +# + +if [ -n "${1}" ]; then + ipv6_firewall_type="${1}" +fi + +############ +# Set quiet mode if requested +# +case ${ipv6_firewall_quiet} in +[Yy][Ee][Ss]) + fw6cmd="/sbin/ip6fw -q" + ;; +*) + fw6cmd="/sbin/ip6fw" + ;; +esac + +############ +# Flush out the list before we begin. +# +${fw6cmd} -f flush + +############ +# If you just configured ipfw in the kernel as a tool to solve network +# problems or you just want to disallow some particular kinds of traffic +# then you will want to change the default policy to open. You can also +# do this as your only action by setting the ipv6_firewall_type to ``open''. 
+# +# ${fw6cmd} add 65000 pass all from any to any + +############ +# Only in rare cases do you want to change these rules +# +${fw6cmd} add 100 pass all from any to any via lo0 +# +# ND +# +# DAD +${fw6cmd} add pass ipv6-icmp from ff02::/16 to :: +${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 +# RS, RA, NS, NA, redirect... +${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 +${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + + +# Prototype setups. +# +case ${ipv6_firewall_type} in +[Oo][Pp][Ee][Nn]) + ${fw6cmd} add 65000 pass all from any to any + ;; + +[Cc][Ll][Ii][Ee][Nn][Tt]) + ############ + # This is a prototype setup that will protect your system somewhat + # against people from outside your own network. + ############ + + # set these to your network and prefixlen and ip + # + # This needs more work + # + net="3ffe:505:2:1::" + prefixlen="64" + ip="3ffe:505:2:1::1" + + # Allow any traffic to or from my own net. + ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen} + ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip} + + # Allow TCP through if setup succeeded + ${fw6cmd} add pass tcp from any to any established + + # Allow IP fragments to pass through + ${fw6cmd} add pass all from any to any frag + + # Allow setup of incoming email + ${fw6cmd} add pass tcp from any to ${ip} 25 setup + + # Allow setup of outgoing TCP connections only + ${fw6cmd} add pass tcp from ${ip} to any setup + + # Disallow setup of all other TCP connections + ${fw6cmd} add deny tcp from any to any setup + + # Allow DNS queries out in the world + ${fw6cmd} add pass udp from any 53 to ${ip} + ${fw6cmd} add pass udp from ${ip} to any 53 + + # Allow NTP queries out in the world + ${fw6cmd} add pass udp from any 123 to ${ip} + ${fw6cmd} add pass udp from ${ip} to any 123 + + # Everything else is denied by default, unless the + # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel + # config file. 
+ ;; + +[Ss][Ii][Mm][Pp][Ll][Ee]) + ############ + # This is a prototype setup for a simple firewall. Configure this + # machine as a named server and ntp server, and point all the machines + # on the inside at this machine for those services. + ############ + + # set these to your outside interface network and prefixlen and ip + oif="ed0" + onet="3ffe:505:2:1::" + oprefixlen="64" + oip="3ffe:505:2:1::1" + + # set these to your inside interface network and prefixlen and ip + iif="ed1" + inet="3ffe:505:2:2::" + iprefixlen="64" + iip="3ffe:505:2:2::1" + + # Stop spoofing + ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif} + ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif} + + # Stop site-local on the outside interface + ${fw6cmd} add deny all from ff02::/16 to any via ${oif} + ${fw6cmd} add deny all from any to ff02::/16 via ${oif} + + # Disallow "internal" addresses to appear on the wire. + ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif} + + # Disallow packets to malicious IPv4 compatible prefix. + ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif} + ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif} + ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif} + ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif} + ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif} + ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif} + + ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif} + ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif} + + # Disallow packets to malicious 6to4 prefix. 
+ ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif} + ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif} + ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif} + ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif} + + ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif} + ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif} + ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif} + ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif} + + ${fw6cmd} add deny all from ff05::/32 to any via ${oif} + ${fw6cmd} add deny all from any to ff05::/32 via ${oif} + + # Allow TCP through if setup succeeded + ${fw6cmd} add pass tcp from any to any established + + # Allow IP fragments to pass through + ${fw6cmd} add pass all from any to any frag + + # Allow setup of incoming email + ${fw6cmd} add pass tcp from any to ${oip} 25 setup + + # Allow access to our DNS + ${fw6cmd} add pass tcp from any to ${oip} 53 setup + ${fw6cmd} add pass udp from any to ${oip} 53 + ${fw6cmd} add pass udp from ${oip} 53 to any + + # Allow access to our WWW + ${fw6cmd} add pass tcp from any to ${oip} 80 setup + + # Reject&Log all setup of incoming connections from the outside + ${fw6cmd} add deny log tcp from any to any in via ${oif} setup + + # Allow setup of any other TCP connection + ${fw6cmd} add pass tcp from any to any setup + + # Allow DNS queries out in the world + ${fw6cmd} add pass udp from any 53 to ${oip} + ${fw6cmd} add pass udp from ${oip} to any 53 + + # Allow NTP queries out in the world + ${fw6cmd} add pass udp from any 123 to ${oip} + ${fw6cmd} add 
pass udp from ${oip} to any 123 + + # RIPng + #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 + + # Everything else is denied by default, unless the + # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel + # config file. + ;; + +[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) + ;; +*) + if [ -r "${ipv6_firewall_type}" ]; then + ${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type} + fi + ;; +esac diff --git a/etc/rc.network6 b/etc/rc.network6 index 195c09d..0b5bdf59 100644 --- a/etc/rc.network6 +++ b/etc/rc.network6 
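Review bot: In the `simple` section the comment `# Stop site-local on the outside interface` sits above two rules that deny ff02::/16, which is the link-local multicast scope, while the rules that actually deny site-local multicast (ff05::/32) further down carry no comment; the two comments should read `# Stop link-local multicast on the outside interface` and `# Stop site-local multicast on the outside interface` respectively. The IPv4-compatible deny list covers ::224.0.0.0/100, ::127.0.0.0/104, ::0.0.0.0/104 and ::255.0.0.0/104 but, unlike the 6to4 list that follows (2002:0a00::/24, 2002:ac10::/28, 2002:c0a8::/32), has no entries for the private IPv4 ranges; if that omission is deliberate a comment should say so, otherwise the matching ::10.0.0.0/104, ::172.16.0.0/108 and ::192.168.0.0/112 entries belong alongside. In the final `*)` branch an unreadable `${ipv6_firewall_type}` path is ignored silently after the rule set has already been flushed; an `else echo "Warning: IPv6 firewall rules file ${ipv6_firewall_type} is not readable"` would surface the misconfiguration. The `client` and `simple` templates ship the 3ffe:505:2:1:: example addresses as live values, so a `# EXAMPLE VALUES -- replace with your own network before use` marker next to `net=` and `oif=` would make that harder to miss.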
@@ -37,26 +37,74 @@ network6_pass1() { echo -n 'Doing IPv6 network setup:' - case ${ipv6_gateway_enable} in + # Initialize IP filtering using ip6fw + # + if /sbin/ip6fw -q flush > /dev/null 2>&1; then + ipv6_firewall_in_kernel=1 + else + ipv6_firewall_in_kernel=0 + fi + + case ${ipv6_firewall_enable} in [Yy][Ee][Ss]) - # - # list of interfaces, and prefix for interfaces - # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) - ipv6_network_interfaces="`ifconfig -l`" + if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then + ipv6_firewall_in_kernel=1 + echo "Kernel IPv6 firewall module loaded." + elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then + echo "Warning: IPv6 firewall kernel module failed to load." + fi + ;; + esac + + # Load the filters if required + # + case ${ipv6_firewall_in_kernel} in + 1) + if [ -z "${ipv6_firewall_script}" ]; then + ipv6_firewall_script=/etc/rc.firewall6 + fi + + case ${ipv6_firewall_enable} in + [Yy][Ee][Ss]) + if [ -r "${ipv6_firewall_script}" ]; then + . "${ipv6_firewall_script}" + echo -n 'IPv6 Firewall rules loaded.' + elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + echo -n "Warning: kernel has IPv6 firewall functionality, " + echo "but IPv6 firewall rules are not enabled." + echo " All ipv6 services are disabled." + fi + + case ${ipv6_firewall_logging} in + [Yy][Ee][Ss] | '') + echo 'IPv6 Firewall logging=YES' + sysctl -w net.inet6.ip6.fw.verbose=1 >/dev/null + ;; + *) + ;; + esac + ;; esac ;; - *) - # - # manual configurations - in case ip6_gateway_enable=NO - # you can configure only single interface, - # as specification assumes that - # autoconfigured host has single interface only. 
- # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) + esac + + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # + # list of interfaces, and prefix for interfaces + # + ipv6_network_interfaces="`ifconfig -l`" + ;; + *) + # + # manual configurations - in case ip6_gateway_enable=NO + # you can configure only single interface, + # as specification assumes that + # autoconfigured host has single interface only. + # set `ifconfig -l` ipv6_network_interfaces="$1" ;; @@ -83,46 +131,26 @@ network6_pass1() { done sleep `sysctl -n net.inet6.ip6.dad_count` sleep 1 + ;; + *) + # act as endhost - start with manual configuration + sysctl -w net.inet6.ip6.forwarding=0 + sysctl -w net.inet6.ip6.accept_rtadv=0 + ;; + esac - # setting up interfaces - for i in $ipv6_network_interfaces; do - eval prefix=\$ipv6_prefix_$i - case ${prefix} in - '') - continue; - ;; - esac - for j in ${prefix}; do - case ${prefixcmd_enable} in - [Yy][Ee][Ss]) - prefix $i $j:: - ;; - *) - laddr=`network6_getladdr $i` - hostid=`expr "${laddr}" : \ - 'fe80::\(.*\)%\(.*\)'` - address=$j\:${hostid} - - eval hostid_$i=${hostid} - eval address_$i=${address} - - ifconfig $i inet6 ${address} \ - prefixlen 64 alias - ;; - esac - - # subnet-router anycast address (rfc2373) - ifconfig $i inet6 $j:: prefixlen 64 \ - alias anycast - done + # gifconfig + network6_gif_setup - ifconfig $i inet6 - done + # setting up interfaces + network6_interface_setup - # again, wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 + # wait for DAD's completion (for global addrs) + sleep `sysctl -n net.inet6.ip6.dad_count` + sleep 1 + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # Filter out interfaces on which IPv6 addr init failed. ipv6_working_interfaces="" for i in ${ipv6_network_interfaces}; do 
@@ -137,20 +165,21 @@ network6_pass1() { esac done ipv6_network_interfaces=${ipv6_working_interfaces} + ;; + esac - # gifconfig - network6_gif_setup - - # 6to4 setup - network6_stf_setup + # 6to4 setup + network6_stf_setup - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - network6_default_interface_setup + # install the "default interface" to kernel, which will be used + # as the default route when there's no router. + network6_default_interface_setup - # setup static routes - network6_static_routes_setup + # setup static routes + network6_static_routes_setup + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # ipv6_router case ${ipv6_router_enable} in [Yy][Ee][Ss]) @@ -167,7 +196,7 @@ network6_pass1() { # # And if you wish your rtadvd to receive and process # router renumbering messages, specify your Router Renumbering - # security policy by -P option. + # security policy by -R option. # # See `man 3 ipsec_set_policy` for IPsec policy specification # details. 
@@ -178,25 +207,29 @@ network6_pass1() { case ${rtadvd_enable} in [Yy][Ee][Ss]) # default - for i in ${ipv6_network_interfaces}; do - case $i in - stf*) - continue - ;; - *) - rtadvd_interfaces="${rtadvd_interfaces} ${i}" - ;; - esac - done + case ${rtadvd_interfaces} in + '') + for i in ${ipv6_network_interfaces}; do + case $i in + stf*) + continue + ;; + *) + rtadvd_interfaces="${rtadvd_interfaces} ${i}" + ;; + esac + done + ;; + esac rtadvd ${rtadvd_interfaces} # # Enable Router Renumbering, unicast case # (use correct src/dst addr) - # rtadvd -P "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \ + # rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \ # ${ipv6_network_interfaces} # Enable Router Renumbering, multicast case # (use correct src addr) - # rtadvd -P "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \ + # rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \ # ${ipv6_network_interfaces} ;; esac @@ -211,38 +244,6 @@ network6_pass1() { ;; esac ;; - *) - # act as endhost - automatically configured - sysctl -w net.inet6.ip6.forwarding=0 - sysctl -w net.inet6.ip6.accept_rtadv=1 - - case ${ipv6_network_interfaces} in - lo0|gif*|stf*|faith*) - ;; - *) - ifconfig ${ipv6_network_interfaces} up - rtsol ${ipv6_network_interfaces} - ;; - esac - - # wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 - - # gifconfig - network6_gif_setup - - # 6to4 setup - network6_stf_setup - - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - # ndp -I ${ipv6_default_interface} - network6_default_interface_setup - - # setup static routes - network6_static_routes_setup - ;; esac case ${ipv6_ipv4mapping} in 
@@ -263,6 +264,85 @@ network6_pass1() { network6_pass1_done=YES } +network6_interface_setup() { + rtsol_interfaces='' + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + rtsol_available=no + ;; + *) + rtsol_available=yes + prefixcmd_enable=NO + ;; + esac + for i in $ipv6_network_interfaces; do + rtsol_interface=yes + eval prefix=\$ipv6_prefix_$i + if [ -n "${prefix}" ]; then + rtsol_available=no + rtsol_interface=no + for j in ${prefix}; do + case ${prefixcmd_enable} in + [Yy][Ee][Ss]) + prefix $i $j:: + ;; + *) + laddr=`network6_getladdr $i` + hostid=`expr "${laddr}" : \ + 'fe80::\(.*\)%\(.*\)'` + address=$j\:${hostid} + + eval hostid_$i=${hostid} + eval address_$i=${address} + + ifconfig $i inet6 ${address} \ + prefixlen 64 alias + ;; + esac + + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # subnet-router anycast address + # (rfc2373) + ifconfig $i inet6 $j:: prefixlen 64 \ + alias anycast + ;; + esac + done + fi + eval ipv6_ifconfig=\$ipv6_ifconfig_$i + if [ -n "${ipv6_ifconfig}" ]; then + rtsol_available=no + rtsol_interface=no + ifconfig $i inet6 ${ipv6_ifconfig} alias + fi + + if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ] + then + case ${i} in + lo0|gif*|stf*|faith*) + ;; + *) + rtsol_interfaces="${rtsol_interfaces} ${i}" + ;; + esac + else + ifconfig $i inet6 + fi + done + + if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then + # Act as endhost - automatically configured. + # You can configure only single interface, as + # specification assumes that autoconfigured host has + # single interface only. + sysctl -w net.inet6.ip6.accept_rtadv=1 + set ${rtsol_interfaces} + ifconfig $1 up + rtsol $1 + fi +} + network6_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') 
@@ -330,6 +410,14 @@ network6_stf_setup() { network6_static_routes_setup() { # Set up any static routes. + case ${ipv6_defaultrouter} in + [Nn][Oo] | '') + ;; + *) + ipv6_static_routes="default ${ipv6_static_routes}" + ipv6_route_default="default ${ipv6_defaultrouter}" + ;; + esac case ${ipv6_static_routes} in [Nn][Oo] | '') ;; @@ -362,16 +450,32 @@ network6_default_interface_setup() { # Disallow unicast packets without outgoing scope identifiers, # or route such packets to a "default" interface, if it is specified. + route add -inet6 fe80:: -prefixlen 10 ::1 -reject case ${ipv6_default_interface} in [Nn][Oo] | '') - route add -inet6 fe80:: -prefixlen 10 ::1 -reject route add -inet6 fec0:: -prefixlen 10 ::1 -reject ;; *) laddr=`network6_getladdr ${ipv6_default_interface}` route add -inet6 fec0:: ${laddr} -prefixlen 10 -interface \ -cloning - ndp -I ${ipv6_default_interface} + + # Disable installing the default interface with the + # case net.inet6.ip6.forwarding=0 and + # net.inet6.ip6.accept_rtadv=0, due to avoid conflict + # between the default router list and the manual + # configured default route. + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + ndp -I ${ipv6_default_interface} + ;; + *) + if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ] + then + ndp -I ${ipv6_default_interface} + fi + ;; + esac ;; esac } |