summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorume <ume@FreeBSD.org>2009-12-02 15:05:26 +0000
committerume <ume@FreeBSD.org>2009-12-02 15:05:26 +0000
commitba7665678f35b37968e0734f1086fc8fe7143340 (patch)
treed274f4a3f20bd30ff98ae13a63f13accbcd8cba4
parentb26098335ad13f28d7c5848b7616741f750e786e (diff)
downloadFreeBSD-src-ba7665678f35b37968e0734f1086fc8fe7143340.zip
FreeBSD-src-ba7665678f35b37968e0734f1086fc8fe7143340.tar.gz
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw. Reviewed by: dougb, jhb MFC after: 1 month
-rw-r--r--ObsoleteFiles.inc3
-rw-r--r--etc/Makefile2
-rw-r--r--etc/defaults/rc.conf24
-rwxr-xr-xetc/rc.d/Makefile2
-rwxr-xr-xetc/rc.d/ip6fw48
-rwxr-xr-xetc/rc.d/ipfw13
-rw-r--r--etc/rc.firewall156
-rw-r--r--etc/rc.firewall6295
8 files changed, 178 insertions, 365 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 6ec1b82..e352840 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -14,6 +14,9 @@
# The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last.
#
+# 20091202: unify rc.firewall and rc.firewall6.
+OLD_FILES+=etc/rc.d/ip6fw
+OLD_FILES+=etc/rc.firewall6
# 20091117: removal of rc.early(8) link
OLD_FILES+=usr/share/man/man8/rc.early.8.gz
# 20091027: pselect.3 implemented as syscall
diff --git a/etc/Makefile b/etc/Makefile
index 88f0bfb..42221a8 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -15,7 +15,7 @@ BIN1= auth.conf \
inetd.conf libalias.conf login.access login.conf mac.conf motd \
netconfig network.subr networks newsyslog.conf nsswitch.conf \
phones profile protocols \
- rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \
+ rc rc.bsdextended rc.firewall rc.initdiskless \
rc.sendmail rc.shutdown \
rc.subr remote rpc services shells \
sysctl.conf syslog.conf
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index c094303..19a9a39 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -118,7 +118,10 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
-firewall_client_net="192.0.2.0/24" # Network address for "client" firewall.
+firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
+ # firewall.
+#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
+ # "client" firewall.
firewall_simple_iif="ed1" # Inside network interface for "simple"
# firewall.
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
@@ -127,12 +130,22 @@ firewall_simple_oif="ed0" # Outside network interface for "simple"
# firewall.
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
# firewall.
+#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple"
+ # firewall.
+#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix
+ # for "simple" firewall.
+#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple"
+ # firewall.
+#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
+ # for "simple" firewall.
firewall_myservices="" # List of TCP ports on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"
# firewall.
-firewall_trusted="" # List of IPs which have full access to this
+firewall_trusted="" # List of IPv4s which have full access to this
+ # host for "workstation" firewall.
+firewall_trusted_ipv6="" # List of IPv6s which have full access to this
# host for "workstation" firewall.
firewall_logdeny="NO" # Set to YES to log default denied incoming
# packets for "workstation" firewall.
@@ -472,13 +485,6 @@ ipv6_faith_prefix="NO" # Set faith prefix to enable a FAITH
# faithd(8) setup.
ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr
# communication. (like ::ffff:a.b.c.d)
-ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall
- # functionality
-ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
-ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6)
-ipv6_firewall_quiet="NO" # Set to YES to suppress rule display
-ipv6_firewall_logging="NO" # Set to YES to enable events logging
-ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file
ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules
# for examples
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index fbfac8a..7f72303 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -15,7 +15,7 @@ FILES= DAEMON FILESYSTEMS LOGIN NETWORKING SERVERS \
hcsecd \
hostapd hostid hostid_save hostname \
inetd initrandom \
- ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \
+ ip6addrctl ipfilter ipfs ipfw ipmon \
ipnat ipsec ipxrouted \
jail \
kadmind kerberos keyserv kldxref kpasswdd \
diff --git a/etc/rc.d/ip6fw b/etc/rc.d/ip6fw
deleted file mode 100755
index ca95d36..0000000
--- a/etc/rc.d/ip6fw
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# PROVIDE: ip6fw
-# REQUIRE: routing
-# KEYWORD: nojail
-
-. /etc/rc.subr
-
-name="ip6fw"
-rcvar=`set_rcvar ipv6_firewall`
-start_cmd="ip6fw_start"
-stop_cmd="${SYSCTL_W} net.inet6.ip6.fw.enable=0"
-required_modules="ipfw"
-
-ip6fw_start()
-{
- # Specify default rules file if none provided
- if [ -z "${ipv6_firewall_script}" ]; then
- ipv6_firewall_script=/etc/rc.firewall6
- fi
-
- # Load rules
- #
- if [ -r "${ipv6_firewall_script}" ]; then
- /bin/sh "${ipv6_firewall_script}"
- echo 'IPv6 Firewall rules loaded.'
- elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then
- warn 'IPv6 firewall rules have not been loaded. Default' \
- ' to DENY all access.'
- fi
-
- # Enable firewall logging
- #
- if checkyesno ipv6_firewall_logging; then
- echo 'IPv6 Firewall logging=YES'
- sysctl net.inet.ip.fw.verbose=1 >/dev/null
- fi
-
- # Enable the firewall
- #
- ${SYSCTL_W} net.inet6.ip6.fw.enable=1
-}
-
-load_rc_config $name
-run_rc_command "$1"
diff --git a/etc/rc.d/ipfw b/etc/rc.d/ipfw
index 872f278..dd7ab55 100755
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@@ -17,6 +17,8 @@ start_precmd="ipfw_prestart"
stop_cmd="ipfw_stop"
required_modules="ipfw"
+set_rcvar_obsolete ipv6_firewall_enable
+
ipfw_prestart()
{
if checkyesno dummynet_enable; then
@@ -61,7 +63,13 @@ ipfw_start()
# Enable the firewall
#
if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
- warn "failed to enable firewall"
+ warn "failed to enable IPv4 firewall"
+ fi
+ if afexists inet6; then
+ if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
+ then
+ warn "failed to enable IPv6 firewall"
+ fi
fi
}
@@ -70,6 +78,9 @@ ipfw_stop()
# Disable the firewall
#
${SYSCTL_W} net.inet.ip.fw.enable=0
+ if afexists inet6; then
+ ${SYSCTL_W} net.inet6.ip6.fw.enable=0
+ fi
if [ -f /etc/rc.d/natd ] ; then
/etc/rc.d/natd quietstop
fi
diff --git a/etc/rc.firewall b/etc/rc.firewall
index bc700d1..1eddde2 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -85,12 +85,42 @@ setup_loopback () {
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add 400 deny all from any to ::1
+ ${fwcmd} add 500 deny all from ::1 to any
+ fi
+}
+
+setup_ipv6_mandatory () {
+ [ $ipv6_available -eq 0 ] || return 0
+
+ ############
+ # Only in rare cases do you want to change these rules
+ #
+ # ND
+ #
+ # DAD
+ ${fwcmd} add pass ipv6-icmp from :: to ff02::/16
+ # RS, RA, NS, NA, redirect...
+ ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+ ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+
+ # Allow ICMPv6 destination unreach
+ ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
}
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
+. /etc/rc.subr
+. /etc/network.subr
+afexists inet6
+ipv6_available=$?
+
############
# Set quiet mode if requested
#
@@ -109,6 +139,7 @@ esac
${fwcmd} -f flush
setup_loopback
+setup_ipv6_mandatory
############
# Network Address Translation. All packets are passed to natd(8)
@@ -166,11 +197,13 @@ case ${firewall_type} in
# against people from outside your own network.
#
# Configuration:
- # firewall_client_net: Network address of local network.
+ # firewall_client_net: Network address of local IPv4 network.
+ # firewall_client_net_ipv6: Network address of local IPv6 network.
############
# set this to your local network
net="$firewall_client_net"
+ net6="$firewall_client_net_ipv6"
# Allow limited broadcast traffic from my own net.
${fwcmd} add pass all from ${net} to 255.255.255.255
@@ -178,6 +211,16 @@ case ${firewall_type} in
# Allow any traffic to or from my own net.
${fwcmd} add pass all from me to ${net}
${fwcmd} add pass all from ${net} to me
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass all from me6 to ${net6}
+ ${fwcmd} add pass all from ${net6} to me6
+ fi
+
+ if [ -n "$net6" ]; then
+ # Allow any link-local multicast traffic
+ ${fwcmd} add pass all from fe80::/10 to ff02::/16
+ ${fwcmd} add pass all from ${net6} to ff02::/16
+ fi
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
@@ -212,23 +255,38 @@ case ${firewall_type} in
# on the inside at this machine for those services.
#
# Configuration:
- # firewall_simple_iif: Inside network interface.
- # firewall_simple_inet: Inside network address.
- # firewall_simple_oif: Outside network interface.
- # firewall_simple_onet: Outside network address.
+ # firewall_simple_iif: Inside IPv4 network interface.
+ # firewall_simple_inet: Inside IPv4 network address.
+ # firewall_simple_oif: Outside IPv4 network interface.
+ # firewall_simple_onet: Outside IPv4 network address.
+ # firewall_simple_iif_ipv6: Inside IPv6 network interface.
+ # firewall_simple_inet_ipv6: Inside IPv6 network prefix.
+ # firewall_simple_oif_ipv6: Outside IPv6 network interface.
+ # firewall_simple_onet_ipv6: Outside IPv6 network prefix.
############
# set these to your outside interface network
oif="$firewall_simple_oif"
onet="$firewall_simple_onet"
+ oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}"
+ onet6="$firewall_simple_onet_ipv6"
# set these to your inside interface network
iif="$firewall_simple_iif"
inet="$firewall_simple_inet"
+ iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}"
+ inet6="$firewall_simple_inet_ipv6"
# Stop spoofing
${fwcmd} add deny all from ${inet} to any in via ${oif}
${fwcmd} add deny all from ${onet} to any in via ${iif}
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add deny all from ${inet6} to any in via ${oif6}
+ if [ -n "$onet6" ]; then
+ ${fwcmd} add deny all from ${onet6} to any in \
+ via ${iif6}
+ fi
+ fi
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
@@ -254,7 +312,7 @@ case ${firewall_type} in
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ ${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
fi
;;
esac
@@ -273,6 +331,55 @@ case ${firewall_type} in
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+ if [ -n "$inet6" ]; then
+ # Stop unique local unicast address on the outside interface
+ ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
+ ${fwcmd} add deny all from any to fc00::/7 via ${oif6}
+
+ # Stop site-local on the outside interface
+ ${fwcmd} add deny all from fec0::/10 to any via ${oif6}
+ ${fwcmd} add deny all from any to fec0::/10 via ${oif6}
+
+ # Disallow "internal" addresses to appear on the wire.
+ ${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \
+ via ${oif6}
+ ${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \
+ via ${oif6}
+
+ # Disallow packets to malicious IPv4 compatible prefix.
+ ${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6}
+ ${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6}
+ ${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6}
+ ${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6}
+ ${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6}
+
+ ${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6}
+ ${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6}
+
+ # Disallow packets to malicious 6to4 prefix.
+ ${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6}
+ ${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6}
+ ${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6}
+ ${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6}
+
+ ${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6}
+ ${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6}
+ ${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6}
+ ${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6}
+
+ ${fwcmd} add deny all from ff05::/16 to any via ${oif6}
+ ${fwcmd} add deny all from any to ff05::/16 via ${oif6}
+ fi
+
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
@@ -291,7 +398,11 @@ case ${firewall_type} in
${fwcmd} add pass tcp from any to me 80 setup
# Reject&Log all setup of incoming connections from the outside
- ${fwcmd} add deny log tcp from any to any in via ${oif} setup
+ ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
+ if [ -n "$inet6" ]; then
+ ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
+ setup proto tcp
+ fi
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
@@ -313,7 +424,7 @@ case ${firewall_type} in
# offers services.
# firewall_allowservices: List of IPs which has access to
# $firewall_myservices.
- # firewall_trusted: List of IPs which has full access
+ # firewall_trusted: List of IPv4s which has full access
# to this host. Be very carefull
# when setting this. This option can
# seriously degrade the level of
@@ -324,25 +435,44 @@ case ${firewall_type} in
# firewall_nologports: List of TCP/UDP ports for which
# denied incomming packets are not
# logged.
-
+ # firewall_trusted_ipv6: List of IPv6s which has full access
+ # to this host. Be very carefull
+ # when setting this. This option can
+ # seriously degrade the level of
+ # protection provided by the firewall.
+
# Allow packets for which a state has been built.
${fwcmd} add check-state
# For services permitted below.
${fwcmd} add pass tcp from me to any established
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add pass tcp from me6 to any established
+ fi
# Allow any connection out, adding state for each.
${fwcmd} add pass tcp from me to any setup keep-state
${fwcmd} add pass udp from me to any keep-state
${fwcmd} add pass icmp from me to any keep-state
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add pass tcp from me6 to any setup keep-state
+ ${fwcmd} add pass udp from me6 to any keep-state
+ ${fwcmd} add pass ipv6-icmp from me6 to any keep-state
+ fi
# Allow DHCP.
${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
${fwcmd} add pass udp from any 67 to me 68 in
${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add pass udp from fe80::/10 to me6 546 in
+ fi
# Some servers will ping the IP while trying to decide if it's
# still in use.
${fwcmd} add pass icmp from any to any icmptype 8
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
+ fi
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptype 3,4,11
@@ -361,6 +491,9 @@ case ${firewall_type} in
for i in ${firewall_allowservices} ; do
for j in ${firewall_myservices} ; do
${fwcmd} add pass tcp from $i to me $j
+ if [ $ipv6_available -eq 0 ]; then
+ ${fwcmd} add pass tcp from $i to me6 $j
+ fi
done
done
@@ -370,7 +503,10 @@ case ${firewall_type} in
for i in ${firewall_trusted} ; do
${fwcmd} add pass ip from $i to me
done
-
+ for i in ${firewall_trusted_ipv6} ; do
+ ${fwcmd} add pass all from $i to me6
+ done
+
${fwcmd} add 65000 count ip from any to any
# Drop packets to ports where we don't want logging
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
deleted file mode 100644
index 7498bbc68..0000000
--- a/etc/rc.firewall6
+++ /dev/null
@@ -1,295 +0,0 @@
-#!/bin/sh -
-############
-# Setup system for IPv6 firewall service.
-# $FreeBSD$
-
-# Suck in the configuration variables.
-if [ -z "${source_rc_confs_defined}" ]; then
- if [ -r /etc/defaults/rc.conf ]; then
- . /etc/defaults/rc.conf
- source_rc_confs
- elif [ -r /etc/rc.conf ]; then
- . /etc/rc.conf
- fi
-fi
-
-############
-# Define the firewall type in /etc/rc.conf. Valid values are:
-# open - will allow anyone in
-# client - will try to protect just this machine
-# simple - will try to protect a whole network
-# closed - totally disables IP services except via lo0 interface
-# UNKNOWN - disables the loading of firewall rules.
-# filename - will load the rules in the given filename (full path required)
-#
-# For ``client'' and ``simple'' the entries below should be customized
-# appropriately.
-
-############
-#
-# If you don't know enough about packet filtering, we suggest that you
-# take time to read this book:
-#
-# Building Internet Firewalls, 2nd Edition
-# Brent Chapman and Elizabeth Zwicky
-#
-# O'Reilly & Associates, Inc
-# ISBN 1-56592-871-7
-# http://www.ora.com/
-# http://www.oreilly.com/catalog/fire2/
-#
-# For a more advanced treatment of Internet Security read:
-#
-# Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
-# William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin
-#
-# Addison-Wesley / Prentice Hall
-# ISBN 0-201-63466-X
-# http://www.pearsonhighered.com/
-# http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html
-#
-
-setup_local () {
- ############
- # Only in rare cases do you want to change these rules
- #
- ${fw6cmd} add 100 pass ip6 from any to any via lo0
- ${fw6cmd} add 200 deny ip6 from any to ::1
- ${fw6cmd} add 300 deny ip6 from ::1 to any
- #
- # ND
- #
- # DAD
- ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
- # RS, RA, NS, NA, redirect...
- ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
- ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
-}
-
-if [ -n "${1}" ]; then
- ipv6_firewall_type="${1}"
-fi
-
-############
-# Set quiet mode if requested
-#
-case ${ipv6_firewall_quiet} in
-[Yy][Ee][Ss])
- fw6cmd="/sbin/ipfw -q"
- ;;
-*)
- fw6cmd="/sbin/ipfw"
- ;;
-esac
-
-############
-# Flush out the list before we begin.
-#
-${fw6cmd} -f flush
-
-############
-# If you just configured ipfw in the kernel as a tool to solve network
-# problems or you just want to disallow some particular kinds of traffic
-# then you will want to change the default policy to open. You can also
-# do this as your only action by setting the ipv6_firewall_type to ``open''.
-#
-# ${fw6cmd} add 65000 pass all from any to any
-
-
-# Prototype setups.
-#
-case ${ipv6_firewall_type} in
-[Oo][Pp][Ee][Nn])
- setup_local
- ${fw6cmd} add 65000 pass ip6 from any to any
- ;;
-
-[Cc][Ll][Ii][Ee][Nn][Tt])
- ############
- # This is a prototype setup that will protect your system somewhat
- # against people from outside your own network.
- ############
-
- # set these to your network and prefixlen and ip
- #
- # This needs more work
- #
- net="2001:db8:2:1::"
- prefixlen="64"
- ip="2001:db8:2:1::1"
-
- setup_local
-
- # Allow any traffic to or from my own net.
- ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen}
- ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip}
-
- # Allow any link-local multicast traffic
- ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16
- ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16
-
- # Allow TCP through if setup succeeded
- ${fw6cmd} add pass ip6 from any to any established proto tcp
-
- # Allow IP fragments to pass through
- ${fw6cmd} add pass ip6 from any to any frag
-
- # Allow setup of incoming email
- ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp
-
- # Allow setup of outgoing TCP connections only
- ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp
-
- # Disallow setup of all other TCP connections
- ${fw6cmd} add deny ip6 from any to any setup proto tcp
-
- # Allow DNS queries out in the world
- ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp
- ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp
-
- # Allow NTP queries out in the world
- ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp
- ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp
-
- # Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
-
- # Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
- proto ipv6-icmp
-
- # Everything else is denied by default, unless the
- # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
- # config file.
- ;;
-
-[Ss][Ii][Mm][Pp][Ll][Ee])
- ############
- # This is a prototype setup for a simple firewall. Configure this
- # machine as a DNS and NTP server, and point all the machines
- # on the inside at this machine for those services.
- ############
-
- # set these to your outside interface network and prefixlen and ip
- oif="ed0"
- onet="2001:db8:2:1::"
- oprefixlen="64"
- oip="2001:db8:2:1::1"
-
- # set these to your inside interface network and prefixlen and ip
- iif="ed1"
- inet="2001:db8:2:2::"
- iprefixlen="64"
- iip="2001:db8:2:2::1"
-
- setup_local
-
- # Stop spoofing
- ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif}
- ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif}
-
- # Stop unique local unicast address on the outside interface
- ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif}
-
- # Stop site-local on the outside interface
- ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif}
-
- # Disallow "internal" addresses to appear on the wire.
- ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif}
-
- # Disallow packets to malicious IPv4 compatible prefix.
- ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif}
- ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif}
- ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif}
- ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif}
-
- ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif}
-
- # Disallow packets to malicious 6to4 prefix.
- ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif}
- ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif}
- ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif}
- ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif}
-
- ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif}
- ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif}
- ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif}
-
- ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif}
- ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif}
-
- # Allow TCP through if setup succeeded
- ${fw6cmd} add pass tcp from any to any established
-
- # Allow IP fragments to pass through
- ${fw6cmd} add pass ip6 from any to any frag
-
- # Allow setup of incoming email
- ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp
-
- # Allow access to our DNS
- ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp
- ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp
- ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp
-
- # Allow access to our WWW
- ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp
-
- # Reject&Log all setup of incoming connections from the outside
- ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \
- proto tcp
-
- # Allow setup of any other TCP connection
- ${fw6cmd} add pass ip6 from any to any setup proto tcp
-
- # Allow DNS queries out in the world
- ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp
- ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp
-
- # Allow NTP queries out in the world
- ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp
- ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp
-
- # Allow RIPng
- #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp
- #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp
-
- # Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
-
- # Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
- proto ipv6-icmp
-
- # Everything else is denied by default, unless the
- # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
- # config file.
- ;;
-
-[Cc][Ll][Oo][Ss][Ee][Dd])
- # Only enable the loopback interface
- ${fw6cmd} add 100 pass ip6 from any to any via lo0
- ;;
-[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
- ;;
-*)
- if [ -r "${ipv6_firewall_type}" ]; then
- ${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type}
- fi
- ;;
-esac
OpenPOWER on IntegriCloud