authormlaier <mlaier@FreeBSD.org>2006-05-12 19:17:34 +0000
committermlaier <mlaier@FreeBSD.org>2006-05-12 19:17:34 +0000
commit23ea781ace4085a281de5182a8204c5d78bbcb7a (patch)
tree575ed05e633db17f9a9f7be224bd7e1404bb559d /etc/rc.firewall6
parent8ee51ef3f4051cfbc08eb92250470c24b71590c2 (diff)
Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw scripts as well.
Diffstat (limited to 'etc/rc.firewall6')
-rw-r--r--etc/rc.firewall6159
1 files changed, 81 insertions, 78 deletions
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index c14a09a..d9e7601 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
@@ -54,17 +54,17 @@ setup_local () {
############
# Only in rare cases do you want to change these rules
#
- ${fw6cmd} add 100 pass all from any to any via lo0
- ${fw6cmd} add 200 deny all from any to ::1
- ${fw6cmd} add 300 deny all from ::1 to any
+ ${fw6cmd} add 100 pass ip6 from any to any via lo0
+ ${fw6cmd} add 200 deny ip6 from any to ::1
+ ${fw6cmd} add 300 deny ip6 from ::1 to any
#
# ND
#
# DAD
- ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+ ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
# RS, RA, NS, NA, redirect...
- ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
- ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+ ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+ ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
}
if [ -n "${1}" ]; then
@@ -76,10 +76,10 @@ fi
#
case ${ipv6_firewall_quiet} in
[Yy][Ee][Ss])
- fw6cmd="/sbin/ip6fw -q"
+ fw6cmd="/sbin/ipfw -q"
;;
*)
- fw6cmd="/sbin/ip6fw"
+ fw6cmd="/sbin/ipfw"
;;
esac
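Review bot: Switching fw6cmd from /sbin/ip6fw to /sbin/ipfw changes what the `${fw6cmd} -f flush` shown in the next hunk's header clears: ip6fw had its own table, whereas ipfw is dual-stack, so this script now appears to wipe every IPv4 rule that rc.firewall installed whenever it runs (including a service restart). Whether the updated rc.d ordering mentioned in the commit message guarantees rc.firewall6 never runs after rc.firewall cannot be seen from this diff, so at minimum the hazard deserves a comment next to the assignment, e.g. `# NOTE: ipfw is dual-stack; the flush below also clears the IPv4 rules loaded by rc.firewall`. If the shared ruleset is intended, consider skipping the flush when firewall_enable is set, or documenting that only one of the two scripts should flush.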
@@ -102,7 +102,7 @@ ${fw6cmd} -f flush
case ${ipv6_firewall_type} in
[Oo][Pp][Ee][Nn])
setup_local
- ${fw6cmd} add 65000 pass all from any to any
+ ${fw6cmd} add 65000 pass ip6 from any to any
;;
[Cc][Ll][Ii][Ee][Nn][Tt])
@@ -122,41 +122,42 @@ case ${ipv6_firewall_type} in
setup_local
# Allow any traffic to or from my own net.
- ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
- ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
+ ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen}
+ ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip}
# Allow any link-local multicast traffic
- ${fw6cmd} add pass all from fe80::/10 to ff02::/16
- ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
+ ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16
+ ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16
# Allow TCP through if setup succeeded
- ${fw6cmd} add pass tcp from any to any established
+ ${fw6cmd} add pass ip6 from any to any established proto tcp
# Allow IP fragments to pass through
- ${fw6cmd} add pass all from any to any frag
+ ${fw6cmd} add pass ip6 from any to any frag
# Allow setup of incoming email
- ${fw6cmd} add pass tcp from any to ${ip} 25 setup
+ ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp
# Allow setup of outgoing TCP connections only
- ${fw6cmd} add pass tcp from ${ip} to any setup
+ ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp
# Disallow setup of all other TCP connections
- ${fw6cmd} add deny tcp from any to any setup
+ ${fw6cmd} add deny ip6 from any to any setup proto tcp
# Allow DNS queries out in the world
- ${fw6cmd} add pass udp from any 53 to ${ip}
- ${fw6cmd} add pass udp from ${ip} to any 53
+ ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp
+ ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp
# Allow NTP queries out in the world
- ${fw6cmd} add pass udp from any 123 to ${ip}
- ${fw6cmd} add pass udp from ${ip} to any 123
+ ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp
+ ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp
# Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+ ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
# Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
+ ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
+ proto ipv6-icmp
# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
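Review bot: The closing comment of this hunk still tells the reader to look for the ip6fw kernel option `IPV6FIREWALL_DEFAULT_TO_ACCEPT`, but every rule in the block is now loaded through /sbin/ipfw, whose default-accept behaviour is governed by the ipfw option; someone checking their kernel config against this comment would look for the wrong knob. Suggested text: `# Everything else is denied by default, unless the` / `# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel`. The same two comment lines recur at the end of the simple section later in the diff. This case arm continues past the end of the hunk.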
@@ -185,94 +186,96 @@ case ${ipv6_firewall_type} in
setup_local
# Stop spoofing
- ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
- ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
+ ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif}
+ ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif}
# Stop unique local unicast address on the outside interface
- ${fw6cmd} add deny all from fc00::/7 to any via ${oif}
- ${fw6cmd} add deny all from any to fc00::/7 via ${oif}
+ ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif}
# Stop site-local on the outside interface
- ${fw6cmd} add deny all from fec0::/10 to any via ${oif}
- ${fw6cmd} add deny all from any to fec0::/10 via ${oif}
+ ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif}
# Disallow "internal" addresses to appear on the wire.
- ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}
+ ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif}
# Disallow packets to malicious IPv4 compatible prefix.
- ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
- ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
- ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
- ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
- ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}
-
- ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}
+ ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif}
+ ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif}
+ ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif}
+ ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif}
+
+ ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif}
# Disallow packets to malicious 6to4 prefix.
- ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
- ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}
-
- ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
- ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}
-
- ${fw6cmd} add deny all from ff05::/16 to any via ${oif}
- ${fw6cmd} add deny all from any to ff05::/16 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif}
+
+ ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif}
+
+ ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif}
# Allow TCP through if setup succeeded
${fw6cmd} add pass tcp from any to any established
# Allow IP fragments to pass through
- ${fw6cmd} add pass all from any to any frag
+ ${fw6cmd} add pass ip6 from any to any frag
# Allow setup of incoming email
- ${fw6cmd} add pass tcp from any to ${oip} 25 setup
+ ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp
# Allow access to our DNS
- ${fw6cmd} add pass tcp from any to ${oip} 53 setup
- ${fw6cmd} add pass udp from any to ${oip} 53
- ${fw6cmd} add pass udp from ${oip} 53 to any
+ ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp
+ ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp
+ ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp
# Allow access to our WWW
- ${fw6cmd} add pass tcp from any to ${oip} 80 setup
+ ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp
# Reject&Log all setup of incoming connections from the outside
- ${fw6cmd} add deny log tcp from any to any in via ${oif} setup
+ ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \
+ proto tcp
# Allow setup of any other TCP connection
- ${fw6cmd} add pass tcp from any to any setup
+ ${fw6cmd} add pass ip6 from any to any setup proto tcp
# Allow DNS queries out in the world
- ${fw6cmd} add pass udp from any 53 to ${oip}
- ${fw6cmd} add pass udp from ${oip} to any 53
+ ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp
+ ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp
# Allow NTP queries out in the world
- ${fw6cmd} add pass udp from any 123 to ${oip}
- ${fw6cmd} add pass udp from ${oip} to any 123
+ ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp
+ ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp
# Allow RIPng
- #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
- #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
+ #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp
+ #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp
# Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+ ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
# Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
+ ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
+ proto ipv6-icmp
# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
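Review bot: The established rule `${fw6cmd} add pass tcp from any to any established` in this hunk was left in its ip6fw form while its twin in the client section became `pass ip6 from any to any established proto tcp`. With fw6cmd now being /sbin/ipfw, a bare `tcp` appears to match both address families, so this one rule would also admit any IPv4 TCP segment carrying ACK or RST into the shared ruleset, ahead of or behind rc.firewall's own rules depending on load order. It should read `${fw6cmd} add pass ip6 from any to any established proto tcp` for consistency with the rest of the conversion. The trailing comment here likewise still names the ip6fw-era `IPV6FIREWALL_DEFAULT_TO_ACCEPT` option rather than the ipfw one; this case arm continues past the hunk.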
@@ -281,7 +284,7 @@ case ${ipv6_firewall_type} in
[Cc][Ll][Oo][Ss][Ee][Dd])
# Only enable the loopback interface
- ${fw6cmd} add 100 pass all from any to any via lo0
+ ${fw6cmd} add 100 pass ip6 from any to any via lo0
;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
;;