Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6

and rc.d/ip6fw.

Reviewed by:	dougb, jhb
MFC after:	1 month

1 files changed, 146 insertions, 10 deletions

diff --git a/etc/rc.firewall b/etc/rc.firewall
index bc700d1..1eddde2 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -85,12 +85,42 @@ setup_loopback () {
 	${fwcmd} add 100 pass all from any to any via lo0
 	${fwcmd} add 200 deny all from any to 127.0.0.0/8
 	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+	if [ $ipv6_available -eq 0 ]; then
+		${fwcmd} add 400 deny all from any to ::1
+		${fwcmd} add 500 deny all from ::1 to any
+	fi
+}
+
+setup_ipv6_mandatory () {
+	[ $ipv6_available -eq 0 ] || return 0
+
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	# ND
+	#
+	# DAD
+	${fwcmd} add pass ipv6-icmp from :: to ff02::/16
+	# RS, RA, NS, NA, redirect...
+	${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+	${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+
+	# Allow ICMPv6 destination unreach
+	${fwcmd} add pass ipv6-icmp from any to any icmp6types 1
+
+	# Allow NS/NA/toobig (don't filter it out)
+	${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
 }
 
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
 
+. /etc/rc.subr
+. /etc/network.subr
+afexists inet6
+ipv6_available=$?
+
 ############
 # Set quiet mode if requested
 #
@@ -109,6 +139,7 @@ esac
 ${fwcmd} -f flush
 
 setup_loopback
+setup_ipv6_mandatory
 
 ############
 # Network Address Translation.  All packets are passed to natd(8)
@@ -166,11 +197,13 @@ case ${firewall_type} in
 	# against people from outside your own network.
 	#
 	# Configuration:
-	#  firewall_client_net:		Network address of local network.
+	#  firewall_client_net:		Network address of local IPv4 network.
+	#  firewall_client_net_ipv6:	Network address of local IPv6 network.
 	############
 
 	# set this to your local network
 	net="$firewall_client_net"
+	net6="$firewall_client_net_ipv6"
 
 	# Allow limited broadcast traffic from my own net.
 	${fwcmd} add pass all from ${net} to 255.255.255.255
@@ -178,6 +211,16 @@ case ${firewall_type} in
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from me to ${net}
 	${fwcmd} add pass all from ${net} to me
+	if [ -n "$net6" ]; then
+		${fwcmd} add pass all from me6 to ${net6}
+		${fwcmd} add pass all from ${net6} to me6
+	fi
+
+	if [ -n "$net6" ]; then
+		# Allow any link-local multicast traffic
+		${fwcmd} add pass all from fe80::/10 to ff02::/16
+		${fwcmd} add pass all from ${net6} to ff02::/16
+	fi
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
@@ -212,23 +255,38 @@ case ${firewall_type} in
 	# on the inside at this machine for those services.
 	#
 	# Configuration:
-	#  firewall_simple_iif:		Inside network interface.
-	#  firewall_simple_inet:	Inside network address.
-	#  firewall_simple_oif:		Outside network interface.
-	#  firewall_simple_onet:	Outside network address.
+	#  firewall_simple_iif:		Inside IPv4 network interface.
+	#  firewall_simple_inet:	Inside IPv4 network address.
+	#  firewall_simple_oif:		Outside IPv4 network interface.
+	#  firewall_simple_onet:	Outside IPv4 network address.
+	#  firewall_simple_iif_ipv6:	Inside IPv6 network interface.
+	#  firewall_simple_inet_ipv6:	Inside IPv6 network prefix.
+	#  firewall_simple_oif_ipv6:	Outside IPv6 network interface.
+	#  firewall_simple_onet_ipv6:	Outside IPv6 network prefix.
 	############
 
 	# set these to your outside interface network
 	oif="$firewall_simple_oif"
 	onet="$firewall_simple_onet"
+	oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}"
+	onet6="$firewall_simple_onet_ipv6"
 
 	# set these to your inside interface network
 	iif="$firewall_simple_iif"
 	inet="$firewall_simple_inet"
+	iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}"
+	inet6="$firewall_simple_inet_ipv6"
 
 	# Stop spoofing
 	${fwcmd} add deny all from ${inet} to any in via ${oif}
 	${fwcmd} add deny all from ${onet} to any in via ${iif}
+	if [ -n "$inet6" ]; then
+		${fwcmd} add deny all from ${inet6} to any in via ${oif6}
+		if [ -n "$onet6" ]; then
+			${fwcmd} add deny all from ${onet6} to any in \
+			    via ${iif6}
+		fi
+	fi
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
@@ -254,7 +312,7 @@ case ${firewall_type} in
 	case ${natd_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd all from any to any via ${natd_interface}
+			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
 		fi
 		;;
 	esac
@@ -273,6 +331,55 @@ case ${firewall_type} in
 	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
 	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
 
+	if [ -n "$inet6" ]; then
+		# Stop unique local unicast address on the outside interface
+		${fwcmd} add deny all from fc00::/7 to any via ${oif6}
+		${fwcmd} add deny all from any to fc00::/7 via ${oif6}
+
+		# Stop site-local on the outside interface
+		${fwcmd} add deny all from fec0::/10 to any via ${oif6}
+		${fwcmd} add deny all from any to fec0::/10 via ${oif6}
+
+		# Disallow "internal" addresses to appear on the wire.
+		${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \
+		    via ${oif6}
+		${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \
+		    via ${oif6}
+
+		# Disallow packets to malicious IPv4 compatible prefix.
+		${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6}
+		${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6}
+		${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6}
+		${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6}
+		${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6}
+		${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6}
+		${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6}
+		${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6}
+
+		${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6}
+		${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6}
+
+		# Disallow packets to malicious 6to4 prefix.
+		${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6}
+		${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6}
+		${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6}
+		${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6}
+
+		${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6}
+		${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6}
+		${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6}
+		${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6}
+
+		${fwcmd} add deny all from ff05::/16 to any via ${oif6}
+		${fwcmd} add deny all from any to ff05::/16 via ${oif6}
+	fi
+
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established
 
@@ -291,7 +398,11 @@ case ${firewall_type} in
 	${fwcmd} add pass tcp from any to me 80 setup
 
 	# Reject&Log all setup of incoming connections from the outside
-	${fwcmd} add deny log tcp from any to any in via ${oif} setup
+	${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
+	if [ -n "$inet6" ]; then
+		${fwcmd} add deny log ip6 from any to any in via ${oif6} \
+		    setup proto tcp
+	fi
 
 	# Allow setup of any other TCP connection
 	${fwcmd} add pass tcp from any to any setup
@@ -313,7 +424,7 @@ case ${firewall_type} in
 	#			 	 offers services.
 	#  firewall_allowservices:	List of IPs which has access to
 	#				 $firewall_myservices.
-	#  firewall_trusted:		List of IPs which has full access 
+	#  firewall_trusted:		List of IPv4s which has full access 
 	#				 to this host. Be very carefull 
 	#				 when setting this. This option can
 	#				 seriously degrade the level of 
@@ -324,25 +435,44 @@ case ${firewall_type} in
 	#  firewall_nologports:		List of TCP/UDP ports for which
 	#				 denied incomming packets are not
 	#				 logged.
-	
+	#  firewall_trusted_ipv6:	List of IPv6s which has full access 
+	#				 to this host. Be very carefull 
+	#				 when setting this. This option can
+	#				 seriously degrade the level of 
+	#				 protection provided by the firewall.
+
 	# Allow packets for which a state has been built.
 	${fwcmd} add check-state
 
 	# For services permitted below.
 	${fwcmd} add pass tcp  from me to any established
+	if [ $ipv6_available -eq 0 ]; then
+		${fwcmd} add pass tcp from me6 to any established
+	fi
 
 	# Allow any connection out, adding state for each.
 	${fwcmd} add pass tcp  from me to any setup keep-state
 	${fwcmd} add pass udp  from me to any       keep-state
 	${fwcmd} add pass icmp from me to any       keep-state
+	if [ $ipv6_available -eq 0 ]; then
+		${fwcmd} add pass tcp from me6 to any setup keep-state
+		${fwcmd} add pass udp from me6 to any keep-state
+		${fwcmd} add pass ipv6-icmp from me6 to any keep-state
+	fi
 
 	# Allow DHCP.
 	${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
 	${fwcmd} add pass udp  from any 67     to me 68 in
 	${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
+	if [ $ipv6_available -eq 0 ]; then
+		${fwcmd} add pass udp from fe80::/10 to me6 546 in
+	fi
 	# Some servers will ping the IP while trying to decide if it's 
 	# still in use.
 	${fwcmd} add pass icmp from any to any icmptype 8
+	if [ $ipv6_available -eq 0 ]; then
+		${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
+	fi
 
 	# Allow "mandatory" ICMP in.
 	${fwcmd} add pass icmp from any to any icmptype 3,4,11
@@ -361,6 +491,9 @@ case ${firewall_type} in
 	for i in ${firewall_allowservices} ; do
 	  for j in ${firewall_myservices} ; do
 	    ${fwcmd} add pass tcp from $i to me $j
+	    if [ $ipv6_available -eq 0 ]; then
+	      ${fwcmd} add pass tcp from $i to me6 $j
+	    fi
 	  done
 	done
 
@@ -370,7 +503,10 @@ case ${firewall_type} in
 	for i in ${firewall_trusted} ; do
 	  ${fwcmd} add pass ip from $i to me
 	done
-	
+	for i in ${firewall_trusted_ipv6} ; do
+	  ${fwcmd} add pass all from $i to me6
+	done
+
 	${fwcmd} add 65000 count ip from any to any
 
 	# Drop packets to ports where we don't want logging