authorsheldonh <sheldonh@FreeBSD.org>1999-09-13 15:44:20 +0000
committersheldonh <sheldonh@FreeBSD.org>1999-09-13 15:44:20 +0000
commitd8a93d30ec0f7b9de2d59dab07ac29c6f7f8f663 (patch)
treef61d8b7d858e07792674c281853167482e6806c5 /etc/rc.firewall
parent019fd9cb5fe17ed3ce93a28306ec3009d2a512f7 (diff)
downloadFreeBSD-src-d8a93d30ec0f7b9de2d59dab07ac29c6f7f8f663.zip
FreeBSD-src-d8a93d30ec0f7b9de2d59dab07ac29c6f7f8f663.tar.gz
Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case is a sh builtin and (as a side-effect) allows case-insensitivity. Changes discussed on freebsd-hackers. Submitted by: Doug Barton <Doug@gorean.org>
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r--etc/rc.firewall253
1 files changed, 138 insertions, 115 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index af93901..db20c2d 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -3,9 +3,9 @@
# $FreeBSD$
# Suck in the configuration variables.
-if [ -f /etc/defaults/rc.conf ]; then
+if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
-elif [ -f /etc/rc.conf ]; then
+elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
@@ -18,7 +18,7 @@ fi
# UNKNOWN - disables the loading of firewall rules.
# filename - will load the rules in the given filename (full path required)
#
-# For ``client'' and ``simple'' the entries below should be customized
+# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
############
@@ -44,20 +44,25 @@ fi
# http://www.awl.com/
#
-if [ -n "$1" ]; then
- firewall_type=$1
+if [ -n "${1}" ]; then
+ firewall_type="${1}"
fi
############
# Set quiet mode if requested
-if [ "${firewall_quiet}" = "YES" ]; then
+#
+case ${firewall_quiet} in
+[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
-else
+ ;;
+*)
fwcmd="/sbin/ipfw"
-fi
+ ;;
+esac
############
# Flush out the list before we begin.
+#
${fwcmd} -f flush
############
@@ -65,127 +70,145 @@ ${fwcmd} -f flush
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
-if [ "${natd_enable}" = "YES" -a "${natd_interface}" != "X" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
-fi
+#
+case ${natd_enable} in
+[Yy][Ee][Ss])
+ if [ -n "${natd_interface}" ]; then
+ ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ fi
+ ;;
+esac
############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# they you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
-
+#
# ${fwcmd} add 65000 pass all from any to any
############
# Only in rare cases do you want to change these rules
+#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# Prototype setups.
-if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
-
+#
+case ${firewall_type} in
+[Oo][Pp][Ee][Nn])
${fwcmd} add 65000 pass all from any to any
+ ;;
+[Cc][Ll][Ii][Ee][Nn][Tt])
-elif [ "${firewall_type}" = "client" ]; then
-
- ############
- # This is a prototype setup that will protect your system somewhat against
- # people from outside your own network.
- ############
-
- # set these to your network and netmask and ip
- net="192.168.4.0"
- mask="255.255.255.0"
- ip="192.168.4.17"
-
- # Allow any traffic to or from my own net.
- ${fwcmd} add pass all from ${ip} to ${net}:${mask}
- ${fwcmd} add pass all from ${net}:${mask} to ${ip}
-
- # Allow TCP through if setup succeeded
- ${fwcmd} add pass tcp from any to any established
-
- # Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${ip} 25 setup
-
- # Allow setup of outgoing TCP connections only
- ${fwcmd} add pass tcp from ${ip} to any setup
-
- # Disallow setup of all other TCP connections
- ${fwcmd} add deny tcp from any to any setup
-
- # Allow DNS queries out in the world
- ${fwcmd} add pass udp from any 53 to ${ip}
- ${fwcmd} add pass udp from ${ip} to any 53
-
- # Allow NTP queries out in the world
- ${fwcmd} add pass udp from any 123 to ${ip}
- ${fwcmd} add pass udp from ${ip} to any 123
-
- # Everything else is denied as default.
-
-elif [ "${firewall_type}" = "simple" ]; then
-
- ############
- # This is a prototype setup for a simple firewall. Configure this machine
- # as a named server and ntp server, and point all the machines on the inside
- # at this machine for those services.
- ############
-
- # set these to your outside interface network and netmask and ip
- oif="ed0"
- onet="192.168.4.0"
- omask="255.255.255.0"
- oip="192.168.4.17"
-
- # set these to your inside interface network and netmask and ip
- iif="ed1"
- inet="192.168.3.0"
- imask="255.255.255.0"
- iip="192.168.3.17"
-
- # Stop spoofing
- ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
- ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
-
- # Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
- ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
- ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
- ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
-
- # Allow TCP through if setup succeeded
- ${fwcmd} add pass tcp from any to any established
-
- # Allow setup of incoming email
- ${fwcmd} add pass tcp from any to ${oip} 25 setup
-
- # Allow access to our DNS
- ${fwcmd} add pass tcp from any to ${oip} 53 setup
-
- # Allow access to our WWW
- ${fwcmd} add pass tcp from any to ${oip} 80 setup
-
- # Reject&Log all setup of incoming connections from the outside
- ${fwcmd} add deny log tcp from any to any in via ${oif} setup
-
- # Allow setup of any other TCP connection
- ${fwcmd} add pass tcp from any to any setup
-
- # Allow DNS queries out in the world
- ${fwcmd} add pass udp from any 53 to ${oip}
- ${fwcmd} add pass udp from ${oip} to any 53
-
- # Allow NTP queries out in the world
- ${fwcmd} add pass udp from any 123 to ${oip}
- ${fwcmd} add pass udp from ${oip} to any 123
-
- # Everything else is denied as default.
-
-elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
- ${fwcmd} ${firewall_type}
-fi
+ ############
+ # This is a prototype setup that will protect your system somewhat
+ # against people from outside your own network.
+ ############
+
+ # set these to your network and netmask and ip
+ net="192.168.4.0"
+ mask="255.255.255.0"
+ ip="192.168.4.17"
+
+ # Allow any traffic to or from my own net.
+ ${fwcmd} add pass all from ${ip} to ${net}:${mask}
+ ${fwcmd} add pass all from ${net}:${mask} to ${ip}
+
+ # Allow TCP through if setup succeeded
+ ${fwcmd} add pass tcp from any to any established
+
+ # Allow setup of incoming email
+ ${fwcmd} add pass tcp from any to ${ip} 25 setup
+
+ # Allow setup of outgoing TCP connections only
+ ${fwcmd} add pass tcp from ${ip} to any setup
+
+ # Disallow setup of all other TCP connections
+ ${fwcmd} add deny tcp from any to any setup
+
+ # Allow DNS queries out in the world
+ ${fwcmd} add pass udp from any 53 to ${ip}
+ ${fwcmd} add pass udp from ${ip} to any 53
+
+ # Allow NTP queries out in the world
+ ${fwcmd} add pass udp from any 123 to ${ip}
+ ${fwcmd} add pass udp from ${ip} to any 123
+
+ # Everything else is denied by default, unless the
+ # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
+ # config file.
+ ;;
+
+[Ss][Ii][Mm][Pp][Ll][Ee])
+
+ ############
+ # This is a prototype setup for a simple firewall. Configure this
+ # machine as a named server and ntp server, and point all the machines
+ # on the inside at this machine for those services.
+ ############
+
+ # set these to your outside interface network and netmask and ip
+ oif="ed0"
+ onet="192.168.4.0"
+ omask="255.255.255.0"
+ oip="192.168.4.17"
+
+ # set these to your inside interface network and netmask and ip
+ iif="ed1"
+ inet="192.168.3.0"
+ imask="255.255.255.0"
+ iip="192.168.3.17"
+
+ # Stop spoofing
+ ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
+ ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
+
+ # Stop RFC1918 nets on the outside interface
+ ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
+ ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
+ ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
+ ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
+ ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+ ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+
+ # Allow TCP through if setup succeeded
+ ${fwcmd} add pass tcp from any to any established
+
+ # Allow setup of incoming email
+ ${fwcmd} add pass tcp from any to ${oip} 25 setup
+
+ # Allow access to our DNS
+ ${fwcmd} add pass tcp from any to ${oip} 53 setup
+
+ # Allow access to our WWW
+ ${fwcmd} add pass tcp from any to ${oip} 80 setup
+
+ # Reject&Log all setup of incoming connections from the outside
+ ${fwcmd} add deny log tcp from any to any in via ${oif} setup
+
+ # Allow setup of any other TCP connection
+ ${fwcmd} add pass tcp from any to any setup
+
+ # Allow DNS queries out in the world
+ ${fwcmd} add pass udp from any 53 to ${oip}
+ ${fwcmd} add pass udp from ${oip} to any 53
+
+ # Allow NTP queries out in the world
+ ${fwcmd} add pass udp from any 123 to ${oip}
+ ${fwcmd} add pass udp from ${oip} to any 123
+
+ # Everything else is denied by default, unless the
+ # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
+ # config file.
+ ;;
+
+[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
+ ;;
+*)
+ if [ -r "${firewall_type}" ]; then
+ ${fwcmd} ${firewall_type}
+ fi
+ ;;
+esac
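Review bot: The natd check in the `case ${natd_enable}` block now accepts any non-empty `natd_interface`, whereas the removed condition also rejected the literal value `X`; if that placeholder is still what the defaults file ships (the old test suggests it served as a sentinel, which is not visible in this hunk), a system with natd_enable=YES and the default left untouched would now get a divert rule installed with `via X`. Keeping both tests, `if [ -n "${natd_interface}" ] && [ "${natd_interface}" != "X" ]; then`, preserves the previous behaviour until the default value is confirmed. Separately, the `*)` arm is silent when `${firewall_type}` names a missing or unreadable file, so a typo in rc.conf leaves only rules 100 and 200 installed after the flush with no diagnostic; an `else echo "rc.firewall: ${firewall_type}: not readable" >&2` branch makes that visible at boot. The rules-file invocation should also quote its argument, `${fwcmd} "${firewall_type}"`, to match the quoted `-r` test immediately above it.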