summaryrefslogtreecommitdiffstats
path: root/etc/rc.firewall
diff options
context:
space:
mode:
authordanny <danny@FreeBSD.org>1997-09-11 10:59:02 +0000
committerdanny <danny@FreeBSD.org>1997-09-11 10:59:02 +0000
commit347e2e3c367cf81b878169973f92ca840bdc2f79 (patch)
treed4778f03cfb9ffe99f176497f48c54a1dddcdbe9 /etc/rc.firewall
parent03e311c03496f6d71419c283ba3b3b5106a68144 (diff)
downloadFreeBSD-src-347e2e3c367cf81b878169973f92ca840bdc2f79.zip
FreeBSD-src-347e2e3c367cf81b878169973f92ca840bdc2f79.tar.gz
Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r--etc/rc.firewall104
1 files changed, 60 insertions, 44 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index b0e29ba..5bfaedc 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -1,17 +1,18 @@
############
# Setup system for firewall service.
-# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $
+# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $
############
+# Define the firewall type in /etc/rc.conf. Valid values are:
+# open - will allow anyone in
+# client - will try to protect just this machine
+# simple - will try to protect a whole network
+# closed - totally disables IP services except via lo0 interface
+# UNKNOWN - disables the loading of firewall rules.
+# filename - will load the rules in the given filename (full path required)
#
-# >>Warning<<
-# This file is not very old yet, and have been put together without much
-# testing of the contents.
-
-# Set this to be the type of firewall you want: open, client, simple or NONE.
-# ``open'' will allow anyone in, ``client'' will try to protect just one
-# machine and ``simple'' will try to protect a whole network (entries should
-# be customized appropriately below). To let no one in, use NONE.
+# For ``client'' and ``simple'' the entries below should be customized
+# appropriately.
############
#
@@ -36,9 +37,21 @@
# http://www.awl.com/
#
+if [ "x$1" != "x" ]; then
+ firewall_type=$1
+fi
+
+############
+# Set quiet mode if requested
+if [ "x$firewall_quiet" = "xYES" ]; then
+ fwcmd="/sbin/ipfw -q"
+else
+ fwcmd="/sbin/ipfw"
+fi
+
############
# Flush out the list before we begin.
-/sbin/ipfw -f flush
+$fwcmd -f flush
############
# If you just configured ipfw in the kernel as a tool to solve network
@@ -46,19 +59,23 @@
# they you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
-# /sbin/ipfw add 65000 pass all from any to any
+# $fwcmd add 65000 pass all from any to any
############
# Only in rare cases do you want to change this rule
-/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
+$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1
# Prototype setups.
-if [ "${firewall}" = "open" ]; then
+if [ "${firewall_type}" = "open" ]; then
+
+ $fwcmd add 65000 pass all from any to any
- /sbin/ipfw add 65000 pass all from any to any
+elif [ "${firewall_type}" = "simple" ]; then
-elif [ "${firewall}" = "client" ]; then
+ $fwcmd add 65000 pass all from any to any via lo0
+
+elif [ "${firewall_type}" = "client" ]; then
############
# This is a prototype setup that will protect your system somewhat against
@@ -71,32 +88,32 @@ elif [ "${firewall}" = "client" ]; then
ip="192.168.4.17"
# Allow any traffic to or from my own net.
- /sbin/ipfw add pass all from ${ip} to ${net}:${mask}
- /sbin/ipfw add pass all from ${net}:${mask} to ${ip}
+ $fwcmd add pass all from ${ip} to ${net}:${mask}
+ $fwcmd add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
- /sbin/ipfw add pass tcp from any to any established
+ $fwcmd add pass tcp from any to any established
# Allow setup of incoming email
- /sbin/ipfw add pass tcp from any to ${ip} 25 setup
+ $fwcmd add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
- /sbin/ipfw add pass tcp from ${ip} to any setup
+ $fwcmd add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
- /sbin/ipfw add deny tcp from any to any setup
+ $fwcmd add deny tcp from any to any setup
# Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${ip}
- /sbin/ipfw add pass udp from ${ip} to any 53
+ $fwcmd add pass udp from any 53 to ${ip}
+ $fwcmd add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${ip}
- /sbin/ipfw add pass udp from ${ip} to any 123
+ $fwcmd add pass udp from any 123 to ${ip}
+ $fwcmd add pass udp from ${ip} to any 123
# Everything else is denied as default.
-elif [ "${firewall}" = "simple" ]; then
+elif [ "${firewall_type}" = "simple" ]; then
############
# This is a prototype setup for a simple firewall. Configure this machine
@@ -117,43 +134,42 @@ elif [ "${firewall}" = "simple" ]; then
iip="192.168.3.17"
# Stop spoofing
- /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
- /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
+ $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
+ $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
- /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
- /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
- /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
+ $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
+ $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
+ $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
# Allow TCP through if setup succeeded
- /sbin/ipfw add pass tcp from any to any established
+ $fwcmd add pass tcp from any to any established
# Allow setup of incoming email
- /sbin/ipfw add pass tcp from any to ${oip} 25 setup
+ $fwcmd add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
- /sbin/ipfw add pass tcp from any to ${oip} 53 setup
+ $fwcmd add pass tcp from any to ${oip} 53 setup
# Allow access to our WWW
- /sbin/ipfw add pass tcp from any to ${oip} 80 setup
+ $fwcmd add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
- /sbin/ipfw add deny log tcp from any to any in via ${oif} setup
+ $fwcmd add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
- /sbin/ipfw add pass tcp from any to any setup
+ $fwcmd add pass tcp from any to any setup
# Allow DNS queries out in the world
- /sbin/ipfw add pass udp from any 53 to ${oip}
- /sbin/ipfw add pass udp from ${oip} to any 53
+ $fwcmd add pass udp from any 53 to ${oip}
+ $fwcmd add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
- /sbin/ipfw add pass udp from any 123 to ${oip}
- /sbin/ipfw add pass udp from ${oip} to any 123
+ $fwcmd add pass udp from any 123 to ${oip}
+ $fwcmd add pass udp from ${oip} to any 123
# Everything else is denied as default.
-elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then
-
- /sbin/ipfw ${firewall}
+elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then
+ $fwcmd ${firewall}
fi
OpenPOWER on IntegriCloud