diff options
author | phk <phk@FreeBSD.org> | 1996-04-03 17:13:59 +0000 |
---|---|---|
committer | phk <phk@FreeBSD.org> | 1996-04-03 17:13:59 +0000 |
commit | abe01fc216610ef595aa803c7743529793feb35e (patch) | |
tree | 0c72fbbefd760872a0e9194084568b7d567a09b3 /etc/rc.firewall | |
parent | 8a4381b139489559851a24f7e7088354b0acf624 (diff) | |
download | FreeBSD-src-abe01fc216610ef595aa803c7743529793feb35e.zip FreeBSD-src-abe01fc216610ef595aa803c7743529793feb35e.tar.gz |
Add skeleton firewall setup(s). Comments very welcome.
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r-- | etc/rc.firewall | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall new file mode 100644 index 0000000..026334c --- /dev/null +++ b/etc/rc.firewall @@ -0,0 +1,133 @@ +############ +# Setup system for firewall service. +# $Id$ + +############ +# +# >>Warning<< +# This file is not very old yet, and have been put together without much +# test of the contents. + +############ +# +# If you don't know enough about packet filtering, we suggest that you +# take time to read this book: +# +# Firewalls & Internet Security +# Repelling the wily hacker +# William R. Cheswick, Steven M. Bellowin +# +# Addison-Wesley +# ISBN 0-201-6337-4 +# + +############ +# If you just configured ipfw in the kernel as a tool to solve network +# problems or you just want to disallow some particular kinds of traffic +# they you will want to change the default policy to open. + +# /sbin/ipfw add 65000 pass all from any to any + +############ +# Only in rare cases do you want to change this rule +/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 + +############ +# This is a prototype setup that will protect your system somewhat against +# people from outside your own network. +# +# To enable simply change "false" to "true" in the if line and set the +# variables to your network parameters + +if false ; then + # set these to your network and netmask and ip + net="192.168.4.0" + mask="255.255.255.0" + ip="192.168.4.17" + + # Allow any traffic to or from my own net. + /sbin/ipfw add pass all from ${ip} to ${net}:${mask} + /sbin/ipfw add pass all from ${net}:${mask} to ${ip} + + # Allow TCP through if setup succeeded + /sbin/ipfw add deny tcp from any to any established + + # Allow setup of incoming email + /sbin/ipfw add pass tcp from any to ${ip} 25 setup + + # Allow setup of outgoing TCP connections only + /sbin/ipfw add pass tcp from ${ip} to any setup + + # Disallow setup of all other TCP connections + /sbin/ipfw add deny tcp from any to any setup + + # Allow DNS queries out in the world + /sbin/ipfw add pass udp from any 53 to ${ip} + /sbin/ipfw add pass udp from ${ip} to any 53 + + # Allow NTP queries out in the world + /sbin/ipfw add pass udp from any 123 to ${ip} + /sbin/ipfw add pass udp from ${ip} to any 123 + + # Everyting else is denied as default. +fi + +############ +# This is a prototype setup for a simple firewall. Configure this machine +# as a named server and ntp server, and point all the machines on the inside +# at this machine for those services. +# +# To enable simply change "false" to "true" in the if line and set the +# variables to your network parameters + +if false ; then + # set these to your outside interface network and netmask and ip + oif="ed0" + onet="192.168.4.0" + omask="255.255.255.0" + oip="192.168.4.17" + + # set these to your inside interface network and netmask and ip + iif="ed1" + inet="192.168.3.0" + imask="255.255.255.0" + iip="192.168.3.17" + + # Stop spoofing + /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} + /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} + + # Stop RFC1918 nets on the outside interface + /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + + # Allow TCP through if setup succeeded + /sbin/ipfw add deny tcp from any to any established + + # Allow setup of incoming email + /sbin/ipfw add pass tcp from any to ${oip} 25 setup + + # Allow access to our DNS + /sbin/ipfw add pass tcp from any to ${oip} 53 setup + + # Allow access to our WWW + /sbin/ipfw add pass tcp from any to ${oip} 80 setup + + # Reject&Log all setup of incoming connections from the outside + /sbin/ipfw add deny log tcp from any to any in via ${oif} setup + + # Allow setup of any other TCP connection + /sbin/ipfw add pass tcp from any to any setup + + # Allow DNS queries out in the world + /sbin/ipfw add pass udp from any 53 to ${oip} + /sbin/ipfw add pass udp from ${oip} to any 53 + + # Allow NTP queries out in the world + /sbin/ipfw add pass udp from any 123 to ${oip} + /sbin/ipfw add pass udp from ${oip} to any 123 + + # Everyting else is denied as default. +fi + |