diff options
| author | danny <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
|---|---|---|
| committer | danny <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
| commit | 347e2e3c367cf81b878169973f92ca840bdc2f79 (patch) | |
| tree | d4778f03cfb9ffe99f176497f48c54a1dddcdbe9 /etc/rc.firewall | |
| parent | 03e311c03496f6d71419c283ba3b3b5106a68144 (diff) | |
| download | FreeBSD-src-347e2e3c367cf81b878169973f92ca840bdc2f79.zip FreeBSD-src-347e2e3c367cf81b878169973f92ca840bdc2f79.tar.gz | |
Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.
Diffstat (limited to 'etc/rc.firewall')
| -rw-r--r-- | etc/rc.firewall | 104 |
1 files changed, 60 insertions, 44 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall index b0e29ba..5bfaedc 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -1,17 +1,18 @@ ############ # Setup system for firewall service. -# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $ +# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $ ############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) # -# >>Warning<< -# This file is not very old yet, and have been put together without much -# testing of the contents. - -# Set this to be the type of firewall you want: open, client, simple or NONE. -# ``open'' will allow anyone in, ``client'' will try to protect just one -# machine and ``simple'' will try to protect a whole network (entries should -# be customized appropriately below). To let no one in, use NONE. +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. ############ # @@ -36,9 +37,21 @@ # http://www.awl.com/ # +if [ "x$1" != "x" ]; then + firewall_type=$1 +fi + +############ +# Set quiet mode if requested +if [ "x$firewall_quiet" = "xYES" ]; then + fwcmd="/sbin/ipfw -q" +else + fwcmd="/sbin/ipfw" +fi + ############ # Flush out the list before we begin. -/sbin/ipfw -f flush +$fwcmd -f flush ############ # If you just configured ipfw in the kernel as a tool to solve network @@ -46,19 +59,23 @@ # they you will want to change the default policy to open. You can also # do this as your only action by setting the firewall_type to ``open''. -# /sbin/ipfw add 65000 pass all from any to any +# $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change this rule -/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 +$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 # Prototype setups. -if [ "${firewall}" = "open" ]; then +if [ "${firewall_type}" = "open" ]; then + + $fwcmd add 65000 pass all from any to any - /sbin/ipfw add 65000 pass all from any to any +elif [ "${firewall_type}" = "simple" ]; then -elif [ "${firewall}" = "client" ]; then + $fwcmd add 65000 pass all from any to any via lo0 + +elif [ "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against @@ -71,32 +88,32 @@ elif [ "${firewall}" = "client" ]; then ip="192.168.4.17" # Allow any traffic to or from my own net. - /sbin/ipfw add pass all from ${ip} to ${net}:${mask} - /sbin/ipfw add pass all from ${net}:${mask} to ${ip} + $fwcmd add pass all from ${ip} to ${net}:${mask} + $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${ip} 25 setup + $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only - /sbin/ipfw add pass tcp from ${ip} to any setup + $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections - /sbin/ipfw add deny tcp from any to any setup + $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 53 + $fwcmd add pass udp from any 53 to ${ip} + $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 123 + $fwcmd add pass udp from any 123 to ${ip} + $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" = "simple" ]; then +elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine @@ -117,43 +134,42 @@ elif [ "${firewall}" = "simple" ]; then iip="192.168.3.17" # Stop spoofing - /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} - /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} + $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${oip} 25 setup + $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS - /sbin/ipfw add pass tcp from any to ${oip} 53 setup + $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW - /sbin/ipfw add pass tcp from any to ${oip} 80 setup + $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside - /sbin/ipfw add deny log tcp from any to any in via ${oif} setup + $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection - /sbin/ipfw add pass tcp from any to any setup + $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} - /sbin/ipfw add pass udp from ${oip} to any 53 + $fwcmd add pass udp from any 53 to ${oip} + $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} - /sbin/ipfw add pass udp from ${oip} to any 123 + $fwcmd add pass udp from any 123 to ${oip} + $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then - - /sbin/ipfw ${firewall} +elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then + $fwcmd ${firewall} fi |
