author | mlaier <mlaier@FreeBSD.org> | 2006-05-12 19:17:34 +0000 |
---|---|---|
committer | mlaier <mlaier@FreeBSD.org> | 2006-05-12 19:17:34 +0000 |
commit | 23ea781ace4085a281de5182a8204c5d78bbcb7a (patch) | |
tree | 575ed05e633db17f9a9f7be224bd7e1404bb559d /etc | |
parent | 8ee51ef3f4051cfbc08eb92250470c24b71590c2 (diff) | |
Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/defaults/periodic.conf | 6 | ||||
-rwxr-xr-x | etc/periodic/security/600.ip6fwdenied | 53 | ||||
-rwxr-xr-x | etc/periodic/security/650.ip6fwlimit | 63 | ||||
-rw-r--r-- | etc/periodic/security/Makefile | 2 | ||||
-rw-r--r-- | etc/rc.d/ip6fw | 6 | ||||
-rw-r--r-- | etc/rc.firewall6 | 159 |
6 files changed, 84 insertions, 205 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 8f9d241..e73024d 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -171,15 +171,9 @@ daily_status_security_pfdenied_enable="YES"
 # 550.ipfwlimit
 daily_status_security_ipfwlimit_enable="YES"
-# 600.ip6fwdenied
-daily_status_security_ip6fwdenied_enable="YES"
-
 # 610.ipf6denied
 daily_status_security_ipf6denied_enable="YES"
-# 650.ip6fwlimit
-daily_status_security_ip6fwlimit_enable="YES"
-
 # 700.kernelmsg
 daily_status_security_kernelmsg_enable="YES"
diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied
deleted file mode 100755
index 418ba17..0000000
--- a/etc/periodic/security/600.ip6fwdenied
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/sh
-
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-. /etc/periodic/security/security.functions
-
-rc=0
-
-case "$daily_status_security_ip6fwdenied_enable" in
- [Yy][Ee][Ss])
- TMP=`mktemp -t security`
- if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
- fi
- rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
-
-exit $rc
diff --git a/etc/periodic/security/650.ip6fwlimit b/etc/periodic/security/650.ip6fwlimit
deleted file mode 100755
index eaf4b10..0000000
--- a/etc/periodic/security/650.ip6fwlimit
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/sh
-
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# Show ip6fw rules which have reached the log limit
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-rc=0
-
-case "$daily_status_security_ip6fwlimit_enable" in
- [Yy][Ee][Ss])
- TMP=`mktemp -t security`
- IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
- if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
- ip6fw -a l | grep " log " | \
- grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
- awk -v limit="$IPFW_LOG_LIMIT" \
- '{if ($2 > limit) {print $0}}' > ${TMP}
- if [ -s "${TMP}" ]; then
- rc=1
- echo ""
- echo 'ip6fw log limit reached:'
- cat ${TMP}
- fi
- fi
- rm -f ${TMP};;
- *) rc=0;;
-esac
-
-exit $rc
diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile
index f8f405f..caf772c 100644
--- a/etc/periodic/security/Makefile
+++ b/etc/periodic/security/Makefile
@@ -8,8 +8,6 @@ FILES= 100.chksetuid \
 510.ipfdenied \
 520.pfdenied \
 550.ipfwlimit \
- 600.ip6fwdenied \
- 650.ip6fwlimit \
 700.kernelmsg \
 800.loginfail \
 900.tcpwrap \
diff --git a/etc/rc.d/ip6fw b/etc/rc.d/ip6fw
index 36aa295..6688cbd 100644
--- a/etc/rc.d/ip6fw
+++ b/etc/rc.d/ip6fw
@@ -20,7 +20,7 @@ ip6fw_prestart()
 {
 # Load IPv6 firewall module, if not already loaded
 if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then
- kldload ip6fw && {
+ kldload ipfw && {
 debug 'Kernel IPv6 firewall module loaded.'
 return 0
 }
@@ -41,7 +41,7 @@ ip6fw_start()
 if [ -r "${ipv6_firewall_script}" ]; then
 . "${ipv6_firewall_script}"
 echo 'IPv6 Firewall rules loaded.'
- elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
+ elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then
 warn 'IPv6 firewall rules have not been loaded. Default' \
 ' to DENY all access.'
 fi
@@ -50,7 +50,7 @@ ip6fw_start()
 #
 if checkyesno ipv6_firewall_logging; then
 echo 'IPv6 Firewall logging=YES'
- sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
+ sysctl net.inet.ip.fw.verbose=1 >/dev/null
 fi
 # Enable the firewall
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index c14a09a..d9e7601 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
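Review bot: The new `ipfw show 65535` comparison in the elif can no longer match its literal, because `show` is the `-a list` form and prints the packet and byte counters in front of the rule text, so the "Default to DENY all access" warning is silently lost whenever the default rule is deny. The old `ip6fw l 65535` was a plain listing; the ipfw2 equivalent is ``elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then``. ip6fw_start continues outside the hunk.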
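Review bot: `net.inet.ip.fw.verbose` is the knob of the whole ipfw2 ruleset, so `ipv6_firewall_logging=YES` now also turns on logging for the IPv4 rules, and nothing in this script says so; a comment above the sysctl, `# ipfw2 is dual-stack: this verbose knob is shared with the IPv4 ruleset`, would keep the next reader from "fixing" it back to net.inet6. Whether the IPv4 rc.d script sets the same knob, and which one wins when the two rc.conf settings disagree, is not visible here and is worth checking. ip6fw_start continues outside the hunk.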
@@ -54,17 +54,17 @@ setup_local () {
 ############
 # Only in rare cases do you want to change these rules
 #
- ${fw6cmd} add 100 pass all from any to any via lo0
- ${fw6cmd} add 200 deny all from any to ::1
- ${fw6cmd} add 300 deny all from ::1 to any
+ ${fw6cmd} add 100 pass ip6 from any to any via lo0
+ ${fw6cmd} add 200 deny ip6 from any to ::1
+ ${fw6cmd} add 300 deny ip6 from ::1 to any
 #
 # ND
 #
 # DAD
- ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+ ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
 # RS, RA, NS, NA, redirect...
- ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
- ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+ ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+ ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
 }
 if [ -n "${1}" ]; then
@@ -76,10 +76,10 @@ fi
 #
 case ${ipv6_firewall_quiet} in
 [Yy][Ee][Ss])
- fw6cmd="/sbin/ip6fw -q"
+ fw6cmd="/sbin/ipfw -q"
 ;;
 *)
- fw6cmd="/sbin/ip6fw"
+ fw6cmd="/sbin/ipfw"
 ;;
 esac
@@ -102,7 +102,7 @@ ${fw6cmd} -f flush
 case ${ipv6_firewall_type} in
 [Oo][Pp][Ee][Nn])
 setup_local
- ${fw6cmd} add 65000 pass all from any to any
+ ${fw6cmd} add 65000 pass ip6 from any to any
 ;;
 [Cc][Ll][Ii][Ee][Nn][Tt])
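Review bot: Pointing fw6cmd at /sbin/ipfw means the `${fw6cmd} -f flush` that appears as context in the following hunk header now clears the single dual-stack ruleset, so any IPv4 rules already loaded by the IPv4 firewall script are wiped every time this script runs, and the change does not account for that. At minimum a comment at the flush, `# ipfw2 is dual-stack: this flush also removes any IPv4 rules`, documents the hazard; the cleaner fix is either one script that loads both rule sets or removing only this script's own rules, which depends on the rule numbering and the rc.d ordering that lie outside this hunk. The case statement setting fw6cmd is fully inside the hunk, but the flush itself is not.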
@@ -122,41 +122,42 @@ case ${ipv6_firewall_type} in
 setup_local
 # Allow any traffic to or from my own net.
- ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
- ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
+ ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen}
+ ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip}
 # Allow any link-local multicast traffic
- ${fw6cmd} add pass all from fe80::/10 to ff02::/16
- ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
+ ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16
+ ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16
 # Allow TCP through if setup succeeded
- ${fw6cmd} add pass tcp from any to any established
+ ${fw6cmd} add pass ip6 from any to any established proto tcp
 # Allow IP fragments to pass through
- ${fw6cmd} add pass all from any to any frag
+ ${fw6cmd} add pass ip6 from any to any frag
 # Allow setup of incoming email
- ${fw6cmd} add pass tcp from any to ${ip} 25 setup
+ ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp
 # Allow setup of outgoing TCP connections only
- ${fw6cmd} add pass tcp from ${ip} to any setup
+ ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp
 # Disallow setup of all other TCP connections
- ${fw6cmd} add deny tcp from any to any setup
+ ${fw6cmd} add deny ip6 from any to any setup proto tcp
 # Allow DNS queries out in the world
- ${fw6cmd} add pass udp from any 53 to ${ip}
- ${fw6cmd} add pass udp from ${ip} to any 53
+ ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp
+ ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp
 # Allow NTP queries out in the world
- ${fw6cmd} add pass udp from any 123 to ${ip}
- ${fw6cmd} add pass udp from ${ip} to any 123
+ ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp
+ ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp
 # Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+ ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
 # Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
+ ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
+ proto ipv6-icmp
 # Everything else is denied by default, unless the
 # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -185,94 +186,96 @@ case ${ipv6_firewall_type} in
 setup_local
 # Stop spoofing
- ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
- ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
+ ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif}
+ ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif}
 # Stop unique local unicast address on the outside interface
- ${fw6cmd} add deny all from fc00::/7 to any via ${oif}
- ${fw6cmd} add deny all from any to fc00::/7 via ${oif}
+ ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif}
 # Stop site-local on the outside interface
- ${fw6cmd} add deny all from fec0::/10 to any via ${oif}
- ${fw6cmd} add deny all from any to fec0::/10 via ${oif}
+ ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif}
 # Disallow "internal" addresses to appear on the wire.
- ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}
+ ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif}
 # Disallow packets to malicious IPv4 compatible prefix.
- ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
- ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
- ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
- ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
- ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
- ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}
-
- ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
- ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}
+ ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif}
+ ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif}
+ ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif}
+ ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif}
+
+ ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif}
 # Disallow packets to malicious 6to4 prefix.
- ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
- ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}
-
- ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
- ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
- ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
- ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}
-
- ${fw6cmd} add deny all from ff05::/16 to any via ${oif}
- ${fw6cmd} add deny all from any to ff05::/16 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif}
+
+ ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif}
+ ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif}
+
+ ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif}
+ ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif}
 # Allow TCP through if setup succeeded
 ${fw6cmd} add pass tcp from any to any established
 # Allow IP fragments to pass through
- ${fw6cmd} add pass all from any to any frag
+ ${fw6cmd} add pass ip6 from any to any frag
 # Allow setup of incoming email
- ${fw6cmd} add pass tcp from any to ${oip} 25 setup
+ ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp
 # Allow access to our DNS
- ${fw6cmd} add pass tcp from any to ${oip} 53 setup
- ${fw6cmd} add pass udp from any to ${oip} 53
- ${fw6cmd} add pass udp from ${oip} 53 to any
+ ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp
+ ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp
+ ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp
 # Allow access to our WWW
- ${fw6cmd} add pass tcp from any to ${oip} 80 setup
+ ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp
 # Reject&Log all setup of incoming connections from the outside
- ${fw6cmd} add deny log tcp from any to any in via ${oif} setup
+ ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \
+ proto tcp
 # Allow setup of any other TCP connection
- ${fw6cmd} add pass tcp from any to any setup
+ ${fw6cmd} add pass ip6 from any to any setup proto tcp
 # Allow DNS queries out in the world
- ${fw6cmd} add pass udp from any 53 to ${oip}
- ${fw6cmd} add pass udp from ${oip} to any 53
+ ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp
+ ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp
 # Allow NTP queries out in the world
- ${fw6cmd} add pass udp from any 123 to ${oip}
- ${fw6cmd} add pass udp from ${oip} to any 123
+ ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp
+ ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp
 # Allow RIPng
- #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
- #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
+ #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp
+ #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp
 # Allow ICMPv6 destination unreach
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+ ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
 # Allow NS/NA/toobig (don't filter it out)
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
+ ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \
+ proto ipv6-icmp
 # Everything else is denied by default, unless the
 # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -281,7 +284,7 @@ case ${ipv6_firewall_type} in
 [Cc][Ll][Oo][Ss][Ee][Dd])
 # Only enable the loopback interface
- ${fw6cmd} add 100 pass all from any to any via lo0
+ ${fw6cmd} add 100 pass ip6 from any to any via lo0
 ;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 ;;
|
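Review bot: The `${fw6cmd} add pass tcp from any to any established` rule under `# Allow TCP through if setup succeeded` is the one rule in this section still in the ip6fw form (it is an unchanged context line), while the client section in the earlier hunk converts the same rule to the `ip6 … proto tcp` form. With a dual-stack ipfw that rule carries no `ip6` restriction, so as far as I can tell it also passes IPv4 established TCP in the now-shared ruleset, which a rule installed by rc.firewall6 should not do; it should read `${fw6cmd} add pass ip6 from any to any established proto tcp`. The simple arm of the outer `case ${ipv6_firewall_type}` starts and ends outside the hunk.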