diff options
author | ume <ume@FreeBSD.org> | 2009-12-02 15:05:26 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2009-12-02 15:05:26 +0000 |
commit | ba7665678f35b37968e0734f1086fc8fe7143340 (patch) | |
tree | d274f4a3f20bd30ff98ae13a63f13accbcd8cba4 /etc | |
parent | b26098335ad13f28d7c5848b7616741f750e786e (diff) | |
download | FreeBSD-src-ba7665678f35b37968e0734f1086fc8fe7143340.zip FreeBSD-src-ba7665678f35b37968e0734f1086fc8fe7143340.tar.gz |
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.
Reviewed by: dougb, jhb
MFC after: 1 month
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Makefile | 2 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 24 | ||||
-rwxr-xr-x | etc/rc.d/Makefile | 2 | ||||
-rwxr-xr-x | etc/rc.d/ip6fw | 48 | ||||
-rwxr-xr-x | etc/rc.d/ipfw | 13 | ||||
-rw-r--r-- | etc/rc.firewall | 156 | ||||
-rw-r--r-- | etc/rc.firewall6 | 295 |
7 files changed, 175 insertions, 365 deletions
diff --git a/etc/Makefile b/etc/Makefile index 88f0bfb..42221a8 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -15,7 +15,7 @@ BIN1= auth.conf \ inetd.conf libalias.conf login.access login.conf mac.conf motd \ netconfig network.subr networks newsyslog.conf nsswitch.conf \ phones profile protocols \ - rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \ + rc rc.bsdextended rc.firewall rc.initdiskless \ rc.sendmail rc.shutdown \ rc.subr remote rpc services shells \ sysctl.conf syslog.conf diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index c094303..19a9a39 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -118,7 +118,10 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file -firewall_client_net="192.0.2.0/24" # Network address for "client" firewall. +firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client" + # firewall. +#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for + # "client" firewall. firewall_simple_iif="ed1" # Inside network interface for "simple" # firewall. firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple" @@ -127,12 +130,22 @@ firewall_simple_oif="ed0" # Outside network interface for "simple" # firewall. firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple" # firewall. +#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple" + # firewall. +#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix + # for "simple" firewall. +#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple" + # firewall. +#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix + # for "simple" firewall. firewall_myservices="" # List of TCP ports on which this host # offers services for "workstation" firewall. firewall_allowservices="" # List of IPs which have access to # $firewall_myservices for "workstation" # firewall. -firewall_trusted="" # List of IPs which have full access to this +firewall_trusted="" # List of IPv4s which have full access to this + # host for "workstation" firewall. +firewall_trusted_ipv6="" # List of IPv6s which have full access to this # host for "workstation" firewall. firewall_logdeny="NO" # Set to YES to log default denied incoming # packets for "workstation" firewall. @@ -472,13 +485,6 @@ ipv6_faith_prefix="NO" # Set faith prefix to enable a FAITH # faithd(8) setup. ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr # communication. (like ::ffff:a.b.c.d) -ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall - # functionality -ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall -ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) -ipv6_firewall_quiet="NO" # Set to YES to suppress rule display -ipv6_firewall_logging="NO" # Set to YES to enable events logging -ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter, # see /usr/src/contrib/ipfilter/rules # for examples diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile index fbfac8a..7f72303 100755 --- a/etc/rc.d/Makefile +++ b/etc/rc.d/Makefile @@ -15,7 +15,7 @@ FILES= DAEMON FILESYSTEMS LOGIN NETWORKING SERVERS \ hcsecd \ hostapd hostid hostid_save hostname \ inetd initrandom \ - ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \ + ip6addrctl ipfilter ipfs ipfw ipmon \ ipnat ipsec ipxrouted \ jail \ kadmind kerberos keyserv kldxref kpasswdd \ diff --git a/etc/rc.d/ip6fw b/etc/rc.d/ip6fw deleted file mode 100755 index ca95d36..0000000 --- a/etc/rc.d/ip6fw +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# PROVIDE: ip6fw -# REQUIRE: routing -# KEYWORD: nojail - -. /etc/rc.subr - -name="ip6fw" -rcvar=`set_rcvar ipv6_firewall` -start_cmd="ip6fw_start" -stop_cmd="${SYSCTL_W} net.inet6.ip6.fw.enable=0" -required_modules="ipfw" - -ip6fw_start() -{ - # Specify default rules file if none provided - if [ -z "${ipv6_firewall_script}" ]; then - ipv6_firewall_script=/etc/rc.firewall6 - fi - - # Load rules - # - if [ -r "${ipv6_firewall_script}" ]; then - /bin/sh "${ipv6_firewall_script}" - echo 'IPv6 Firewall rules loaded.' - elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then - warn 'IPv6 firewall rules have not been loaded. Default' \ - ' to DENY all access.' - fi - - # Enable firewall logging - # - if checkyesno ipv6_firewall_logging; then - echo 'IPv6 Firewall logging=YES' - sysctl net.inet.ip.fw.verbose=1 >/dev/null - fi - - # Enable the firewall - # - ${SYSCTL_W} net.inet6.ip6.fw.enable=1 -} - -load_rc_config $name -run_rc_command "$1" diff --git a/etc/rc.d/ipfw b/etc/rc.d/ipfw index 872f278..dd7ab55 100755 --- a/etc/rc.d/ipfw +++ b/etc/rc.d/ipfw @@ -17,6 +17,8 @@ start_precmd="ipfw_prestart" stop_cmd="ipfw_stop" required_modules="ipfw" +set_rcvar_obsolete ipv6_firewall_enable + ipfw_prestart() { if checkyesno dummynet_enable; then @@ -61,7 +63,13 @@ ipfw_start() # Enable the firewall # if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then - warn "failed to enable firewall" + warn "failed to enable IPv4 firewall" + fi + if afexists inet6; then + if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1 + then + warn "failed to enable IPv6 firewall" + fi fi } @@ -70,6 +78,9 @@ ipfw_stop() # Disable the firewall # ${SYSCTL_W} net.inet.ip.fw.enable=0 + if afexists inet6; then + ${SYSCTL_W} net.inet6.ip6.fw.enable=0 + fi if [ -f /etc/rc.d/natd ] ; then /etc/rc.d/natd quietstop fi diff --git a/etc/rc.firewall b/etc/rc.firewall index bc700d1..1eddde2 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -85,12 +85,42 @@ setup_loopback () { ${fwcmd} add 100 pass all from any to any via lo0 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add 400 deny all from any to ::1 + ${fwcmd} add 500 deny all from ::1 to any + fi +} + +setup_ipv6_mandatory () { + [ $ipv6_available -eq 0 ] || return 0 + + ############ + # Only in rare cases do you want to change these rules + # + # ND + # + # DAD + ${fwcmd} add pass ipv6-icmp from :: to ff02::/16 + # RS, RA, NS, NA, redirect... + ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 + ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + + # Allow ICMPv6 destination unreach + ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1 + + # Allow NS/NA/toobig (don't filter it out) + ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136 } if [ -n "${1}" ]; then firewall_type="${1}" fi +. /etc/rc.subr +. /etc/network.subr +afexists inet6 +ipv6_available=$? + ############ # Set quiet mode if requested # @@ -109,6 +139,7 @@ esac ${fwcmd} -f flush setup_loopback +setup_ipv6_mandatory ############ # Network Address Translation. All packets are passed to natd(8) @@ -166,11 +197,13 @@ case ${firewall_type} in # against people from outside your own network. # # Configuration: - # firewall_client_net: Network address of local network. + # firewall_client_net: Network address of local IPv4 network. + # firewall_client_net_ipv6: Network address of local IPv6 network. ############ # set this to your local network net="$firewall_client_net" + net6="$firewall_client_net_ipv6" # Allow limited broadcast traffic from my own net. ${fwcmd} add pass all from ${net} to 255.255.255.255 @@ -178,6 +211,16 @@ case ${firewall_type} in # Allow any traffic to or from my own net. ${fwcmd} add pass all from me to ${net} ${fwcmd} add pass all from ${net} to me + if [ -n "$net6" ]; then + ${fwcmd} add pass all from me6 to ${net6} + ${fwcmd} add pass all from ${net6} to me6 + fi + + if [ -n "$net6" ]; then + # Allow any link-local multicast traffic + ${fwcmd} add pass all from fe80::/10 to ff02::/16 + ${fwcmd} add pass all from ${net6} to ff02::/16 + fi # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -212,23 +255,38 @@ case ${firewall_type} in # on the inside at this machine for those services. # # Configuration: - # firewall_simple_iif: Inside network interface. - # firewall_simple_inet: Inside network address. - # firewall_simple_oif: Outside network interface. - # firewall_simple_onet: Outside network address. + # firewall_simple_iif: Inside IPv4 network interface. + # firewall_simple_inet: Inside IPv4 network address. + # firewall_simple_oif: Outside IPv4 network interface. + # firewall_simple_onet: Outside IPv4 network address. + # firewall_simple_iif_ipv6: Inside IPv6 network interface. + # firewall_simple_inet_ipv6: Inside IPv6 network prefix. + # firewall_simple_oif_ipv6: Outside IPv6 network interface. + # firewall_simple_onet_ipv6: Outside IPv6 network prefix. ############ # set these to your outside interface network oif="$firewall_simple_oif" onet="$firewall_simple_onet" + oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}" + onet6="$firewall_simple_onet_ipv6" # set these to your inside interface network iif="$firewall_simple_iif" inet="$firewall_simple_inet" + iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}" + inet6="$firewall_simple_inet_ipv6" # Stop spoofing ${fwcmd} add deny all from ${inet} to any in via ${oif} ${fwcmd} add deny all from ${onet} to any in via ${iif} + if [ -n "$inet6" ]; then + ${fwcmd} add deny all from ${inet6} to any in via ${oif6} + if [ -n "$onet6" ]; then + ${fwcmd} add deny all from ${onet6} to any in \ + via ${iif6} + fi + fi # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} @@ -254,7 +312,7 @@ case ${firewall_type} in case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add divert natd all from any to any via ${natd_interface} + ${fwcmd} add divert natd ip4 from any to any via ${natd_interface} fi ;; esac @@ -273,6 +331,55 @@ case ${firewall_type} in ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} + if [ -n "$inet6" ]; then + # Stop unique local unicast address on the outside interface + ${fwcmd} add deny all from fc00::/7 to any via ${oif6} + ${fwcmd} add deny all from any to fc00::/7 via ${oif6} + + # Stop site-local on the outside interface + ${fwcmd} add deny all from fec0::/10 to any via ${oif6} + ${fwcmd} add deny all from any to fec0::/10 via ${oif6} + + # Disallow "internal" addresses to appear on the wire. + ${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \ + via ${oif6} + ${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \ + via ${oif6} + + # Disallow packets to malicious IPv4 compatible prefix. + ${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6} + ${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6} + ${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6} + ${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6} + ${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6} + ${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6} + + ${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6} + ${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6} + + # Disallow packets to malicious 6to4 prefix. + ${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6} + ${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6} + ${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6} + ${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6} + + ${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6} + ${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6} + ${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6} + ${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6} + + ${fwcmd} add deny all from ff05::/16 to any via ${oif6} + ${fwcmd} add deny all from any to ff05::/16 via ${oif6} + fi + # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established @@ -291,7 +398,11 @@ case ${firewall_type} in ${fwcmd} add pass tcp from any to me 80 setup # Reject&Log all setup of incoming connections from the outside - ${fwcmd} add deny log tcp from any to any in via ${oif} setup + ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp + if [ -n "$inet6" ]; then + ${fwcmd} add deny log ip6 from any to any in via ${oif6} \ + setup proto tcp + fi # Allow setup of any other TCP connection ${fwcmd} add pass tcp from any to any setup @@ -313,7 +424,7 @@ case ${firewall_type} in # offers services. # firewall_allowservices: List of IPs which has access to # $firewall_myservices. - # firewall_trusted: List of IPs which has full access + # firewall_trusted: List of IPv4s which has full access # to this host. Be very carefull # when setting this. This option can # seriously degrade the level of @@ -324,25 +435,44 @@ case ${firewall_type} in # firewall_nologports: List of TCP/UDP ports for which # denied incomming packets are not # logged. - + # firewall_trusted_ipv6: List of IPv6s which has full access + # to this host. Be very carefull + # when setting this. This option can + # seriously degrade the level of + # protection provided by the firewall. + # Allow packets for which a state has been built. ${fwcmd} add check-state # For services permitted below. ${fwcmd} add pass tcp from me to any established + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from me6 to any established + fi # Allow any connection out, adding state for each. ${fwcmd} add pass tcp from me to any setup keep-state ${fwcmd} add pass udp from me to any keep-state ${fwcmd} add pass icmp from me to any keep-state + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from me6 to any setup keep-state + ${fwcmd} add pass udp from me6 to any keep-state + ${fwcmd} add pass ipv6-icmp from me6 to any keep-state + fi # Allow DHCP. ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out ${fwcmd} add pass udp from any 67 to me 68 in ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass udp from fe80::/10 to me6 546 in + fi # Some servers will ping the IP while trying to decide if it's # still in use. ${fwcmd} add pass icmp from any to any icmptype 8 + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129 + fi # Allow "mandatory" ICMP in. ${fwcmd} add pass icmp from any to any icmptype 3,4,11 @@ -361,6 +491,9 @@ case ${firewall_type} in for i in ${firewall_allowservices} ; do for j in ${firewall_myservices} ; do ${fwcmd} add pass tcp from $i to me $j + if [ $ipv6_available -eq 0 ]; then + ${fwcmd} add pass tcp from $i to me6 $j + fi done done @@ -370,7 +503,10 @@ case ${firewall_type} in for i in ${firewall_trusted} ; do ${fwcmd} add pass ip from $i to me done - + for i in ${firewall_trusted_ipv6} ; do + ${fwcmd} add pass all from $i to me6 + done + ${fwcmd} add 65000 count ip from any to any # Drop packets to ports where we don't want logging diff --git a/etc/rc.firewall6 b/etc/rc.firewall6 deleted file mode 100644 index 7498bbc68..0000000 --- a/etc/rc.firewall6 +++ /dev/null @@ -1,295 +0,0 @@ -#!/bin/sh - -############ -# Setup system for IPv6 firewall service. -# $FreeBSD$ - -# Suck in the configuration variables. -if [ -z "${source_rc_confs_defined}" ]; then - if [ -r /etc/defaults/rc.conf ]; then - . /etc/defaults/rc.conf - source_rc_confs - elif [ -r /etc/rc.conf ]; then - . /etc/rc.conf - fi -fi - -############ -# Define the firewall type in /etc/rc.conf. Valid values are: -# open - will allow anyone in -# client - will try to protect just this machine -# simple - will try to protect a whole network -# closed - totally disables IP services except via lo0 interface -# UNKNOWN - disables the loading of firewall rules. -# filename - will load the rules in the given filename (full path required) -# -# For ``client'' and ``simple'' the entries below should be customized -# appropriately. - -############ -# -# If you don't know enough about packet filtering, we suggest that you -# take time to read this book: -# -# Building Internet Firewalls, 2nd Edition -# Brent Chapman and Elizabeth Zwicky -# -# O'Reilly & Associates, Inc -# ISBN 1-56592-871-7 -# http://www.ora.com/ -# http://www.oreilly.com/catalog/fire2/ -# -# For a more advanced treatment of Internet Security read: -# -# Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition -# William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin -# -# Addison-Wesley / Prentice Hall -# ISBN 0-201-63466-X -# http://www.pearsonhighered.com/ -# http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html -# - -setup_local () { - ############ - # Only in rare cases do you want to change these rules - # - ${fw6cmd} add 100 pass ip6 from any to any via lo0 - ${fw6cmd} add 200 deny ip6 from any to ::1 - ${fw6cmd} add 300 deny ip6 from ::1 to any - # - # ND - # - # DAD - ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp - # RS, RA, NS, NA, redirect... - ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp - ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp -} - -if [ -n "${1}" ]; then - ipv6_firewall_type="${1}" -fi - -############ -# Set quiet mode if requested -# -case ${ipv6_firewall_quiet} in -[Yy][Ee][Ss]) - fw6cmd="/sbin/ipfw -q" - ;; -*) - fw6cmd="/sbin/ipfw" - ;; -esac - -############ -# Flush out the list before we begin. -# -${fw6cmd} -f flush - -############ -# If you just configured ipfw in the kernel as a tool to solve network -# problems or you just want to disallow some particular kinds of traffic -# then you will want to change the default policy to open. You can also -# do this as your only action by setting the ipv6_firewall_type to ``open''. -# -# ${fw6cmd} add 65000 pass all from any to any - - -# Prototype setups. -# -case ${ipv6_firewall_type} in -[Oo][Pp][Ee][Nn]) - setup_local - ${fw6cmd} add 65000 pass ip6 from any to any - ;; - -[Cc][Ll][Ii][Ee][Nn][Tt]) - ############ - # This is a prototype setup that will protect your system somewhat - # against people from outside your own network. - ############ - - # set these to your network and prefixlen and ip - # - # This needs more work - # - net="2001:db8:2:1::" - prefixlen="64" - ip="2001:db8:2:1::1" - - setup_local - - # Allow any traffic to or from my own net. - ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen} - ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip} - - # Allow any link-local multicast traffic - ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 - ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16 - - # Allow TCP through if setup succeeded - ${fw6cmd} add pass ip6 from any to any established proto tcp - - # Allow IP fragments to pass through - ${fw6cmd} add pass ip6 from any to any frag - - # Allow setup of incoming email - ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp - - # Allow setup of outgoing TCP connections only - ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp - - # Disallow setup of all other TCP connections - ${fw6cmd} add deny ip6 from any to any setup proto tcp - - # Allow DNS queries out in the world - ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp - ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp - - # Allow NTP queries out in the world - ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp - ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp - - # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp - - # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ - proto ipv6-icmp - - # Everything else is denied by default, unless the - # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel - # config file. - ;; - -[Ss][Ii][Mm][Pp][Ll][Ee]) - ############ - # This is a prototype setup for a simple firewall. Configure this - # machine as a DNS and NTP server, and point all the machines - # on the inside at this machine for those services. - ############ - - # set these to your outside interface network and prefixlen and ip - oif="ed0" - onet="2001:db8:2:1::" - oprefixlen="64" - oip="2001:db8:2:1::1" - - # set these to your inside interface network and prefixlen and ip - iif="ed1" - inet="2001:db8:2:2::" - iprefixlen="64" - iip="2001:db8:2:2::1" - - setup_local - - # Stop spoofing - ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif} - ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif} - - # Stop unique local unicast address on the outside interface - ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif} - ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif} - - # Stop site-local on the outside interface - ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif} - ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif} - - # Disallow "internal" addresses to appear on the wire. - ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif} - - # Disallow packets to malicious IPv4 compatible prefix. - ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif} - ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif} - ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif} - ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif} - - ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif} - - # Disallow packets to malicious 6to4 prefix. - ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif} - ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif} - - ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif} - ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif} - - ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif} - - # Allow TCP through if setup succeeded - ${fw6cmd} add pass tcp from any to any established - - # Allow IP fragments to pass through - ${fw6cmd} add pass ip6 from any to any frag - - # Allow setup of incoming email - ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp - - # Allow access to our DNS - ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp - ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp - ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp - - # Allow access to our WWW - ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp - - # Reject&Log all setup of incoming connections from the outside - ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \ - proto tcp - - # Allow setup of any other TCP connection - ${fw6cmd} add pass ip6 from any to any setup proto tcp - - # Allow DNS queries out in the world - ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp - ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp - - # Allow NTP queries out in the world - ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp - ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp - - # Allow RIPng - #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp - #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp - - # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp - - # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ - proto ipv6-icmp - - # Everything else is denied by default, unless the - # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel - # config file. - ;; - -[Cc][Ll][Oo][Ss][Ee][Dd]) - # Only enable the loopback interface - ${fw6cmd} add 100 pass ip6 from any to any via lo0 - ;; -[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) - ;; -*) - if [ -r "${ipv6_firewall_type}" ]; then - ${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type} - fi - ;; -esac |