From ba7665678f35b37968e0734f1086fc8fe7143340 Mon Sep 17 00:00:00 2001 From: ume Date: Wed, 2 Dec 2009 15:05:26 +0000 Subject: Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6 and rc.d/ip6fw. Reviewed by: dougb, jhb MFC after: 1 month --- etc/rc.firewall6 | 295 ------------------------------------------------------- 1 file changed, 295 deletions(-) delete mode 100644 etc/rc.firewall6 (limited to 'etc/rc.firewall6') diff --git a/etc/rc.firewall6 b/etc/rc.firewall6 deleted file mode 100644 index 7498bbc68..0000000 --- a/etc/rc.firewall6 +++ /dev/null @@ -1,295 +0,0 @@ -#!/bin/sh - -############ -# Setup system for IPv6 firewall service. -# $FreeBSD$ - -# Suck in the configuration variables. -if [ -z "${source_rc_confs_defined}" ]; then - if [ -r /etc/defaults/rc.conf ]; then - . /etc/defaults/rc.conf - source_rc_confs - elif [ -r /etc/rc.conf ]; then - . /etc/rc.conf - fi -fi - -############ -# Define the firewall type in /etc/rc.conf. Valid values are: -# open - will allow anyone in -# client - will try to protect just this machine -# simple - will try to protect a whole network -# closed - totally disables IP services except via lo0 interface -# UNKNOWN - disables the loading of firewall rules. -# filename - will load the rules in the given filename (full path required) -# -# For ``client'' and ``simple'' the entries below should be customized -# appropriately. - -############ -# -# If you don't know enough about packet filtering, we suggest that you -# take time to read this book: -# -# Building Internet Firewalls, 2nd Edition -# Brent Chapman and Elizabeth Zwicky -# -# O'Reilly & Associates, Inc -# ISBN 1-56592-871-7 -# http://www.ora.com/ -# http://www.oreilly.com/catalog/fire2/ -# -# For a more advanced treatment of Internet Security read: -# -# Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition -# William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin -# -# Addison-Wesley / Prentice Hall -# ISBN 0-201-63466-X -# http://www.pearsonhighered.com/ -# http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html -# - -setup_local () { - ############ - # Only in rare cases do you want to change these rules - # - ${fw6cmd} add 100 pass ip6 from any to any via lo0 - ${fw6cmd} add 200 deny ip6 from any to ::1 - ${fw6cmd} add 300 deny ip6 from ::1 to any - # - # ND - # - # DAD - ${fw6cmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp - # RS, RA, NS, NA, redirect... - ${fw6cmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp - ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp -} - -if [ -n "${1}" ]; then - ipv6_firewall_type="${1}" -fi - -############ -# Set quiet mode if requested -# -case ${ipv6_firewall_quiet} in -[Yy][Ee][Ss]) - fw6cmd="/sbin/ipfw -q" - ;; -*) - fw6cmd="/sbin/ipfw" - ;; -esac - -############ -# Flush out the list before we begin. -# -${fw6cmd} -f flush - -############ -# If you just configured ipfw in the kernel as a tool to solve network -# problems or you just want to disallow some particular kinds of traffic -# then you will want to change the default policy to open. You can also -# do this as your only action by setting the ipv6_firewall_type to ``open''. -# -# ${fw6cmd} add 65000 pass all from any to any - - -# Prototype setups. -# -case ${ipv6_firewall_type} in -[Oo][Pp][Ee][Nn]) - setup_local - ${fw6cmd} add 65000 pass ip6 from any to any - ;; - -[Cc][Ll][Ii][Ee][Nn][Tt]) - ############ - # This is a prototype setup that will protect your system somewhat - # against people from outside your own network. - ############ - - # set these to your network and prefixlen and ip - # - # This needs more work - # - net="2001:db8:2:1::" - prefixlen="64" - ip="2001:db8:2:1::1" - - setup_local - - # Allow any traffic to or from my own net. - ${fw6cmd} add pass ip6 from ${ip} to ${net}/${prefixlen} - ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ${ip} - - # Allow any link-local multicast traffic - ${fw6cmd} add pass ip6 from fe80::/10 to ff02::/16 - ${fw6cmd} add pass ip6 from ${net}/${prefixlen} to ff02::/16 - - # Allow TCP through if setup succeeded - ${fw6cmd} add pass ip6 from any to any established proto tcp - - # Allow IP fragments to pass through - ${fw6cmd} add pass ip6 from any to any frag - - # Allow setup of incoming email - ${fw6cmd} add pass ip6 from any to ${ip} 25 setup proto tcp - - # Allow setup of outgoing TCP connections only - ${fw6cmd} add pass ip6 from ${ip} to any setup proto tcp - - # Disallow setup of all other TCP connections - ${fw6cmd} add deny ip6 from any to any setup proto tcp - - # Allow DNS queries out in the world - ${fw6cmd} add pass ip6 from any 53 to ${ip} proto udp - ${fw6cmd} add pass ip6 from ${ip} to any 53 proto udp - - # Allow NTP queries out in the world - ${fw6cmd} add pass ip6 from any 123 to ${ip} proto udp - ${fw6cmd} add pass ip6 from ${ip} to any 123 proto udp - - # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp - - # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ - proto ipv6-icmp - - # Everything else is denied by default, unless the - # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel - # config file. - ;; - -[Ss][Ii][Mm][Pp][Ll][Ee]) - ############ - # This is a prototype setup for a simple firewall. Configure this - # machine as a DNS and NTP server, and point all the machines - # on the inside at this machine for those services. - ############ - - # set these to your outside interface network and prefixlen and ip - oif="ed0" - onet="2001:db8:2:1::" - oprefixlen="64" - oip="2001:db8:2:1::1" - - # set these to your inside interface network and prefixlen and ip - iif="ed1" - inet="2001:db8:2:2::" - iprefixlen="64" - iip="2001:db8:2:2::1" - - setup_local - - # Stop spoofing - ${fw6cmd} add deny ip6 from ${inet}/${iprefixlen} to any in via ${oif} - ${fw6cmd} add deny ip6 from ${onet}/${oprefixlen} to any in via ${iif} - - # Stop unique local unicast address on the outside interface - ${fw6cmd} add deny ip6 from fc00::/7 to any via ${oif} - ${fw6cmd} add deny ip6 from any to fc00::/7 via ${oif} - - # Stop site-local on the outside interface - ${fw6cmd} add deny ip6 from fec0::/10 to any via ${oif} - ${fw6cmd} add deny ip6 from any to fec0::/10 via ${oif} - - # Disallow "internal" addresses to appear on the wire. - ${fw6cmd} add deny ip6 from ::ffff:0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::ffff:0.0.0.0/96 via ${oif} - - # Disallow packets to malicious IPv4 compatible prefix. - ${fw6cmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif} - ${fw6cmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif} - ${fw6cmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif} - ${fw6cmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif} - - ${fw6cmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif} - - # Disallow packets to malicious 6to4 prefix. - ${fw6cmd} add deny ip6 from 2002:e000::/20 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:e000::/20 via ${oif} - ${fw6cmd} add deny ip6 from 2002:7f00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:7f00::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:0000::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:0000::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:ff00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:ff00::/24 via ${oif} - - ${fw6cmd} add deny ip6 from 2002:0a00::/24 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:0a00::/24 via ${oif} - ${fw6cmd} add deny ip6 from 2002:ac10::/28 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:ac10::/28 via ${oif} - ${fw6cmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif} - ${fw6cmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif} - - ${fw6cmd} add deny ip6 from ff05::/16 to any via ${oif} - ${fw6cmd} add deny ip6 from any to ff05::/16 via ${oif} - - # Allow TCP through if setup succeeded - ${fw6cmd} add pass tcp from any to any established - - # Allow IP fragments to pass through - ${fw6cmd} add pass ip6 from any to any frag - - # Allow setup of incoming email - ${fw6cmd} add pass ip6 from any to ${oip} 25 setup proto tcp - - # Allow access to our DNS - ${fw6cmd} add pass ip6 from any to ${oip} 53 setup proto tcp - ${fw6cmd} add pass ip6 from any to ${oip} 53 proto udp - ${fw6cmd} add pass ip6 from ${oip} 53 to any proto udp - - # Allow access to our WWW - ${fw6cmd} add pass ip6 from any to ${oip} 80 setup proto tcp - - # Reject&Log all setup of incoming connections from the outside - ${fw6cmd} add deny log ip6 from any to any in via ${oif} setup \ - proto tcp - - # Allow setup of any other TCP connection - ${fw6cmd} add pass ip6 from any to any setup proto tcp - - # Allow DNS queries out in the world - ${fw6cmd} add pass ip6 from any 53 to ${oip} proto udp - ${fw6cmd} add pass ip6 from ${oip} to any 53 proto udp - - # Allow NTP queries out in the world - ${fw6cmd} add pass ip6 from any 123 to ${oip} proto udp - ${fw6cmd} add pass ip6 from ${oip} to any 123 proto udp - - # Allow RIPng - #${fw6cmd} add pass ip6 from fe80::/10 521 to ff02::9 521 proto udp - #${fw6cmd} add pass ip6 from fe80::/10 521 to fe80::/10 521 proto udp - - # Allow ICMPv6 destination unreach - ${fw6cmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp - - # Allow NS/NA/toobig (don't filter it out) - ${fw6cmd} add pass ip6 from any to any icmp6types 2,135,136 \ - proto ipv6-icmp - - # Everything else is denied by default, unless the - # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel - # config file. - ;; - -[Cc][Ll][Oo][Ss][Ee][Dd]) - # Only enable the loopback interface - ${fw6cmd} add 100 pass ip6 from any to any via lo0 - ;; -[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) - ;; -*) - if [ -r "${ipv6_firewall_type}" ]; then - ${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type} - fi - ;; -esac -- cgit v1.1