
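--- a/rc.firewall.new
+++ b/rc.firewall.new
@@ -66,6 +66,15 @@
 ${fwcmd} -f flush
 
 ############
+# If IPv6 firewall is used we need to a a pass rule for IPv6
+#
+case ${firewall_enable} in
+[Yy][Ee][Ss])
+	${fwcmd} add 25 allow ipv6 from any to any
+	;;
+esac
+
+############
 # These rules are required for using natd.  All packets are passed to
 # natd before they encounter your remaining rules.  The firewall rules
 # will then be run again on each packet after translation by natd,
@@ -74,7 +83,7 @@
 case ${natd_enable} in
 [Yy][Ee][Ss])
 	if [ -n "${natd_interface}" ]; then
-	      ${fwcmd} add divert natd all from any to any via ${natd_interface}
+	      ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
 	fi
 	;;
 esac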
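Review bot: The new pass rule (new lines 71–75) is guarded by `${firewall_enable}`, yet the comment above it says the rule is only needed when the IPv6 firewall is in use, and rc.firewall is presumably only sourced once firewall_enable is already YES — so `add 25 allow ipv6 from any to any` ends up inserted unconditionally, ahead of the natd divert at 50 and every other rule, even when `firewall6_enable` is NO. The guard should test the variable this same change introduces in defaults/rc.conf: `case ${firewall6_enable} in`. The comment also has a typo and should read `# If the IPv6 firewall is used we need to add a pass rule for IPv6`.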
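--- /dev/null
+++ b/rc.firewall6.new
@@ -0,0 +1,132 @@
+############
+# Setup system for firewall service.
+# $FreeBSD$
+
+# Suck in the configuration variables.
+if [ -r /etc/defaults/rc.conf ]; then
+	. /etc/defaults/rc.conf
+elif [ -r /etc/rc.conf ]; then
+	. /etc/rc.conf
+fi
+
+############
+# Define the firewall type in /etc/rc.conf.  Valid values are:
+#   open     - will allow anyone in
+#   client   - will try to protect just this machine
+#   simple   - will try to protect a whole network
+#   closed   - totally disables IP services except via lo0 interface
+#   UNKNOWN  - disables the loading of firewall rules.
+#   filename - will load the rules in the given filename (full path required)
+#
+# For ``client'' and ``simple'' the entries below should be customized
+# appropriately.
+
+############
+#
+# If you don't know enough about packet filtering, we suggest that you
+# take time to read this book:
+#
+#	Building Internet Firewalls
+#	Brent Chapman and Elizabeth Zwicky
+#
+#	O'Reilly & Associates, Inc
+#	ISBN 1-56592-124-0
+#	http://www.ora.com/
+#
+# For a more advanced treatment of Internet Security read:
+#
+#	Firewalls & Internet Security
+#	Repelling the wily hacker
+#	William R. Cheswick, Steven M. Bellowin
+#
+#	Addison-Wesley
+#	ISBN 0-201-6337-4
+#	http://www.awl.com/
+#
+
+if [ -n "${1}" ]; then
+	firewall6_type="${1}"
+fi
+
+############
+# Set quiet mode if requested
+#
+case ${firewall6_quiet} in
+[Yy][Ee][Ss])
+	fw6cmd="/sbin/ip6fw -q"
+	;;
+*)
+	fw6cmd="/sbin/ip6fw"
+	;;
+esac
+
+############
+# Flush out the list before we begin.
+#
+${fw6cmd} -f flush
+
+############
+# If you just configured ipfw in the kernel as a tool to solve network
+# problems or you just want to disallow some particular kinds of traffic
+# then you will want to change the default policy to open.  You can also
+# do this as your only action by setting the firewall6_type to ``open''.
+#
+# ${fw6cmd} add 65000 pass all from any to any
+
+############
+# Only in rare cases do you want to change these rules
+#
+${fw6cmd} add 100 pass all from any to any via lo0
+
+
+# Prototype setups.
+#
+case ${firewall6_type} in
+[Oo][Pp][Ee][Nn])
+	${fw6cmd} add 65000 pass all from any to any
+	;;
+
+[Cc][Ll][Ii][Ee][Nn][Tt])
+	############
+	# This is a prototype setup that will protect your system somewhat
+	# against people from outside your own network.
+	############
+
+	# set these to your network and netmask and ip
+	#
+	# This needs more work
+	#
+	;;
+
+[Ss][Ii][Mm][Pp][Ll][Ee])
+	############
+	# This is a prototype setup for a simple firewall.  Configure this
+	# machine as a named server and ntp server, and point all the machines
+	# on the inside at this machine for those services.
+	############
+
+	#
+	# ND
+	#
+	# DAD
+	${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
+	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+	# RS, RA, NS, NA, redirect...
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+	
+	${fw6cmd} add pass tcp from any to any established
+
+	# RIPng
+	${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
+
+	;;
+
+[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
+	;;
+*)
+	if [ -r "${firewall6_type}" ]; then
+		${fw6cmd} ${firewall6_flags} ${firewall6_type}
+	fi
+	;;
+esac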
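Review bot: The `*)` fallback at lines 127–131 loads whatever file `${firewall6_type}` names, and its `[ -r … ]` test accepts a relative path, so any type name no case arm handles — `closed` is listed as valid in the header but has no arm — is looked up relative to the current working directory instead of being rejected, and `firewall6_type` can also be overridden by the script's first positional parameter at line 47. The header already states "full path required" for the filename form, so the fallback should enforce that, and a `closed` arm should be added so it never reaches the fallback; the rewrite is below. Separately, the `simple` comment at lines 103–105 is copied from rc.firewall and describes a named/ntp server setup that this file adds no rules for — it should describe what is actually present, e.g. `# Pass the ICMPv6 needed for neighbour discovery, established TCP, and RIPng.`.
```sh
[Cc][Ll][Oo][Ss][Ee][Dd])
	;;
*)
	# Header says "full path required": only load an absolute path.
	case ${firewall6_type} in
	/*)
		if [ -r "${firewall6_type}" ]; then
			${fw6cmd} ${firewall6_flags} ${firewall6_type}
		fi
		;;
	*)
		echo "Warning: firewall6_type ${firewall6_type} is not an absolute path; not loaded."
		;;
	esac
	;;
esac
```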
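--- a/rc.network.new
+++ b/rc.network.new
@@ -228,6 +228,41 @@
 		;;
 	esac
 
+	case ${firewall6_enable} in
+	[Yy][Ee][Ss])
+		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
+			firewall_in_kernel=1
+			echo "Kernel firewall module loaded."
+		elif [ "${firewall_in_kernel}" -eq 0 ]; then
+			echo "Warning: firewall kernel module failed to load."
+		fi
+		;;
+	esac
+
+	# Load the filters if required
+	#
+	case ${firewall_in_kernel} in
+	1)
+		if [ -z "${firewall6_script}" ]; then
+			firewall6_script=/etc/rc.firewall6
+		fi
+
+		case ${firewall6_enable} in
+		[Yy][Ee][Ss])
+			if [ -r "${firewall6_script}" ]; then
+				. "${firewall6_script}"
+				echo -n 'Firewall rules loaded, starting divert daemons:'
+
+			elif [ "`ip6fw l 65535`" = "65535 deny ip from any to any" ]; then
+				echo -n "Warning: kernel has firewall functionality, "
+				echo "but firewall rules are not enabled."
+				echo "		 All ip services are disabled."
+			fi
+			;;
+		esac
+		;;
+	esac
+
 	# Additional ATM interface configuration
 	#
 	if [ -n "${atm_pass1_done}" ]; then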
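Review bot: The IPv6 block (new lines 231–264) keys everything on `${firewall_in_kernel}` and, when that is 0, runs `kldload ipfw` at line 233 — but that module and that flag belong to the IPv4 ipfw handled by the block before this hunk, so with `firewall6_enable=YES` and `firewall_enable=NO` the host gets the IPv4 firewall loaded with no rules at all, which given the default-deny policy the warning text at lines 256–259 describes would presumably cut off all IPv4 traffic, and it says nothing about whether the IPv6 firewall is actually present. The IPv6 path should probe its own facility rather than reuse the IPv4 flag, e.g. `if ip6fw l 65535 >/dev/null 2>&1; then` around the `. "${firewall6_script}"` step, or at least use a separate `firewall6_in_kernel` variable. The message at line 254, `'Firewall rules loaded, starting divert daemons:'`, is copied from the IPv4 block and is misleading here since nothing starts a divert daemon for IPv6; `echo 'IPv6 firewall rules loaded.'` would be accurate. The enclosing case arm begins before this hunk.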
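--- a/defaults/rc.conf.new
+++ b/defaults/rc.conf.new
@@ -48,6 +48,11 @@
 firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display
 firewall_flags=""		# Flags passed to ipfw when type is a file
+firewall6_enable="NO"		# Set to YES to enable firewall functionality
+firewall6_script="/etc/rc.firewall6" # Which script to run to set up the firewall
+firewall6_type="UNKNOWN"	# Firewall type (see /etc/rc.firewall)
+firewall6_quiet="NO"		# Set to YES to suppress rule display
+firewall6_flags=""		# Flags passed to ipfw when type is a file
 natd_program="/sbin/natd"	# path to natd, if you want a different one.
 natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0"           # Public interface or IPaddress to use.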
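Review bot: The comments on the new `firewall6_*` lines (new 51–55) are copied verbatim from their IPv4 counterparts and point users at the wrong places: `firewall6_type` should read `# IPv6 firewall type (see /etc/rc.firewall6)`, `firewall6_flags` should read `# Flags passed to ip6fw when type is a file` (rc.firewall6 invokes `/sbin/ip6fw`, not ipfw), and `firewall6_enable` should say `# Set to YES to enable IPv6 firewall functionality` so it is not confused with `firewall_enable` directly above.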
