Bug 32108 - Proposed Firewall (IPv4) configuration script
Summary: Proposed Firewall (IPv4) configuration script
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: 4.4-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2001-11-19 18:10 UTC by Seva Gluschenko
Modified: 2018-05-20 23:54 UTC (History)
0 users

See Also:


Attachments

Description Seva Gluschenko 2001-11-19 18:10:01 UTC
	Well, I'm proud to present a collective effort of the RiNet NOC
	staff: the existing /etc/rc.firewall script seems slightly
	outdated and does not fit the modern idea of a flexible and
	easily configurable tool. We therefore developed our own script,
	rc.fw, which does some autoconfiguration itself and reads its own
	configuration file, /etc/rc.fw.conf by default.

Fix: 

The script itself follows:

#!/bin/sh
#
# RiNet NOC firewall configuration script. Authors:
# Dmitry Morozovsky (DM268-RIPE),
# Seva Gluschenko (GVS-RIPE),
# Oleg Bulyzhin (OBUL-RIPE)

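# Autoconf start
#
# Read rc.conf first: the interface-variable style selected below
# (firewall_ifnames) and the rule-file location used further down come
# from there.  Sourcing it after the autoconfiguration, as the first
# version of this script did, left firewall_ifnames unset whenever the
# script is executed on its own (e.g. to reload rules "on the fly"),
# so the by-name variables were never generated.  source_rc_confs is
# expected to be provided by /etc/defaults/rc.conf; fall back to a plain
# /etc/rc.conf when the defaults file is absent.  Values discovered below
# override anything of the same name set in rc.conf.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# Interface discovery.  ifconfig(8) prints each interface as an
# unindented header line ("rl0: flags=... mtu 1500") followed by
# indented address lines ("\tinet A.B.C.D netmask 0x... ...").  The awk
# programs below turn that into shell assignments that are eval'ed:
#
#   firewall_ifnames=YES:  if0=rl0  if_rl0_0=<ip>  if_rl0_m0=<netmask>
#   otherwise:             if0=rl0  if0ip0=<ip>    if0nm0=<netmask>
#
# The trailing index counts the inet addresses of one interface in the
# order ifconfig lists them.  Loopback addresses (127/8) are skipped,
# but lo0 itself still consumes an interface number, so ${if0}/${if1}
# follow the kernel's attach order -- check "ifconfig -au inet" before
# relying on them in rc.fw.conf.
#
# Only unindented lines start a new interface; any other non-"inet"
# line ("media:", "status:", ...) is ignored instead of being mistaken
# for an interface header.
awk_if_by_name='BEGIN { if_no = -1 }
	/^[^ \t]/ {
		# new interface: "name: flags=..."
		split($1, a, /:/)
		printf "if%d=%s\n", ++if_no, a[1]
		ad = 0
		next
	}
	$2 ~ /^127/ { next }
	$1 == "inet" {
		printf "if_%s_%d=%s\n", a[1], ad, $2
		printf "if_%s_m%d=%s\n", a[1], ad++, $4
	}'

# Same, by interface index.  The netmask line uses if_no here; the first
# version formatted the interface *name* with %d, which yields 0, so
# every if<N>nm<M> was emitted as if0nm<M>.
awk_if_by_index='BEGIN { if_no = -1 }
	/^[^ \t]/ {
		split($1, a, /:/)
		printf "if%d=%s\n", ++if_no, a[1]
		ad = 0
		next
	}
	$2 ~ /^127/ { next }
	$1 == "inet" {
		printf "if%dip%d=%s\n", if_no, ad, $2
		printf "if%dnm%d=%s\n", if_no, ad++, $4
	}'

case ${firewall_ifnames} in
[Yy][Ee][Ss])
	AWKCMD=$awk_if_by_name
	;;
*)
	AWKCMD=$awk_if_by_index
	;;
esac

# The eval'ed text comes from the kernel (interface names, addresses),
# not from the network or a user, which is why eval is acceptable here.
eval "$(/sbin/ifconfig -au inet | awk "$AWKCMD")"

# Portrange guess: turn "net.inet.ip.portrange.first: 1024" into
# first=1024 and so on, so rc.fw.conf can refer to ${first}, ${last},
# ${hifirst}, ${hilast} (and any other portrange knob the kernel has).
eval "$(/sbin/sysctl net.inet.ip.portrange | cut -f 5 -d . | sed 's/: /=/')"

# Autoconf end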

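# Detect whether we need to load the kernel module: if "ipfw list" fails,
# ipfw(4) is neither compiled in nor loaded, so try the module.
# Esp. useful to deploy firewall rules "on the fly".
#
# Only the exit status of the probe matters, so its output is discarded.
#
# NOTE(review): loading ipfw.ko installs nothing but the default rule
# 65535; on a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT that
# blocks all traffic -- including the session running this script --
# until the rules below are added.  Also, if rc sources this file with
# "." rather than executing it, "exit" terminates the caller; confirm how
# firewall_script is invoked before relying on the exit here.
if ! /sbin/ipfw -q l >/dev/null 2>&1; then
	/sbin/kldload ipfw || {
		echo "Error: IP Firewall is not available" >&2
		exit 1
	}
fi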

############
# ipfw command prefix.  firewall_quiet=YES adds -q so that ipfw does not
# echo every rule it installs during startup.  fwcmd is word-split on
# purpose where it is used, so it must stay unquoted there.
#
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
esac

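# Rule file: firewall_config from rc.conf, /etc/rc.fw.conf by default.
# Every line of it is eval'ed by the shell before it reaches ipfw, so the
# file is effectively executable by root: keep it root-owned and not
# writable by anyone else.
CONF=${firewall_config:-/etc/rc.fw.conf}

# Check the resolved path, not ${firewall_config}: with the variable unset
# the first version tested "[ -r '' ]", so the default file never worked.
[ -r "${CONF}" ] || {
	echo "Error: ${CONF} does not exist or is not readable" >&2
	exit 1
}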

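# Turn on rule logging when any rule uses the "log" keyword.  This is a
# word match over the whole file, so a comment containing "log" enables
# it as well -- harmless but noisy.  How many logged packets actually
# reach syslog is governed by net.inet.ip.fw.verbose_limit (see ipfw(8)),
# which this script does not touch.
grep -q -w log "${CONF}" && \
	/sbin/sysctl net.inet.ip.fw.verbose=1

# Start from an empty rule set (-f: do not ask for confirmation).
# Between this flush and the first "pass" rule installed below only the
# default rule 65535 is active; on a default-deny kernel that momentarily
# drops all traffic, so do not run this over a connection you cannot
# afford to lose without an out-of-band fallback.
${fwcmd} -f flush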

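############
# load_rules FILE
#
# Feed the rule file to ipfw one line at a time.  read(1) drops leading
# and trailing blanks; empty lines and lines starting with "#" are
# skipped.  The first character selects the ipfw sub-command:
#   :NNN config ...   ->  ipfw queue NNN config ...
#   |NNN config ...   ->  ipfw pipe NNN config ...
#   anything else     ->  ipfw add <line>
# Every line goes through eval so that ${var} references expand (rc.conf
# variables and the if*/port-range values discovered above).  That also
# means $(...), backquotes and double quotes in the file are executed as
# root: the rule file must be as trusted and as protected as rc.conf.
# A line eval cannot parse (e.g. an unbalanced quote) is reported and
# skipped in bash; some shells abort the whole script on an eval syntax
# error instead.
#
# Globals:  fwcmd (read) - ipfw command prefix, word-split on purpose
# Returns:  0 when every ipfw invocation succeeded, 1 otherwise.  Failing
#           lines are reported on stderr with their line number and
#           loading continues, so one typo no longer silently drops the
#           rules after it -- but the caller must know the set is
#           incomplete, which the first version never reported.
############
load_rules() {
	rules=$1
	lineno=0
	failed=0

	[ -r "${rules}" ] || {
		echo "Error: ${rules} does not exist or is not readable" >&2
		return 1
	}

	# Globbing off: the expanded rule text is word-split into ipfw
	# arguments, and a "*" in a rule must not pick up file names.
	set -f
	# No -r on purpose: a trailing backslash continues the rule on the
	# next line, as the original loop allowed as well.
	while read param
	do
		lineno=$((lineno + 1))
		case $param in
		"" | \#*)
			continue
			;;
		# :NNN config ...
		:*)	verb=queue
			rule=${param#?}
			;;
		# |NNN config ...
		\|*)	verb=pipe
			rule=${param#?}
			;;
		# [NNN] action proto ...
		*)	verb=add
			rule=$param
			;;
		esac
		eval "C=\"${rule}\"" || {
			echo "${rules}:${lineno}: cannot expand rule: ${rule}" >&2
			failed=$((failed + 1))
			continue
		}
		# $C intentionally unquoted: it is the ipfw argument list.
		${fwcmd} ${verb} $C || {
			echo "${rules}:${lineno}: ipfw ${verb} ${C} failed" >&2
			failed=$((failed + 1))
		}
	done < "${rules}"
	set +f

	[ "${failed}" -eq 0 ]
}

load_rules "${CONF}" ||
	echo "Warning: not all rules from ${CONF} were installed" >&2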

# Optionally reset every rule's packet/byte counters once the new rule
# set is in place (firewall_zero=YES).  Mainly useful for the default
# rule 65535, which the flush above leaves in place together with its
# accounting from before the reload.
case ${firewall_zero:-NO} in
[Yy][Ee][Ss])
	${fwcmd} zero
	;;
*)
	;;
esac

# --- END ---
How-To-Repeat: 	The general configuration script, /etc/rc.conf (and maybe
	/etc/defaults/rc.conf, once approved) should point to a new
	firewall invocation script, as follows:
----------
firewall_script="/etc/rc.fw"

The optional configuration variables used in this script are:

firewall_config="/etc/rc.fw.conf"	# path to the rule file
firewall_zero="YES"		# zero the rule counters after loading the rules
firewall_quiet="YES"		# pass the "-q" (quiet) switch to ipfw
firewall_ifnames="YES"		# name address variables by interface (if_rl0_0); NO - by index (if1ip0)
----------

	The sample /etc/rc.fw.conf may look like
----------
# Variables from rc.conf and hostnames from /etc/hosts are allowed.
# Every line is expanded by the shell (eval) before it is handed to ipfw,
# so keep this file root-owned and not writable by anyone else.
#

1000 pass all from any to any via lo0
1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

# sample traffic shaper, see dummynet(4) for details
# also, consider resetting net.inet.ip.fw.one_pass
|1 config bw 64Kbit/s queue 16Kbytes mask src-ip 0xffffffff
pipe 1 ip from 192.168.240.25 to any

# sample queue configuration (WF2Q+ algorithm), again dummynet(4)
:5 config pipe 1 weight 5
queue 5 tcp from any to any smtp
queue 5 tcp from any smtp to any

# use this line when firewall_ifnames is set to YES: interface names are
# written literally (the script defines no ${rl0} variable; only the
# address variables change, to ${if_rl0_0} / ${if_rl0_m0}), and ${if0},
# ${if1}, ... are defined in both modes
#2000 deny icmp echo-request from any to any in via rl0
# or this line otherwise
2000 deny icmp echo-request from any to any in via ${if1}
pass icmp from any to any

# Trust internal network
pass ip from any to any via ${if0}
# for firewall_ifnames=YES (interface name written literally; the script
# defines no ${de0} variable)
#pass ip from any to any via de0

# Allow setup of incoming SSH, SMTP, DNS, HTTP, auth
pass tcp from any to ${if1ip0} 22,25,53,80,113 setup
# for firewall_ifnames=YES
#pass tcp from any to ${if_rl0_0} 22,25,53,80,113 setup

# Trust NTP requests from our neighbourhood
pass udp from ${if1ip0}:${if1nm0} 1024-65535,ntp to any ntp
# for firewall_ifnames=YES
#pass udp from ${if_rl0_0}:${if_rl0_m0} 1024-65535,ntp to any ntp

# Grant access to the kernel's ephemeral port ranges (first-last and
# hifirst-hilast from net.inet.ip.portrange).  Note that these two rules
# pass TCP in both directions, including inbound connection attempts to
# anything listening on a high port; a production rule set should
# restrict them with "established" or by direction.
pass tcp from any to any ${first}-${last}
pass tcp from any to any ${hifirst}-${hilast}

# Sample configuration ends here
################################################################
---------

	NOTE! The firewall rules shown here are examples only and should not
	be used unchanged in a production environment.
Comment 1 Bruce M Simpson freebsd_committer freebsd_triage 2007-03-05 10:34:15 UTC
State Changed
From-To: open->suspended

Some of these features are already in but not all of them
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2018-05-20 23:54:08 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"