diff options
author | Roy Marples <roy@marples.name> | 2008-03-02 21:13:21 +0000 |
---|---|---|
committer | Roy Marples <roy@marples.name> | 2008-03-02 21:13:21 +0000 |
commit | a12dbdc6c93a7d63591610378e3e570b7c7d2143 (patch) | |
tree | 22cd968f4bb32bedf82e091c9ffee798d247c51e /init.d.FreeBSD/ipfw.in | |
parent | 7c092fbc7904be18510eed08c72cbad974db8adc (diff) |
Don't check for root in prefix.
Diffstat (limited to 'init.d.FreeBSD/ipfw.in')
-rw-r--r-- | init.d.FreeBSD/ipfw.in | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/init.d.FreeBSD/ipfw.in b/init.d.FreeBSD/ipfw.in new file mode 100644 index 00000000..200b9cee --- /dev/null +++ b/init.d.FreeBSD/ipfw.in @@ -0,0 +1,149 @@ +#!/sbin/runscript +# Copyright 2007-2008 Roy Marples <roy@marples.name> +# All rights reserved. Released under the 2-clause BSD license. + +# This is based on /etc/rc.firewall and /etc/rc.firewall6 from FreeBSD + +ipfw_ip_in=${ipfw_ip_in-any} +ipfw_ports_in=${ipfw_ports_in-auth ssh} +ipfw_ports_nolog=${ipfw_ports_nolog-135-139,445 1026,1027 1433,1434} + +opts="panic showstatus" + +depend() { + before net + provide firewall + keyword nojail +} + +ipfw() { + /sbin/ipfw -f -q "$@" +} + +init() { + # Load the kernel module + if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>&1; then + if ! kldload ipfw; then + eend 1 "Unable to load firewall module" + return 1 + fi + fi + + # Now all rules and give a good base + ipfw flush + + ipfw add pass all from any to any via lo0 + ipfw add deny all from any to 127.0.0.0/8 + ipfw add deny ip from 127.0.0.0/8 to any + + ipfw add pass ip6 from any to any via lo0 + ipfw add deny ip6 from any to ::1 + ipfw add deny ip6 from ::1 to any + + ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp + ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp + ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp +} + +start() { + local i= p= log= + ebegin "Starting firewall rules" + if ! init; then + eend 1 "Failed to flush firewall ruleset" + return 1 + fi + + # Use a statefull firewall + ipfw add check-state + ipfw add pass tcp from me to any established + + # Allow any connection out, adding state for each. + ipfw add pass tcp from me to any setup keep-state + ipfw add pass udp from me to any keep-state + ipfw add pass icmp from me to any keep-state + + ipfw add pass tcp from me6 to any setup keep-state + ipfw add pass udp from me6 to any keep-state + ipfw add pass icmp from me6 to any keep-state + + # Allow DHCP. + ipfw add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out + ipfw add pass udp from any 67 to me 68 in + ipfw add pass udp from any 67 to 255.255.255.255 68 in + # Some servers will ping the IP while trying to decide if it's + # still in use. + ipfw add pass icmp from any to any icmptype 8 + + # Allow "mandatory" ICMP in. + ipfw add pass icmp from any to any icmptype 3,4,11 + + # Allow ICMPv6 destination unreach + ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp + + # Allow NS/NA/toobig (don't filter it out) + ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp + + # Add permits for this workstations published services below + # Only IPs and nets in firewall_allowservices is allowed in. + for i in ${ipfw_ip_in}; do + for p in ${ipfw_ports_in}; do + ipfw add pass tcp from ${i} to me ${p} + done + done + + # Allow all connections from trusted IPs. + # Playing with the content of firewall_trusted could seriously + # degrade the level of protection provided by the firewall. + for i in ${ipfw_ip_trust}; do + ipfw add pass ip from ${i} to me + done + + ipfw add 65000 count ip from any to any + + # Drop packets to ports where we don't want logging + for p in ${ipfw_ports_nolog}; do + ipfw add deny { tcp or udp } from any to any ${p} in + done + + # Broadcasts and muticasts + ipfw add deny ip from any to 255.255.255.255 + ipfw add deny ip from any to 224.0.0.0/24 + + # Noise from routers + ipfw add deny udp from any to any 520 in + + # Noise from webbrowsing. + # The statefull filter is a bit agressive, and will cause some + # connection teardowns to be logged. + ipfw add deny tcp from any 80,443 to any 1024-65535 in + + # Deny and (if wanted) log the rest unconditionally. + if yesno ${ipfw_log_deny:-no}; then + log="log" + sysctl net.inet.ip.fw.verbose=1 >/dev/null + fi + ipfw add deny ${log} ip from any to any + + eend 0 +} + +stop() { + ebegin "Stopping firewall rules" + # We don't unload the kernel module as that action + # can cause memory leaks as of FreeBSD 6.x + sysctl net.inet.ip.fw.enable=0 >/dev/null + eend $? +} + +panic() { + ebegin "Stopping firewall rules - hard" + if ! init; then + eend 1 "Failed to flush firewall ruleset" + return 1 + fi + eend 0 +} + +showstatus() { + ipfw show +} |