aboutsummaryrefslogtreecommitdiff
path: root/init.d.FreeBSD/ipfw.in
diff options
context:
space:
mode:
authorRoy Marples <roy@marples.name>2008-03-02 21:13:21 +0000
committerRoy Marples <roy@marples.name>2008-03-02 21:13:21 +0000
commita12dbdc6c93a7d63591610378e3e570b7c7d2143 (patch)
tree22cd968f4bb32bedf82e091c9ffee798d247c51e /init.d.FreeBSD/ipfw.in
parent7c092fbc7904be18510eed08c72cbad974db8adc (diff)
Don't check for root in prefix.
Diffstat (limited to 'init.d.FreeBSD/ipfw.in')
-rw-r--r--init.d.FreeBSD/ipfw.in149
1 files changed, 149 insertions, 0 deletions
diff --git a/init.d.FreeBSD/ipfw.in b/init.d.FreeBSD/ipfw.in
new file mode 100644
index 00000000..200b9cee
--- /dev/null
+++ b/init.d.FreeBSD/ipfw.in
@@ -0,0 +1,149 @@
+#!/sbin/runscript
+# Copyright 2007-2008 Roy Marples <roy@marples.name>
+# All rights reserved. Released under the 2-clause BSD license.
+
+# This is based on /etc/rc.firewall and /etc/rc.firewall6 from FreeBSD
+
+ipfw_ip_in=${ipfw_ip_in-any}
+ipfw_ports_in=${ipfw_ports_in-auth ssh}
+ipfw_ports_nolog=${ipfw_ports_nolog-135-139,445 1026,1027 1433,1434}
+
+opts="panic showstatus"
+
+depend() {
+ before net
+ provide firewall
+ keyword nojail
+}
+
+ipfw() {
+ /sbin/ipfw -f -q "$@"
+}
+
+init() {
+ # Load the kernel module
+ if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
+ if ! kldload ipfw; then
+ eend 1 "Unable to load firewall module"
+ return 1
+ fi
+ fi
+
+ # Now all rules and give a good base
+ ipfw flush
+
+ ipfw add pass all from any to any via lo0
+ ipfw add deny all from any to 127.0.0.0/8
+ ipfw add deny ip from 127.0.0.0/8 to any
+
+ ipfw add pass ip6 from any to any via lo0
+ ipfw add deny ip6 from any to ::1
+ ipfw add deny ip6 from ::1 to any
+
+ ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp
+ ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+ ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
+}
+
+start() {
+ local i= p= log=
+ ebegin "Starting firewall rules"
+ if ! init; then
+ eend 1 "Failed to flush firewall ruleset"
+ return 1
+ fi
+
+ # Use a statefull firewall
+ ipfw add check-state
+ ipfw add pass tcp from me to any established
+
+ # Allow any connection out, adding state for each.
+ ipfw add pass tcp from me to any setup keep-state
+ ipfw add pass udp from me to any keep-state
+ ipfw add pass icmp from me to any keep-state
+
+ ipfw add pass tcp from me6 to any setup keep-state
+ ipfw add pass udp from me6 to any keep-state
+ ipfw add pass icmp from me6 to any keep-state
+
+ # Allow DHCP.
+ ipfw add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
+ ipfw add pass udp from any 67 to me 68 in
+ ipfw add pass udp from any 67 to 255.255.255.255 68 in
+ # Some servers will ping the IP while trying to decide if it's
+ # still in use.
+ ipfw add pass icmp from any to any icmptype 8
+
+ # Allow "mandatory" ICMP in.
+ ipfw add pass icmp from any to any icmptype 3,4,11
+
+ # Allow ICMPv6 destination unreach
+ ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp
+
+ # Add permits for this workstations published services below
+ # Only IPs and nets in firewall_allowservices is allowed in.
+ for i in ${ipfw_ip_in}; do
+ for p in ${ipfw_ports_in}; do
+ ipfw add pass tcp from ${i} to me ${p}
+ done
+ done
+
+ # Allow all connections from trusted IPs.
+ # Playing with the content of firewall_trusted could seriously
+ # degrade the level of protection provided by the firewall.
+ for i in ${ipfw_ip_trust}; do
+ ipfw add pass ip from ${i} to me
+ done
+
+ ipfw add 65000 count ip from any to any
+
+ # Drop packets to ports where we don't want logging
+ for p in ${ipfw_ports_nolog}; do
+ ipfw add deny { tcp or udp } from any to any ${p} in
+ done
+
+ # Broadcasts and muticasts
+ ipfw add deny ip from any to 255.255.255.255
+ ipfw add deny ip from any to 224.0.0.0/24
+
+ # Noise from routers
+ ipfw add deny udp from any to any 520 in
+
+ # Noise from webbrowsing.
+ # The statefull filter is a bit agressive, and will cause some
+ # connection teardowns to be logged.
+ ipfw add deny tcp from any 80,443 to any 1024-65535 in
+
+ # Deny and (if wanted) log the rest unconditionally.
+ if yesno ${ipfw_log_deny:-no}; then
+ log="log"
+ sysctl net.inet.ip.fw.verbose=1 >/dev/null
+ fi
+ ipfw add deny ${log} ip from any to any
+
+ eend 0
+}
+
+stop() {
+ ebegin "Stopping firewall rules"
+ # We don't unload the kernel module as that action
+ # can cause memory leaks as of FreeBSD 6.x
+ sysctl net.inet.ip.fw.enable=0 >/dev/null
+ eend $?
+}
+
+panic() {
+ ebegin "Stopping firewall rules - hard"
+ if ! init; then
+ eend 1 "Failed to flush firewall ruleset"
+ return 1
+ fi
+ eend 0
+}
+
+showstatus() {
+ ipfw show
+}