2 # Setup system for firewall service.
5 # Suck in the configuration variables.
6 if [ -f /etc/defaults/rc.conf ]; then
7 . /etc/defaults/rc.conf
8 elif [ -f /etc/rc.conf ]; then
13 # Define the firewall type in /etc/rc.conf. Valid values are:
14 # open - will allow anyone in
15 # client - will try to protect just this machine
16 # simple - will try to protect a whole network
17 # closed - totally disables IP services except via lo0 interface
18 # UNKNOWN - disables the loading of firewall rules.
19 # filename - will load the rules in the given filename (full path required)
21 # For ``client'' and ``simple'' the entries below should be customized
26 # If you don't know enough about packet filtering, we suggest that you
27 # take time to read this book:
29 # Building Internet Firewalls
30 # Brent Chapman and Elizabeth Zwicky
32 # O'Reilly & Associates, Inc
36 # For a more advanced treatment of Internet Security read:
38 # Firewalls & Internet Security
39 # Repelling the wily hacker
40 # William R. Cheswick, Steven M. Bellowin
52 # Set quiet mode if requested
53 if [ "${firewall_quiet}" = "YES" ]; then
60 # Flush out the list before we begin.
64 # These rules are required for using natd. All packets are passed to
65 # natd before they encounter your remaining rules. The firewall rules
66 # will then be run again on each packet after translation by natd,
67 # minus any divert rules (see natd(8)).
68 if [ "${natd_enable}" = "YES" -a "${natd_interface}" != "X" ]; then
69 ${fwcmd} add divert natd all from any to any via ${natd_interface}
73 # If you just configured ipfw in the kernel as a tool to solve network
74 # problems or you just want to disallow some particular kinds of traffic
75 # they you will want to change the default policy to open. You can also
76 # do this as your only action by setting the firewall_type to ``open''.
78 # ${fwcmd} add 65000 pass all from any to any
81 # Only in rare cases do you want to change these rules
82 ${fwcmd} add 100 pass all from any to any via lo0
83 ${fwcmd} add 200 deny all from any to 127.0.0.0/8
87 if [ "${firewall_type}" = "open" -o "${firewall_type}" = "OPEN" ]; then
89 ${fwcmd} add 65000 pass all from any to any
91 elif [ "${firewall_type}" = "client" ]; then
94 # This is a prototype setup that will protect your system somewhat against
95 # people from outside your own network.
98 # set these to your network and netmask and ip
103 # Allow any traffic to or from my own net.
104 ${fwcmd} add pass all from ${ip} to ${net}:${mask}
105 ${fwcmd} add pass all from ${net}:${mask} to ${ip}
107 # Allow TCP through if setup succeeded
108 ${fwcmd} add pass tcp from any to any established
110 # Allow setup of incoming email
111 ${fwcmd} add pass tcp from any to ${ip} 25 setup
113 # Allow setup of outgoing TCP connections only
114 ${fwcmd} add pass tcp from ${ip} to any setup
116 # Disallow setup of all other TCP connections
117 ${fwcmd} add deny tcp from any to any setup
119 # Allow DNS queries out in the world
120 ${fwcmd} add pass udp from any 53 to ${ip}
121 ${fwcmd} add pass udp from ${ip} to any 53
123 # Allow NTP queries out in the world
124 ${fwcmd} add pass udp from any 123 to ${ip}
125 ${fwcmd} add pass udp from ${ip} to any 123
127 # Everything else is denied as default.
129 elif [ "${firewall_type}" = "simple" ]; then
132 # This is a prototype setup for a simple firewall. Configure this machine
133 # as a named server and ntp server, and point all the machines on the inside
134 # at this machine for those services.
137 # set these to your outside interface network and netmask and ip
140 omask="255.255.255.0"
143 # set these to your inside interface network and netmask and ip
146 imask="255.255.255.0"
150 ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
151 ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
153 # Stop RFC1918 nets on the outside interface
154 ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
155 ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
156 ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
157 ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
158 ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
159 ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
161 # Allow TCP through if setup succeeded
162 ${fwcmd} add pass tcp from any to any established
164 # Allow setup of incoming email
165 ${fwcmd} add pass tcp from any to ${oip} 25 setup
167 # Allow access to our DNS
168 ${fwcmd} add pass tcp from any to ${oip} 53 setup
170 # Allow access to our WWW
171 ${fwcmd} add pass tcp from any to ${oip} 80 setup
173 # Reject&Log all setup of incoming connections from the outside
174 ${fwcmd} add deny log tcp from any to any in via ${oif} setup
176 # Allow setup of any other TCP connection
177 ${fwcmd} add pass tcp from any to any setup
179 # Allow DNS queries out in the world
180 ${fwcmd} add pass udp from any 53 to ${oip}
181 ${fwcmd} add pass udp from ${oip} to any 53
183 # Allow NTP queries out in the world
184 ${fwcmd} add pass udp from any 123 to ${oip}
185 ${fwcmd} add pass udp from ${oip} to any 123
187 # Everything else is denied as default.
189 elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
190 ${fwcmd} ${firewall_type}