3 # Setup system for firewall service, with some sample configurations.
4 # Select one using ${firewall_type} which you can set in /etc/rc.conf.local.
6 # If you override this file with your own copy, you can use ${hostname}
7 # as the key for the case statement. On entry, the firewall will be flushed
8 # and $fwcmd will point to the appropriate command (usually /sbin/ipfw)
10 # Sample configurations are:
11 # open - will allow anyone in
12 # client - will try to protect just this machine (should be customized).
13 # simple - will try to protect a whole network (should be customized).
14 # closed - totally disables IP services except via lo0 interface
15 # UNKNOWN - disables the loading of firewall rules.
16 # filename - will load the rules in the given filename (full path required)
20 # Only in rare cases do you want to change these rules
21 $fwcmd add 1000 pass all from any to any via lo0
22 $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
26 case "${firewall_type}" in
28 $fwcmd add 65000 pass all from any to any
34 # This is a prototype setup that will protect your system somewhat against
35 # people from outside your own network.
38 # set these to your network and netmask and ip
43 # Allow any traffic to or from my own net.
44 $fwcmd add pass all from ${ip} to ${net}:${mask}
45 $fwcmd add pass all from ${net}:${mask} to ${ip}
47 # Allow TCP through if setup succeeded
48 $fwcmd add pass tcp from any to any established
50 # Allow setup of incoming email
51 $fwcmd add pass tcp from any to ${ip} 25 setup
53 # Allow setup of outgoing TCP connections only
54 $fwcmd add pass tcp from ${ip} to any setup
56 # Disallow setup of all other TCP connections
57 $fwcmd add deny tcp from any to any setup
59 # Allow DNS queries out in the world
60 $fwcmd add pass udp from any 53 to ${ip}
61 $fwcmd add pass udp from ${ip} to any 53
63 # Allow NTP queries out in the world
64 $fwcmd add pass udp from any 123 to ${ip}
65 $fwcmd add pass udp from ${ip} to any 123
67 # Everything else is denied as default.
68 $fwcmd add 65000 deny all from any to any
74 # This is a prototype setup for a simple firewall. Configure this machine
75 # as a named server and ntp server, and point all the machines on the inside
76 # at this machine for those services.
79 # set these to your outside interface network and netmask and ip
85 # set these to your inside interface network and netmask and ip
92 $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
93 $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
95 # Stop RFC1918 nets on the outside interface
96 $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
97 $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
98 $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
100 # Allow TCP through if setup succeeded
101 $fwcmd add pass tcp from any to any established
103 # Allow setup of incoming email
104 $fwcmd add pass tcp from any to ${oip} 25 setup
106 # Allow access to our DNS
107 $fwcmd add pass tcp from any to ${oip} 53 setup
109 # Allow access to our WWW
110 $fwcmd add pass tcp from any to ${oip} 80 setup
112 # Reject&Log all setup of incoming connections from the outside
113 $fwcmd add deny log tcp from any to any in via ${oif} setup
115 # Allow setup of any other TCP connection
116 $fwcmd add pass tcp from any to any setup
118 # Allow DNS queries out in the world
119 $fwcmd add pass udp from any 53 to ${oip}
120 $fwcmd add pass udp from ${oip} to any 53
122 # Allow NTP queries out in the world
123 $fwcmd add pass udp from any 123 to ${oip}
124 $fwcmd add pass udp from ${oip} to any 123
126 # Everything else is denied as default.
127 $fwcmd add 65000 deny all from any to any
131 echo "WARNING: firewall rules not loaded."
134 *) # an absolute pathname ?
135 if [ -f "${firewall_type}" ] ; then
136 $fwcmd ${firewall_type}
138 echo "WARNING: firewall config script (${firewall_type}) not found,"
139 echo " firewall rules not loaded."