Use .Dv and start sentences on a new line.
[dragonfly.git] / etc / rc.firewall
blob226a8400ab649aa59a14626b5380126a2b395146
1 #!/bin/sh
3 # Copyright (c) 2004 The DragonFly Project. All rights reserved.
4 #
5 # This code is derived from software contributed to The DragonFly Project
6 # by Andreas Hauser <andy-dragonfly@splashground.de>
7 #
8 # Redistribution and use in source and binary forms, with or without
9 # modification, are permitted provided that the following conditions
10 # are met:
12 # 1. Redistributions of source code must retain the above copyright
13 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in
16 # the documentation and/or other materials provided with the
17 # distribution.
18 # 3. Neither the name of The DragonFly Project nor the names of its
19 # contributors may be used to endorse or promote products derived
20 # from this software without specific, prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
25 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
26 # COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27 # INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
28 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
30 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
31 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
32 # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 # SUCH DAMAGE.
35 # $DragonFly: src/etc/rc.firewall,v 1.6 2007/06/02 09:16:49 swildner Exp $
37 # A simple packetfilter configurable via /etc/rc.conf
39 # Variables in rc.conf:
41 # firewall_type
42 # UNKNOWN - disables the loading of firewall rules.
43 # open - will allow anyone in
44 # client - enables the packetfilter
45 # simple - enables the packetfilter
46 # closed - totally disables IP services except via lo0 interface
47 # filename - will load the rules in the given filename (full path required)
49 # firewall_trusted_nets
50 # firewall_trusted_interfaces
51 # firewall_allowed_icmp_types
52 # firewall_open_tcp_ports
53 # firewall_open_udp_ports
55 if [ -z "${source_rc_confs_defined}" ]; then
56 if [ -r /etc/defaults/rc.conf ]; then
57 . /etc/defaults/rc.conf
58 source_rc_confs
59 elif [ -r /etc/rc.conf ]; then
60 . /etc/rc.conf
64 case ${firewall_quiet} in
65 [Yy][Ee][Ss])
66 fwcmd="/sbin/ipfw -q"
69 fwcmd="/sbin/ipfw"
71 esac
73 case ${firewall_logging} in
74 [Yy][Ee][Ss])
75 log="log"
78 log=""
80 esac
82 # we handle start, stop, firewall_type and nothing as argument
83 if [ -n "$1" ]; then
84 case $1 in
85 start)
87 stop)
88 firewall_type="open"
91 firewall_type="$1"
93 esac
96 divert_nat() {
97 case ${natd_enable} in
98 [Yy][Ee][Ss])
99 if [ -n "${natd_interface}" ]; then
100 ${fwcmd} add divert natd all from any to any via ${natd_interface}
102 esac
105 allow_loopback() {
106 ${fwcmd} add pass all from any to any via lo0
107 ${fwcmd} add deny ${log} all from any to 127.0.0.0/8
108 ${fwcmd} add deny ${log} ip from 127.0.0.0/8 to any
111 deny_spoof() {
112 # XXX we don't have verrevpath yet
113 # ${fwcmd} add deny ${log} ip from any to any not verrevpath in
114 echo no verrevpath yet, so no anti-spoof
117 allow_icmp_types() {
118 for type in $*; do
119 ${fwcmd} add allow icmp from any to any icmptypes ${type}
120 done
123 allow_trusted_nets() {
124 for net in $*; do
125 ${fwcmd} add pass all from me to ${net}
126 ${fwcmd} add pass all from ${net} to me
127 done
130 allow_trusted_interfaces() {
131 for interface in $*; do
132 ${fwcmd} add pass all from any to any via ${interface}
133 done
136 allow_connections() {
137 ${fwcmd} add pass tcp from any to any established
138 ${fwcmd} add pass all from any to any frag
139 ${fwcmd} add pass tcp from me to any setup
140 ${fwcmd} add pass udp from me to any keep-state
143 open_tcp_ports() {
144 for port in $*; do
145 ${fwcmd} add pass tcp from any to me ${port} setup
146 done
149 open_udp_ports() {
150 for port in $*; do
151 ${fwcmd} add pass udp from any to me ${port}
152 ${fwcmd} add pass udp from me ${port} to any
153 done
156 deny_not_routed_nets()
158 # These nets should not be routed
159 nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
160 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
161 for net in ${nets} ; do
162 ${fwcmd} add deny ${log} all from $net to any
163 done
166 deny_rest() {
167 ${fwcmd} add 65000 deny ${log} all from any to any
170 allow_rest() {
171 ${fwcmd} add 65000 pass all from any to any
175 ${fwcmd} -f flush
177 case ${firewall_type} in
178 [Oo][Pp][Ee][Nn])
179 allow_loopback
180 deny_spoof
181 divert_nat
182 allow_rest
185 # historical names
186 [Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]|"")
187 allow_loopback
188 deny_spoof
189 divert_nat
190 allow_trusted_nets ${firewall_trusted_nets}
191 allow_trusted_interfaces ${firewall_trusted_interfaces}
192 allow_connections
193 allow_icmp_types ${firewall_allowed_icmp_types}
194 deny_not_routed_nets
195 open_tcp_ports ${firewall_open_tcp_ports}
196 open_udp_ports ${firewall_open_udp_ports}
197 deny_rest
200 [Cc][Ll][Oo][Ss][Ee][Dd])
201 allow_loopback
202 deny_rest
205 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
209 if [ -r "${firewall_type}" ]; then
210 ${fwcmd} ${firewall_flags} ${firewall_type}
213 esac