3 # Copyright (c) 2004 The DragonFly Project. All rights reserved.
5 # This code is derived from software contributed to The DragonFly Project
6 # by Andreas Hauser <andy-dragonfly@splashground.de>
8 # Redistribution and use in source and binary forms, with or without
9 # modification, are permitted provided that the following conditions
12 # 1. Redistributions of source code must retain the above copyright
13 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in
16 # the documentation and/or other materials provided with the
18 # 3. Neither the name of The DragonFly Project nor the names of its
19 # contributors may be used to endorse or promote products derived
20 # from this software without specific, prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
25 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
26 # COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
27 # INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
28 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
29 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
30 # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
31 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
32 # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 # $DragonFly: src/etc/rc.firewall,v 1.6 2007/06/02 09:16:49 swildner Exp $
# A simple packet filter (ipfw rules), configurable via /etc/rc.conf
39 # Variables in rc.conf:
# UNKNOWN - disables the loading of firewall rules.
# open - lets all traffic through; anyone can connect to this host.
# client - enables the packet filter, built from the firewall_* variables below.
# simple - same as client; "client", "simple" (both matched case-insensitively) and an empty firewall_type all select the same rule set.
# closed - blocks all IP traffic except on the loopback interface (lo0).
# filename - loads the rules from the given ipfw rules file (full path required); any value not listed above is treated as such a file and is only used if it exists and is readable.
# Used by the client/simple rule set:
# firewall_trusted_nets - networks that may exchange any traffic with this host, unfiltered in both directions
# firewall_trusted_interfaces - interfaces on which all traffic is passed without filtering
# firewall_allowed_icmp_types - ICMP types passed from any source to any destination
# firewall_open_tcp_ports - TCP ports on this host that accept incoming connections
# firewall_open_udp_ports - UDP ports on this host open to incoming and outgoing datagrams
# Read the rc configuration unless it has already been sourced (the rc
# framework marks that with source_rc_confs_defined; set outside this file).
# The defaults file is preferred; /etc/rc.conf is read directly only when
# there is no defaults file.
# NOTE(review): what follows the defaults branch, and the closing fi's, are
# not part of this extract.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
	elif [ -r /etc/rc.conf ]; then
64 case ${firewall_quiet} in
73 case ${firewall_logging} in
# Accepted arguments: start, stop, a firewall_type value, or none at all.
# NAT: when natd is enabled and bound to an interface, divert every packet
# crossing that interface to natd. ipfw is first-match, so this rule must be
# installed ahead of the filter rules for translation to precede filtering
# in both directions; confirm the call order in the parts of the file this
# extract omits (the case arm, fi and esac are not shown either).
case ${natd_enable} in
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd all from any to any via ${natd_interface}
# Loopback handling: pass everything on lo0, then drop any packet that
# carries a 127/8 address on a real interface. ipfw is first-match, so the
# lo0 pass rule has to come before the two deny rules.
${fwcmd} add pass all from any to any via lo0
# A packet addressed to 127/8 that did not arrive on lo0 is spoofed.
${fwcmd} add deny ${log} all from any to 127.0.0.0/8
# Likewise for a packet claiming a 127/8 source ("ip" and "all" are
# equivalent protocol selectors in ipfw).
${fwcmd} add deny ${log} ip from 127.0.0.0/8 to any
# ${log} is expected to be ipfw's "log" keyword or empty, depending on
# firewall_logging; it is set outside this span -- confirm before relying on it.
# XXX we don't have verrevpath yet
# Without ipfw's verrevpath (reverse-path check) there is no general
# anti-spoofing: a packet whose source address would not be routed back out
# the interface it arrived on is still accepted. Only the explicit denies
# (loopback and the non-routable nets) catch spoofed sources. The intended
# rule is kept below, commented out, and a note is printed at load time.
# ${fwcmd} add deny ${log} ip from any to any not verrevpath in
echo no verrevpath yet, so no anti-spoof
# Per-type ICMP pass rule; ${type} is set by the enclosing loop over the
# caller's arguments (not in this extract). Note "from any to any": the type
# is passed in every direction, not only to this host. "allow" is ipfw's
# synonym for "pass".
${fwcmd} add allow icmp from any to any icmptypes ${type}
# allow_trusted_nets: pass all traffic between this host ("me") and each
# trusted network, in both directions and without any state or port
# restriction. Every service on this host is therefore fully exposed to the
# networks listed in firewall_trusted_nets -- keep that list to networks
# you actually control.
# NOTE(review): ${net} is presumably set by a loop over the arguments, as in
# allow_trusted_interfaces; that loop line is not part of this extract.
allow_trusted_nets () {
		${fwcmd} add pass all from me to ${net}
		${fwcmd} add pass all from ${net} to me
# allow_trusted_interfaces: pass everything, in both directions, on each
# interface named in the arguments. An interface listed here is effectively
# unfiltered: with ipfw's first-match evaluation, none of the deny rules
# added after this call (loopback spoofing, non-routable nets) apply to
# traffic on it.
# $* is left unquoted on purpose so the space-separated list word-splits.
allow_trusted_interfaces () {
	for interface in $*; do
		${fwcmd} add pass all from any to any via ${interface}
# allow_connections: pass traffic belonging to connections this host takes
# part in. Apart from the UDP keep-state rule these rules are stateless.
allow_connections () {
	# "established" matches any TCP packet with ACK or RST set, from any
	# source; it does not track connections, so unsolicited ACK packets
	# (e.g. ACK scans) are passed by this rule as well.
	${fwcmd} add pass tcp from any to any established
	# Non-initial IP fragments carry no port information and could never
	# match the port rules, so they are passed unconditionally -- from any
	# source. This is a deliberate trade-off; revisit if fragment-based
	# evasion matters in your environment.
	${fwcmd} add pass all from any to any frag
	# Outbound TCP connection initiation (SYN without ACK) from this host.
	${fwcmd} add pass tcp from me to any setup
	# Outbound UDP from this host; keep-state installs a dynamic rule so the
	# reply datagrams are accepted.
	${fwcmd} add pass udp from me to any keep-state
# Accept new inbound TCP connections (SYN only) to ${port} on this host;
# the remainder of each connection is carried by the "established" rule in
# allow_connections. ${port} is set by the enclosing loop (not in this extract).
${fwcmd} add pass tcp from any to me ${port} setup
# UDP has no handshake to key on, so an "open" UDP port is stateless and
# bidirectional: datagrams to ${port} from anywhere, and from ${port} to
# anywhere, are passed. A service on such a port is reachable from any
# source. ${port} is set by the enclosing loop (not in this extract).
${fwcmd} add pass udp from any to me ${port}
${fwcmd} add pass udp from me ${port} to any
# deny_not_routed_nets: drop packets whose *source* address lies in a range
# that should never arrive from outside: RFC 1918 private space, the
# 0.0.0.0/8 "this network" range, link-local, TEST-NET-1 (192.0.2.0/24),
# multicast and the reserved 240/4 block. Only the source is checked --
# traffic *to* these nets is not blocked here -- and 127/8 is left to the
# loopback rules.
deny_not_routed_nets ()
	# These nets should not be routed
	nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
	for net in ${nets} ; do
		# NOTE(review): this also drops RFC 1918 sources, i.e. peers on a
		# private LAN. ipfw is first-match, so such peers stay reachable only
		# if the trusted-net/interface pass rules were installed before this
		# is called; check the call order in the parts of the file not shown.
		${fwcmd} add deny ${log} all from $net to any
# Explicit default-deny at rule 65000: numbered so it sorts after every
# auto-numbered rule added before it and just below the kernel's own
# rule 65535, whose verdict depends on how the kernel was built. Anything
# not matched earlier is dropped (and logged when ${log} is set).
${fwcmd} add 65000 deny ${log} all from any to any
# Explicit default-pass at rule 65000 (presumably the "open" policy):
# whatever reaches this point is let through regardless of the verdict of
# the kernel's built-in rule 65535.
${fwcmd} add 65000 pass all from any to any
177 case ${firewall_type} in
186 [Cc
][Ll
][Ii
][Ee
][Nn
][Tt
]|
[Ss
][Ii
][Mm
][Pp
][Ll
][Ee
]|
"")
190 allow_trusted_nets
${firewall_trusted_nets}
191 allow_trusted_interfaces
${firewall_trusted_interfaces}
193 allow_icmp_types
${firewall_allowed_icmp_types}
195 open_tcp_ports
${firewall_open_tcp_ports}
196 open_udp_ports
${firewall_open_udp_ports}
200 [Cc
][Ll
][Oo
][Ss
][Ee
][Dd
])
205 [Uu
][Nn
][Kk
][Nn
][Oo
][Ww
][Nn
])
209 if [ -r "${firewall_type}" ]; then
210 ${fwcmd} ${firewall_flags} ${firewall_type}