etc/rc.firewall6

   1 #!/bin/sh
   2 ############
   3 # Setup system for IPv6 firewall service.
   4 # $FreeBSD: src/etc/rc.firewall6,v 1.1.2.11 2003/02/10 05:45:06 trhodes Exp $
   5 # $DragonFly: src/etc/rc.firewall6,v 1.3 2008/08/10 21:29:16 hasso Exp $
   6
   7 # Suck in the configuration variables.
   8 if [ -z "${source_rc_confs_defined}" ]; then
   9         if [ -r /etc/defaults/rc.conf ]; then
  10                 . /etc/defaults/rc.conf
  11                 source_rc_confs
  12         elif [ -r /etc/rc.conf ]; then
  13                 . /etc/rc.conf
  14         fi
  15 fi
  16
  17 ############
  18 # Define the firewall type in /etc/rc.conf.  Valid values are:
  19 #   open     - will allow anyone in
  20 #   client   - will try to protect just this machine
  21 #   simple   - will try to protect a whole network
  22 #   closed   - totally disables IP services except via lo0 interface
  23 #   UNKNOWN  - disables the loading of firewall rules.
  24 #   filename - will load the rules in the given filename (full path required)
  25 #
  26 # For ``client'' and ``simple'' the entries below should be customized
  27 # appropriately.
  28
  29 ############
  30 #
  31 # If you don't know enough about packet filtering, we suggest that you
  32 # take time to read this book:
  33 #
  34 #       Building Internet Firewalls, 2nd Edition
  35 #       Brent Chapman and Elizabeth Zwicky
  36 #
  37 #       O'Reilly & Associates, Inc
  38 #       ISBN 1-56592-871-7
  39 #       http://www.ora.com/
  40 #       http://www.oreilly.com/catalog/fire2/
  41 #
  42 # For a more advanced treatment of Internet Security read:
  43 #
  44 #       Firewalls & Internet Security
  45 #       Repelling the wily hacker
  46 #       William R. Cheswick, Steven M. Bellowin
  47 #
  48 #       Addison-Wesley
  49 #       ISBN 0-201-63357-4
  50 #       http://www.awl.com/
  51 #       http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
  52 #
  53
  54 setup_local () {
  55         ############
  56         # Only in rare cases do you want to change these rules
  57         #
  58         ${fw6cmd} add 100 pass all from any to any via lo0
  59         #
  60         # ND
  61         #
  62         # DAD
  63         ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
  64         # RS, RA, NS, NA, redirect...
  65         ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
  66         ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
  67 }
  68
  69 if [ -n "${1}" ]; then
  70         ipv6_firewall_type="${1}"
  71 fi
  72
  73 ############
  74 # Set quiet mode if requested
  75 #
  76 case ${ipv6_firewall_quiet} in
  77 [Yy][Ee][Ss])
  78         fw6cmd="/sbin/ip6fw -q"
  79         ;;
  80 *)
  81         fw6cmd="/sbin/ip6fw"
  82         ;;
  83 esac
  84
  85 ############
  86 # Flush out the list before we begin.
  87 #
  88 ${fw6cmd} -f flush
  89
  90 ############
  91 # If you just configured ipfw in the kernel as a tool to solve network
  92 # problems or you just want to disallow some particular kinds of traffic
  93 # then you will want to change the default policy to open.  You can also
  94 # do this as your only action by setting the ipv6_firewall_type to ``open''.
  95 #
  96 # ${fw6cmd} add 65000 pass all from any to any
  97
  98
  99 # Prototype setups.
 100 #
 101 case ${ipv6_firewall_type} in
 102 [Oo][Pp][Ee][Nn])
 103         setup_local
 104         ${fw6cmd} add 65000 pass all from any to any
 105         ;;
 106
 107 [Cc][Ll][Ii][Ee][Nn][Tt])
 108         ############
 109         # This is a prototype setup that will protect your system somewhat
 110         # against people from outside your own network.
 111         ############
 112
 113         # set these to your network and prefixlen and ip
 114         #
 115         # This needs more work
 116         #
 117         net="2001:db8:2:1::"
 118         prefixlen="64"
 119         ip="2001:db8:2:1::1"
 120
 121         setup_local
 122
 123         # Allow any traffic to or from my own net.
 124         ${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
 125         ${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
 126
 127         # Allow any link-local multicast traffic
 128         ${fw6cmd} add pass all from fe80::/10 to ff02::/16
 129         ${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
 130
 131         # Allow TCP through if setup succeeded
 132         ${fw6cmd} add pass tcp from any to any established
 133
 134         # Allow IP fragments to pass through
 135         ${fw6cmd} add pass all from any to any frag
 136
 137         # Allow setup of incoming email
 138         ${fw6cmd} add pass tcp from any to ${ip} 25 setup
 139
 140         # Allow setup of outgoing TCP connections only
 141         ${fw6cmd} add pass tcp from ${ip} to any setup
 142
 143         # Disallow setup of all other TCP connections
 144         ${fw6cmd} add deny tcp from any to any setup
 145
 146         # Allow DNS queries out in the world
 147         ${fw6cmd} add pass udp from any 53 to ${ip}
 148         ${fw6cmd} add pass udp from ${ip} to any 53
 149
 150         # Allow NTP queries out in the world
 151         ${fw6cmd} add pass udp from any 123 to ${ip}
 152         ${fw6cmd} add pass udp from ${ip} to any 123
 153
 154         # Allow ICMPv6 destination unreach
 155         ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
 156
 157         # Allow NS/NA/toobig (don't filter it out)
 158         ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
 159
 160         # Everything else is denied by default, unless the
 161         # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 162         # config file.
 163         ;;
 164
 165 [Ss][Ii][Mm][Pp][Ll][Ee])
 166         ############
 167         # This is a prototype setup for a simple firewall.  Configure this
 168         # machine as a named server and ntp server, and point all the machines
 169         # on the inside at this machine for those services.
 170         ############
 171
 172         # set these to your outside interface network and prefixlen and ip
 173         oif="ed0"
 174         onet="2001:db8:2:1::"
 175         oprefixlen="64"
 176         oip="2001:db8:2:1::1"
 177
 178         # set these to your inside interface network and prefixlen and ip
 179         iif="ed1"
 180         inet="2001:db8:2:2::"
 181         iprefixlen="64"
 182         iip="2001:db8:2:2::1"
 183
 184         setup_local
 185
 186         # Stop spoofing
 187         ${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
 188         ${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
 189
 190         # Stop site-local on the outside interface
 191         ${fw6cmd} add deny all from fec0::/10 to any via ${oif}
 192         ${fw6cmd} add deny all from any to fec0::/10 via ${oif}
 193
 194         # Disallow "internal" addresses to appear on the wire.
 195         ${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
 196         ${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}
 197
 198         # Disallow packets to malicious IPv4 compatible prefix.
 199         ${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
 200         ${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
 201         ${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
 202         ${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
 203         ${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
 204         ${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
 205         ${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
 206         ${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}
 207
 208         ${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
 209         ${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}
 210
 211         # Disallow packets to malicious 6to4 prefix.
 212         ${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
 213         ${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
 214         ${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
 215         ${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
 216         ${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
 217         ${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
 218         ${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
 219         ${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}
 220
 221         ${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
 222         ${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
 223         ${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
 224         ${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
 225         ${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
 226         ${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}
 227
 228         ${fw6cmd} add deny all from ff05::/16 to any via ${oif}
 229         ${fw6cmd} add deny all from any to ff05::/16 via ${oif}
 230
 231         # Allow TCP through if setup succeeded
 232         ${fw6cmd} add pass tcp from any to any established
 233
 234         # Allow IP fragments to pass through
 235         ${fw6cmd} add pass all from any to any frag
 236
 237         # Allow setup of incoming email
 238         ${fw6cmd} add pass tcp from any to ${oip} 25 setup
 239
 240         # Allow access to our DNS
 241         ${fw6cmd} add pass tcp from any to ${oip} 53 setup
 242         ${fw6cmd} add pass udp from any to ${oip} 53
 243         ${fw6cmd} add pass udp from ${oip} 53 to any
 244
 245         # Allow access to our WWW
 246         ${fw6cmd} add pass tcp from any to ${oip} 80 setup
 247
 248         # Reject&Log all setup of incoming connections from the outside
 249         ${fw6cmd} add deny log tcp from any to any in via ${oif} setup
 250
 251         # Allow setup of any other TCP connection
 252         ${fw6cmd} add pass tcp from any to any setup
 253
 254         # Allow DNS queries out in the world
 255         ${fw6cmd} add pass udp from any 53 to ${oip}
 256         ${fw6cmd} add pass udp from ${oip} to any 53
 257
 258         # Allow NTP queries out in the world
 259         ${fw6cmd} add pass udp from any 123 to ${oip}
 260         ${fw6cmd} add pass udp from ${oip} to any 123
 261
 262         # Allow RIPng
 263         #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
 264         #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
 265
 266         # Allow ICMPv6 destination unreach
 267         ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
 268
 269         # Allow NS/NA/toobig (don't filter it out)
 270         ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
 271
 272         # Everything else is denied by default, unless the
 273         # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 274         # config file.
 275         ;;
 276
 277 [Cc][Ll][Oo][Ss][Ee][Dd])
 278         # Only enable the loopback interface
 279         ${fw6cmd} add 100 pass all from any to any via lo0
 280         ;;
 281 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 282         ;;
 283 *)
 284         if [ -r "${ipv6_firewall_type}" ]; then
 285                 ${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type}
 286         fi
 287         ;;
 288 esac