openrc/init.d/ipfw.in

160 lines
4.0 KiB
Plaintext
Raw Normal View History

#!@SBINDIR@/openrc-run
2009-05-01 19:41:40 +05:30
# Copyright (c) 2007-2009 Roy Marples <roy@marples.name>
# Released under the 2-clause BSD license.
2007-11-20 22:23:45 +05:30
# This is based on /etc/rc.firewall and /etc/rc.firewall6 from FreeBSD
ipfw_ip_in=${ipfw_ip_in-any}
ipfw_ports_in=${ipfw_ports_in-auth ssh}
ipfw_ports_nolog=${ipfw_ports_nolog-135-139,445 1026,1027 1433,1434}
2007-11-20 22:23:45 +05:30
extra_commands="panic showstatus"
2007-11-20 22:23:45 +05:30
depend() {
before net
provide firewall
keyword -jail
2007-11-20 22:23:45 +05:30
}
ipfw() {
/sbin/ipfw -f -q "$@"
}
2008-08-29 12:13:54 +05:30
have_ip6() {
sysctl net.ipv6 2>/dev/null
}
2007-11-20 22:23:45 +05:30
init() {
# Load the kernel module
2007-11-28 21:15:03 +05:30
if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
if ! kldload ipfw; then
2007-11-20 22:23:45 +05:30
eend 1 "Unable to load firewall module"
return 1
fi
fi
# Now all rules and give a good base
ipfw flush
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
if have_ip6; then
2008-08-29 12:13:54 +05:30
ipfw add pass ip6 from any to any via lo0
ipfw add deny ip6 from any to ::1
ipfw add deny ip6 from ::1 to any
2008-08-29 12:13:54 +05:30
ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp
ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
fi
2007-11-20 22:23:45 +05:30
}
start() {
local i= p= log=
ebegin "Starting firewall rules"
2007-11-28 21:15:03 +05:30
if ! init; then
2007-11-20 22:23:45 +05:30
eend 1 "Failed to flush firewall ruleset"
return 1
fi
# Use a stateful firewall
2007-11-20 22:23:45 +05:30
ipfw add check-state
ipfw add pass tcp from me to any established
# Allow any connection out, adding state for each.
ipfw add pass tcp from me to any setup keep-state
ipfw add pass udp from me to any keep-state
ipfw add pass icmp from me to any keep-state
2008-08-29 12:13:54 +05:30
if have_ip6; then
ipfw add pass tcp from me6 to any setup keep-state
ipfw add pass udp from me6 to any keep-state
ipfw add pass icmp from me6 to any keep-state
fi
2007-11-20 22:23:45 +05:30
# Allow DHCP.
ipfw add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
ipfw add pass udp from any 67 to me 68 in
ipfw add pass udp from any 67 to 255.255.255.255 68 in
# Some servers will ping the IP while trying to decide if it's
2007-11-20 22:23:45 +05:30
# still in use.
ipfw add pass icmp from any to any icmptype 8
# Allow "mandatory" ICMP in.
ipfw add pass icmp from any to any icmptype 3,4,11
2008-08-29 12:13:54 +05:30
if have_ip6; then
# Allow ICMPv6 destination unreach
ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
2008-08-29 12:13:54 +05:30
# Allow NS/NA/toobig (don't filter it out)
ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp
fi
2007-11-20 22:23:45 +05:30
# Add permits for this workstations published services below
# Only IPs and nets in firewall_allowservices is allowed in.
2009-04-27 13:21:18 +05:30
for i in $ipfw_ip_in; do
for p in $ipfw_ports_in; do
ipfw add pass tcp from $i to me $p
2007-11-20 22:23:45 +05:30
done
done
# Allow all connections from trusted IPs.
# Playing with the content of firewall_trusted could seriously
# degrade the level of protection provided by the firewall.
2009-04-27 13:21:18 +05:30
for i in $ipfw_ip_trust; do
ipfw add pass ip from $i to me
2007-11-20 22:23:45 +05:30
done
2007-11-20 22:23:45 +05:30
ipfw add 65000 count ip from any to any
# Drop packets to ports where we don't want logging
2009-04-27 13:21:18 +05:30
for p in $ipfw_ports_nolog; do
ipfw add deny { tcp or udp } from any to any $p in
2007-11-20 22:23:45 +05:30
done
# Broadcasts and muticasts
ipfw add deny ip from any to 255.255.255.255
ipfw add deny ip from any to 224.0.0.0/24
2007-11-20 22:23:45 +05:30
# Noise from routers
ipfw add deny udp from any to any 520 in
# Noise from webbrowsing.
# The stateful filter is a bit aggressive, and will cause some
2007-11-20 22:23:45 +05:30
# connection teardowns to be logged.
ipfw add deny tcp from any 80,443 to any 1024-65535 in
# Deny and (if wanted) log the rest unconditionally.
if yesno ${ipfw_log_deny:-no}; then
2009-04-27 13:21:18 +05:30
log=log
2007-11-20 22:23:45 +05:30
sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
2009-04-27 13:21:18 +05:30
ipfw add deny $log ip from any to any
2007-11-20 22:23:45 +05:30
eend 0
}
stop() {
ebegin "Stopping firewall rules"
# We don't unload the kernel module as that action
# can cause memory leaks as of FreeBSD 6.x
sysctl net.inet.ip.fw.enable=0 >/dev/null
eend $?
}
panic() {
ebegin "Stopping firewall rules - hard"
2007-11-28 21:15:03 +05:30
if ! init; then
2007-11-20 22:23:45 +05:30
eend 1 "Failed to flush firewall ruleset"
return 1
fi
eend 0
}
showstatus() {
ipfw show
}