Add an ipfw init script

2007-11-20 16:53:45 +00:00 · 2007-11-20 16:53:45 +00:00 · a12da90fb3
commit a12da90fb3
parent 739d51c349
2 changed files with 170 additions and 1 deletions
--- a/init.d.BSD/Makefile
+++ b/init.d.BSD/Makefile
@ -1,5 +1,5 @@
 DIR = /etc/init.d
-BIN = clock moused powerd rpcbind syscons sysctl syslogd
+BIN = clock ipfw moused powerd rpcbind syscons sysctl syslogd

 TOPDIR = ..
 include $(TOPDIR)/default.mk
--- a/init.d.BSD/ipfw
+++ b/init.d.BSD/ipfw
@ -0,0 +1,169 @@
+#!/sbin/runscript
+# Copyright 2007 Roy Marples
+# All rights reserved
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# This is based on /etc/rc.firewall and /etc/rc.firewall6 from FreeBSD
+
+IP_IN=${IP_IN-any}
+PORTS_IN=${PORTS_IN-auth ssh}
+PORTS_NOLOG=${PORTS_NOLOG-135-139,445 1026,1027 1433,1434}
+
+opts="panic showstatus"
+
+depend() {
+	before net
+	provide firewall
+}
+
+ipfw() {
+	/sbin/ipfw -f -q "$@"
+}
+
+init() {
+	# Load the kernel module
+	if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>/dev/null; then
+		if ! kldload ipfw ; then
+			eend 1 "Unable to load firewall module"
+			return 1
+		fi
+	fi
+
+	# Now all rules and give a good base
+	ipfw flush
+
+	ipfw add pass all from any to any via lo0
+	ipfw add deny all from any to 127.0.0.0/8
+	ipfw add deny ip from 127.0.0.0/8 to any
+
+	ipfw add pass ip6 from any to any via lo0
+	ipfw add deny ip6 from any to ::1
+	ipfw add deny ip6 from ::1 to any
+	
+	ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp
+	ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+	ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
+}
+
+start() {
+	local i= p= log=
+	ebegin "Starting firewall rules"
+	if ! init ; then
+		eend 1 "Failed to flush firewall ruleset"
+		return 1
+	fi
+
+	# Use a statefull firewall
+	ipfw add check-state
+	ipfw add pass tcp from me to any established
+
+	# Allow any connection out, adding state for each.
+	ipfw add pass tcp  from me  to any setup keep-state
+	ipfw add pass udp  from me  to any       keep-state
+	ipfw add pass icmp from me  to any       keep-state
+
+	ipfw add pass tcp  from me6 to any setup keep-state
+	ipfw add pass udp  from me6 to any       keep-state
+	ipfw add pass icmp from me6 to any       keep-state
+
+	# Allow DHCP.
+	ipfw add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
+	ipfw add pass udp  from any 67     to me 68 in
+	ipfw add pass udp  from any 67     to 255.255.255.255 68 in
+	# Some servers will ping the IP while trying to decide if it's 
+	# still in use.
+	ipfw add pass icmp from any to any icmptype 8
+
+	# Allow "mandatory" ICMP in.
+	ipfw add pass icmp from any to any icmptype 3,4,11
+
+	# Allow ICMPv6 destination unreach
+	ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
+
+	# Allow NS/NA/toobig (don't filter it out)
+	ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp
+	
+	# Add permits for this workstations published services below
+	# Only IPs and nets in firewall_allowservices is allowed in.
+	for i in ${IP_IN}; do
+		for p in ${PORTS_IN}; do
+	    	ipfw add pass tcp from ${i} to me ${p}
+		done
+	done
+
+	# Allow all connections from trusted IPs.
+	# Playing with the content of firewall_trusted could seriously
+	# degrade the level of protection provided by the firewall.
+	for i in ${IP_TRUST}; do
+		ipfw add pass ip from ${i} to me
+	done
+	
+	ipfw add 65000 count ip from any to any
+
+	# Drop packets to ports where we don't want logging
+	for p in ${PORTS_NOLOG}; do
+		ipfw add deny { tcp or udp } from any to any ${p} in
+	done
+
+	# Broadcasts and muticasts
+	ipfw add deny ip from any to 255.255.255.255
+	ipfw add deny ip from any to 224.0.0.0/24 
+
+	# Noise from routers
+	ipfw add deny udp from any to any 520 in
+
+	# Noise from webbrowsing.
+	# The statefull filter is a bit agressive, and will cause some
+	# connection teardowns to be logged.
+	ipfw add deny tcp from any 80,443 to any 1024-65535 in
+
+	# Deny and (if wanted) log the rest unconditionally.
+	if [ "${LOG_DENY}" = "yes" ]; then
+		log="log"
+		sysctl net.inet.ip.fw.verbose=1 >/dev/null
+	fi
+	ipfw add deny ${log} ip from any to any
+
+	eend 0
+}
+
+stop() {
+	ebegin "Stopping firewall rules"
+	# We don't unload the kernel module as that action
+	# can cause memory leaks as of FreeBSD 6.x
+	sysctl net.inet.ip.fw.enable=0 >/dev/null
+	eend $?
+}
+
+panic() {
+	ebegin "Stopping firewall rules - hard"
+	if ! init ; then
+		eend 1 "Failed to flush firewall ruleset"
+		return 1
+	fi
+	eend 0
+}
+
+showstatus() {
+	ipfw show
+}