Date: Wed, 17 May 2000 09:04:33 -0400 (EDT)
From: jim@thehousleys.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: conf/18621: Adding ip6fw/firewall support for IPv6 to rc.*
Message-ID: <200005171304.JAA03963@thehousleys.net>
>Number: 18621
>Category: conf
>Synopsis: Adding ip6fw/firewall support for IPv6 to rc.*
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed May 17 06:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Jim Housley
>Release: FreeBSD 4.0-STABLE i386
>Organization: The Housleys dot Net
>Environment: FreeBSD 4.x & FreeBSD 5.x
>Description:
The attached patch will add the capability to /etc/defaults/rc.conf to specify IPv6 firewall variables. /etc/rc.network will call /etc/rc.firewall6 as a default IPv6 firewall script. BTW the sample rules need LOTS of work, but the framework is there. /etc/rc.firewall needs to be modified to allow IPv6 packets to pass by default so they can be handled by the IPv6 firewall.
>How-To-Repeat:
>Fix:
--- rc.firewall Mon May 1 15:00:31 2000 +++ rc.firewall.new Wed May 17 08:47:26 2000 @@ -66,6 +66,15 @@ ${fwcmd} -f flush ############ +# If IPv6 firewall is used we need to a a pass rule for IPv6 +# +case ${firewall_enable} in +[Yy][Ee][Ss]) + ${fwcmd} add 25 allow ipv6 from any to any + ;; +esac + +############ # These rules are required for using natd. All packets are passed to # natd before they encounter your remaining rules. The firewall rules # will then be run again on each packet after translation by natd, @@ -74,7 +83,7 @@ case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add divert natd all from any to any via ${natd_interface} + ${fwcmd} add 50 divert natd all from any to any via ${natd_interface} fi ;; esac --- rc.firewall6 Wed May 17 08:57:05 2000 +++ rc.firewall6.new Wed May 17 08:51:30 2000 
@@ -0,0 +1,132 @@ +############ +# Setup system for firewall service. +# $FreeBSD$ + +# Suck in the configuration variables. +if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf +elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf +fi + +############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) +# +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. + +############ +# +# If you don't know enough about packet filtering, we suggest that you +# take time to read this book: +# +# Building Internet Firewalls +# Brent Chapman and Elizabeth Zwicky +# +# O'Reilly & Associates, Inc +# ISBN 1-56592-124-0 +# http://www.ora.com/ +# +# For a more advanced treatment of Internet Security read: +# +# Firewalls & Internet Security +# Repelling the wily hacker +# William R. Cheswick, Steven M. Bellowin +# +# Addison-Wesley +# ISBN 0-201-6337-4 +# http://www.awl.com/ +# + +if [ -n "${1}" ]; then + firewall6_type="${1}" +fi + +############ +# Set quiet mode if requested +# +case ${firewall6_quiet} in +[Yy][Ee][Ss]) + fw6cmd="/sbin/ip6fw -q" + ;; +*) + fw6cmd="/sbin/ip6fw" + ;; +esac + +############ +# Flush out the list before we begin. +# +${fw6cmd} -f flush + +############ +# If you just configured ipfw in the kernel as a tool to solve network +# problems or you just want to disallow some particular kinds of traffic +# then you will want to change the default policy to open. You can also +# do this as your only action by setting the firewall6_type to ``open''. 
+# +# ${fw6cmd} add 65000 pass all from any to any + +############ +# Only in rare cases do you want to change these rules +# +${fw6cmd} add 100 pass all from any to any via lo0 + + +# Prototype setups. +# +case ${firewall6_type} in +[Oo][Pp][Ee][Nn]) + ${fw6cmd} add 65000 pass all from any to any + ;; + +[Cc][Ll][Ii][Ee][Nn][Tt]) + ############ + # This is a prototype setup that will protect your system somewhat + # against people from outside your own network. + ############ + + # set these to your network and netmask and ip + # + # This needs more work + # + ;; + +[Ss][Ii][Mm][Pp][Ll][Ee]) + ############ + # This is a prototype setup for a simple firewall. Configure this + # machine as a named server and ntp server, and point all the machines + # on the inside at this machine for those services. + ############ + + # + # ND + # + # DAD + ${fw6cmd} add pass ipv6-icmp from ff02::/16 to :: + ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16 + # RS, RA, NS, NA, redirect... + ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10 + ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16 + + ${fw6cmd} add pass tcp from any to any established + + # RIPng + ${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521 + + ;; + +[Uu][Nn][Kk][Nn][Oo][Ww][Nn]) + ;; +*) + if [ -r "${firewall6_type}" ]; then + ${fw6cmd} ${firewall6_flags} ${firewall6_type} + fi + ;; +esac --- rc.network Mon Mar 27 16:39:49 2000 +++ rc.network.new Wed May 17 08:54:29 2000 
@@ -228,6 +228,41 @@ ;; esac + case ${firewall6_enable} in + [Yy][Ee][Ss]) + if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then + firewall_in_kernel=1 + echo "Kernel firewall module loaded." + elif [ "${firewall_in_kernel}" -eq 0 ]; then + echo "Warning: firewall kernel module failed to load." + fi + ;; + esac + + # Load the filters if required + # + case ${firewall_in_kernel} in + 1) + if [ -z "${firewall6_script}" ]; then + firewall6_script=/etc/rc.firewall6 + fi + + case ${firewall6_enable} in + [Yy][Ee][Ss]) + if [ -r "${firewall6_script}" ]; then + . "${firewall6_script}" + echo -n 'Firewall rules loaded, starting divert daemons:' + + elif [ "`ip6fw l 65535`" = "65535 deny ip from any to any" ]; then + echo -n "Warning: kernel has firewall functionality, " + echo "but firewall rules are not enabled." + echo " All ip services are disabled." + fi + ;; + esac + ;; + esac + # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then --- defaults/rc.conf Mon Apr 17 09:17:11 2000 +++ defaults/rc.conf.new Wed May 17 08:39:41 2000 @@ -48,6 +48,11 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display firewall_flags="" # Flags passed to ipfw when type is a file +firewall6_enable="NO" # Set to YES to enable firewall functionality +firewall6_script="/etc/rc.firewall6" # Which script to run to set up the firewall +firewall6_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) +firewall6_quiet="NO" # Set to YES to suppress rule display +firewall6_flags="" # Flags passed to ipfw when type is a file natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
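Review bot: the new case in the first rc.firewall hunk tests `${firewall_enable}` instead of `${firewall6_enable}`, so `${fwcmd} add 25 allow ipv6 from any to any` is installed whenever rc.firewall runs at all (rc.network only sources it when firewall_enable is YES), including for firewall_type closed and on hosts that never load a single ip6fw rule; change it to `case ${firewall6_enable} in`. The comment above it also needs fixing ("we need to a a pass rule") and should say what the rule lets through: `ipv6` in an ipfw rule is IP protocol 41, IPv6 encapsulated in IPv4, i.e. tunnelled IPv6, which ip6fw then filters after decapsulation.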
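Review bot: the explicit number 50 on the natd divert rule in the second rc.firewall hunk is what keeps the divert ahead of the lo0 rule at 100 now that rule 25 precedes it (an unnumbered add is auto-numbered after the highest existing rule, which would put it behind lo0); the comment block above the natd case still says nothing about this, so add a line there stating that 25 < 50 < 100 is deliberate, or the next renumbering will silently move the divert.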
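Review bot: in the simple case of rc.firewall6, `${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::` can never match, since a multicast address is never a packet's source address; DAD is covered by the `from :: to ff02::/16` rule alone, so drop that line. The rest of the comments are copied from rc.firewall unchanged: the header talks about ipfw and `firewall_type`, the simple-case comment says "Configure this machine as a named server and ntp server" although no such rules exist, and `closed`, listed as a valid type, has no case, so like the empty `client` case it leaves only the lo0 rule and the kernel's default rule 65535 deciding everything. Say that in the comments until the rules are filled in, and change the references to ip6fw and firewall6_type.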
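Review bot: the rc.network hunk gates the IPv6 rules on `firewall_in_kernel`, which is set from the ipfw probe and from `kldload ipfw`, so it tests for ipfw, not ip6fw: a kernel with ipfw but without ip6fw passes the check, `${fw6cmd} -f flush` in the script then fails and the IPv6 rules are silently not installed, while a host with firewall_enable=NO and firewall6_enable=YES loads the ipfw module only to satisfy this test. Probe ip6fw itself into a separate `firewall6_in_kernel`, mirroring the `ipfw -q flush` probe earlier in rc.network, and test that variable here. Two smaller points: `echo -n 'Firewall rules loaded, starting divert daemons:'` is copied from the IPv4 branch, but nothing in this hunk starts a daemon and no newline follows, so the message is wrong and leaves the console line unterminated; and the `ip6fw l 65535` comparison reuses ipfw's wording `65535 deny ip from any to any`, so verify the exact string ip6fw prints for its default rule, otherwise the "All ip services are disabled" warning never fires.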
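Review bot: the comments on the five new firewall6_* variables in defaults/rc.conf are copied from the IPv4 ones: `firewall6_type` points at /etc/rc.firewall rather than /etc/rc.firewall6, `firewall6_flags` says "passed to ipfw" instead of ip6fw, and `firewall6_enable` should say it enables the IPv6 firewall so it is not taken for a duplicate of firewall_enable. Since firewall6_script now has a default here, the `-z "${firewall6_script}"` fallback in rc.network is only reached when someone sets the variable empty; keeping it is fine, but note the redundancy in one of the two places.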
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005171304.JAA03963>
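The rc.conf-driven gating described in the PR, as an added example that is not part of the PR or of FreeBSD's rc scripts: it re-creates the decision logic of the rc.firewall and rc.network hunks in POSIX sh with stub `ipfw`/`ip6fw` functions that record rules instead of talking to the kernel, so the difference between gating rule 25 on `firewall_enable` (as submitted) and on `firewall6_enable` can be checked offline, and a kernel without ip6fw can be simulated. The stub commands, `IP6FW_AVAILABLE`, `firewall6_in_kernel`, the `*_has_rule` helpers and the `rc_firewall6` function are all assumptions of this example. It relies on `ipv6` as an ipfw protocol keyword meaning IP protocol 41 (IPv6-in-IPv4), and it omits the PR's `from ff02::/16 to ::` rule because a multicast address is never a source address.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's rc scripts: models the
# rc.conf-driven gating the patch introduces, with stub ipfw/ip6fw functions
# that record rules instead of talking to the kernel, so it runs anywhere.

IPFW_RULES=""          # rules the stub ipfw has "installed", ';'-separated
IP6FW_RULES=""         # same for the stub ip6fw
IP6FW_AVAILABLE=yes    # set to "no" to model a kernel built without ip6fw

# Stub ipfw: handles "-f flush" and "add ...", all that rc.firewall uses here.
ipfw() {
    case "$1" in
    -f)  IPFW_RULES="" ;;
    add) shift; IPFW_RULES="${IPFW_RULES}$*;" ;;
    esac
}

# Stub ip6fw: fails outright when the "kernel" lacks it, as the real binary
# does without IPV6FIREWALL; otherwise records rules like the ipfw stub.
ip6fw() {
    [ "${IP6FW_AVAILABLE}" = yes ] || return 1
    if [ "$1" = -q ]; then shift; fi
    case "$1" in
    -f)  IP6FW_RULES="" ;;
    add) shift; IP6FW_RULES="${IP6FW_RULES}$*;" ;;
    esac
}

fw_reset() { IPFW_RULES=""; IP6FW_RULES=""; }
ipv4_has_rule() { case "${IPFW_RULES}"  in *"$1"*) return 0 ;; *) return 1 ;; esac; }
ipv6_has_rule() { case "${IP6FW_RULES}" in *"$1"*) return 0 ;; *) return 1 ;; esac; }

# rc.firewall side as submitted: gated on firewall_enable, which is always
# YES when rc.network runs rc.firewall, so the pass rule is unconditional.
load_ipv4_rules_as_submitted() {
    ipfw -f flush
    case ${firewall_enable} in
    [Yy][Ee][Ss]) ipfw add 25 allow ipv6 from any to any ;;
    esac
    ipfw add 100 pass all from any to any via lo0
}

# rc.firewall side gated on the variable the comment means. "ipv6" in an
# ipfw rule is IP protocol 41 (IPv6-in-IPv4), i.e. tunnelled IPv6; it is
# let through so that ip6fw can filter the packets after decapsulation.
load_ipv4_rules() {
    ipfw -f flush
    case ${firewall6_enable} in
    [Yy][Ee][Ss]) ipfw add 25 allow ipv6 from any to any ;;
    esac
    ipfw add 100 pass all from any to any via lo0
}

# Stand-in for ". ${firewall6_script}" with the "simple" prototype rules.
# The PR's "from ff02::/16 to ::" rule is left out: a multicast address is
# never a packet's source, so that rule can never match.
rc_firewall6() {
    ip6fw -f flush
    ip6fw add 100 pass all from any to any via lo0
    case ${firewall6_type} in
    [Oo][Pp][Ee][Nn])
        ip6fw add 65000 pass all from any to any ;;
    [Ss][Ii][Mm][Pp][Ll][Ee])
        ip6fw add pass ipv6-icmp from :: to ff02::/16          # DAD
        ip6fw add pass ipv6-icmp from fe80::/10 to fe80::/10   # NS, NA, redirect
        ip6fw add pass ipv6-icmp from fe80::/10 to ff02::/16   # RS, RA, NS
        ip6fw add pass tcp from any to any established ;;
    esac
}

# rc.network side, probing ip6fw itself (as rc.network probes ipfw with
# "ipfw -q flush") instead of reusing firewall_in_kernel and "kldload ipfw".
# Returns 1 when IPv6 rules were requested but could not be loaded.
load_ipv6_rules() {
    firewall6_in_kernel=0
    if ip6fw -q flush >/dev/null 2>&1; then firewall6_in_kernel=1; fi
    case ${firewall6_enable} in
    [Yy][Ee][Ss])
        if [ "${firewall6_in_kernel}" -eq 1 ]; then
            rc_firewall6
            echo "IPv6 firewall rules loaded."
        else
            echo "Warning: ip6fw not in kernel, IPv6 firewall rules not loaded." >&2
            return 1
        fi ;;
    esac
    return 0
}

# Demo run with the PR's defaults plus firewall6_enable=YES and type "simple".
firewall_enable=YES; firewall6_enable=YES; firewall6_type=simple
load_ipv4_rules; load_ipv6_rules
echo "ipfw:  ${IPFW_RULES}"
echo "ip6fw: ${IP6FW_RULES}"
```

Running the script as-is prints the two recorded rule chains; swapping `load_ipv4_rules` for `load_ipv4_rules_as_submitted` and setting `firewall6_enable=NO` shows rule 25 still appearing in the ipfw chain, and setting `IP6FW_AVAILABLE=no` shows the IPv6 branch refusing instead of running the rules against a kernel that cannot take them.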