From: Matthias Schuendehuette
Reply-To: msch@snafu.de
Organization: Micro$oft-free Zone
To: freebsd-stable@freebsd.org
Subject: Enhancement for rc.firewall
Date: Sun, 6 Jan 2002 17:48:30 +0100

Hello,

I did an enhancement for /etc/rc.firewall and perhaps someone appreciates it (and commits it? :-). I added a 'dialup' configuration based on and inspired by Marc Silver and his "Dialup firewalling with FreeBSD" article in /usr/share/doc... If this is a totally forbidden way to publish such enhancements, please let me know.

Ciao/BSD - Matthias

--- /usr/src/etc/rc.firewall Sat Dec 29 09:25:53 2001 +++ /etc/rc.firewall Sun Jan 6 17:37:46 2002 @@ -45,6 +45,7 @@ # client - will try to protect just this machine # simple - will try to protect a whole network # closed - totally disables IP services except via lo0 interface +# dialup - will try to protect in case of dialup internet connection # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # 
@@ -279,6 +280,86 @@ # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. + ;; + +[Dd][Ii][Aa][Ll][Uu][Pp]) + ######## + # Configuration for a DialUp-Firewall + ######## + + # set these to your outside interface + oif="isp*" + + # set these to your inside interface network and netmask and ip + iif="xl0" + iip="192.168.200.1" + imask="255.255.255.0" + inet="192.168.200.0" + + # Special Rule to enable 'isp*' dialout triggering with 'ping' + # until it gets a valid dynamic IP-Address + # Remove in case of static IP-Address! + #${fwcmd} add allow icmp from 0.0.0.0/31 to any via ${oif} + + # General Rules (TCP/UDP/ICMP) + + # Stop spoofing + ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} + + # Stop RFC1918 nets on the outside interface + ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} + ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} + ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} + + # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, + # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) + # on the outside interface + ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} + ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} + ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} + ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} + ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} + + # Allow any traffic to or from my own net, even with broadcasts. + ${fwcmd} add allow ip from ${inet}:${imask} to ${inet}:${imask} via ${iif} + + # Rules for TCP traffic + + # Allow all connections that I initiate. 
+ $fwcmd add allow tcp from any to any out xmit ${oif} setup + + # Examples for outside connections to some local services + # + # HTTP + # $fwcmd add allow tcp from any to any 80 via ${oif} setup + # + # SSH + # $fwcmd add allow tcp from any to any 22 via ${oif} setup + + # Once connections are made, allow them to stay open. + $fwcmd add allow tcp from any to any via ${oif} established + + # This sends a RESET to all ident packets. + $fwcmd add reset log tcp from any to any 113 in recv ${oif} + + # Rules for UDP traffic + + # Allow DNS + $fwcmd add allow udp from any to any 53 out xmit ${oif} + $fwcmd add allow udp from any 53 to any in recv ${oif} + + # Allow NTP + $fwcmd add allow udp from any to any 123 out xmit ${oif} + $fwcmd add allow udp from any 123 to any in recv ${oif} + + # Rules for ICMP traffic + + # Allow all ICMP traffic + $fwcmd add allow icmp from any to any + + # Disallow and log all the rest + $fwcmd add deny log ip from any to any + ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn])

-- 
***************************************************************************
* Matthias Schuendehuette msch@snafu.de *
* Solmsstrasse 44 *
* D-10961 Berlin Engineering Systems Support and Operation *
* Germany (Powered by FreeBSD 4.5-PRERELEASE) *
***************************************************************************
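Review bot: the inbound UDP rules in the new dialup case, `$fwcmd add allow udp from any 53 to any in recv ${oif}` and the matching port 123 rule, match on source port only, so any datagram arriving on the outside interface with source port 53 or 123 is accepted regardless of which local UDP port it is addressed to; since these rules keep no state, consider narrowing the destination (for example to the local side's unprivileged port range) or at least documenting the trade-off in the comment, as the "Allow DNS"/"Allow NTP" labels suggest a tighter rule than is actually installed. In the same hunk, `$fwcmd add allow icmp from any to any` passes every ICMP type on every interface, which is broader than the commented-out dialout trigger rule above it needs; listing the required icmptypes would keep the section's default-deny posture. Minor: the hunk switches from `${fwcmd}` in its first half to `$fwcmd` in the second; pick one form for consistency.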