Date: Sun, 6 Jan 2002 17:48:30 +0100
From: Matthias Schuendehuette <msch@snafu.de>
To: freebsd-stable@freebsd.org
Subject: Enhancement for rc.firewall
Message-ID: <E16NGao-0006ym-00@smart.eusc.inter.net>
Hello,
I did an enhancement for /etc/rc.firewall and perhaps someone
appreciates it (and commits it? :-).
I added a 'dialup' configuration, based on and inspired by Marc Silver and
his "Dialup firewalling with FreeBSD" article in /usr/share/doc...
If this is a totally forbidden way to publish such enhancements, please
let me know.
Ciao/BSD - Matthias
--- /usr/src/etc/rc.firewall Sat Dec 29 09:25:53 2001
+++ /etc/rc.firewall Sun Jan 6 17:37:46 2002
@@ -45,6 +45,7 @@
# client - will try to protect just this machine
# simple - will try to protect a whole network
# closed - totally disables IP services except via lo0 interface
+# dialup - will try to protect in case of dialup internet
connection
# UNKNOWN - disables the loading of firewall rules.
# filename - will load the rules in the given filename (full path
required)
#
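Review bot: the new "dialup" entry is vaguer than its neighbours; "will try to protect in case of dialup internet connection" does not say how it differs from "client" or "simple". Suggest stating it directly, e.g. "dialup - will try to protect a small network behind a dynamically addressed (dialup) outside interface", and, since the case body below sets the interface and address variables inside rc.firewall itself, add that those variables must be edited by hand.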
@@ -279,6 +280,86 @@
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
+ ;;
+
+[Dd][Ii][Aa][Ll][Uu][Pp])
+ ########
+ # Configuration for a DialUp-Firewall
+ ########
+
+ # set these to your outside interface
+ oif="isp*"
+
+ # set these to your inside interface network and netmask and ip
+ iif="xl0"
+ iip="192.168.200.1"
+ imask="255.255.255.0"
+ inet="192.168.200.0"
+
+ # Special Rule to enable 'isp*' dialout triggering with 'ping'
+ # until it gets a valid dynamic IP-Address
+ # Remove in case of static IP-Address!
+ #${fwcmd} add allow icmp from 0.0.0.0/31 to any via ${oif}
+
+ # General Rules (TCP/UDP/ICMP)
+
+ # Stop spoofing
+ ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
+
+ # Stop RFC1918 nets on the outside interface
+ ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+ ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+ ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+
+ # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
RESERVED-1,
+ # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
+ # on the outside interface
+ ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+ ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+ ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+ ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+ ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+
+ # Allow any traffic to or from my own net, even with broadcasts.
+ ${fwcmd} add allow ip from ${inet}:${imask} to ${inet}:${imask} via
${iif}
+
+ # Rules for TCP traffic
+
+ # Allow all connections that I initiate.
+ $fwcmd add allow tcp from any to any out xmit ${oif} setup
+
+ # Examples for outside connections to some local services
+ #
+ # HTTP
+ # $fwcmd add allow tcp from any to any 80 via ${oif} setup
+ #
+ # SSH
+ # $fwcmd add allow tcp from any to any 22 via ${oif} setup
+
+ # Once connections are made, allow them to stay open.
+ $fwcmd add allow tcp from any to any via ${oif} established
+
+ # This sends a RESET to all ident packets.
+ $fwcmd add reset log tcp from any to any 113 in recv ${oif}
+
+ # Rules for UDP traffic
+
+ # Allow DNS
+ $fwcmd add allow udp from any to any 53 out xmit ${oif}
+ $fwcmd add allow udp from any 53 to any in recv ${oif}
+
+ # Allow NTP
+ $fwcmd add allow udp from any to any 123 out xmit ${oif}
+ $fwcmd add allow udp from any 123 to any in recv ${oif}
+
+ # Rules for ICMP traffic
+
+ # Allow all ICMP traffic
+ $fwcmd add allow icmp from any to any
+
+ # Disallow and log all the rest
+ $fwcmd add deny log ip from any to any
+
;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
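Review bot: the inbound UDP rules open more than DNS and NTP replies. `$fwcmd add allow udp from any 53 to any in recv ${oif}` and the matching port-123 rule accept any UDP datagram whose source port is 53 or 123 to any local port, and the source port is chosen by the sender; restrict them to the local hosts/ports that issue the queries, or replace each pair with `keep-state` on the outbound rule plus a `check-state` rule, which ipfw supports. Likewise `$fwcmd add allow icmp from any to any` permits every ICMP type on every interface, broader than the rest of the profile; narrowing it with `icmptypes` to echo, echo reply, destination unreachable and time exceeded keeps ping and traceroute working. Smaller points: `iip` is assigned but never referenced; `${fwcmd}` and `$fwcmd` are mixed within the same block, pick one; and the comment on the "Stop spoofing" rule should note that it only covers the inside net, so a packet arriving on ${oif} carrying the box's own (dynamic) address is not caught by it.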
--
***************************************************************************
* Matthias Schuendehuette msch@snafu.de *
* Solmsstrasse 44 *
* D-10961 Berlin Engineering Systems Support and Operation *
* Germany (Powered by FreeBSD 4.5-PRERELEASE) *
***************************************************************************