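#!/bin/sh
# Based on an example Copyright (c) 1996 Poul-Henning Kamp,
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.16 2003/02/10 05:45:06 trhodes Exp $
#
#
# Setup system for firewall service for a DHCP client, before it makes
# contact with a DHCP server.
#
# Usage: <script> [-t] [firewall_type]
#   -t   test mode: print the ipfw(8) commands instead of running them,
#        and read rc.conf from the current directory instead of /etc.
#
# Policy loaded by this script, in order: loopback only via lo0, no IP
# options (record-route / timestamp / source-route), no fragments, a small
# set of ICMP types, just enough UDP for a DHCP client, and a final
# deny+log for everything else.
#

dir="/etc"

# Print a one-line usage message on stderr (exit status is left to the caller).
usage() {
	echo "usage: $0 [-t] [firewall_type]" >&2
}

# Get command-line arguments first
while getopts "t" flag
do
	case "$flag" in
	t)
		# test mode
		# NOTE(review): -t also makes the rc.conf lookup below read
		# ./defaults/rc.conf or ./rc.conf from the current working
		# directory, i.e. it executes whatever shell code is found
		# there -- only run -t from a directory you trust.
		firewall_test="YES"
		dir="."
		;;
	*)
		# error; usage message and exit
		usage
		exit 1
		;;
	esac
done
shift $(($OPTIND - 1))

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r "${dir}/defaults/rc.conf" ]; then
		. "${dir}/defaults/rc.conf"
		source_rc_confs
	elif [ -r "${dir}/rc.conf" ]; then
		. "${dir}/rc.conf"
	fi
fi

# An optional positional argument overrides firewall_type from rc.conf.
# Nothing below reads it; presumably it is accepted for compatibility with
# the rc.firewall calling convention -- confirm before removing.
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case "${firewall_quiet}" in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

# Set test mode if requested
if [ "x$firewall_test" = "xYES" ]; then
	echo "Test mode"
	fwcmd="echo ${fwcmd}"
fi

# ${fwcmd} is deliberately left unquoted everywhere below: it may hold
# "/sbin/ipfw -q" or "echo /sbin/ipfw" and must word-split into a command
# plus arguments.

bcast="255.255.255.255"

# Trust lo0, and drop anything on any other interface that is addressed to
# or claims to come from 127/8 (such packets are spoofed).
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

############
# Flush out the list before we begin.
#
# NOTE(review): between this flush and the rules below the kernel's
# default policy applies; with IPFIREWALL_DEFAULT_TO_ACCEPT the host is
# briefly unfiltered.
${fwcmd} -f flush

setup_loopback

# Block packets with IP options set: record-route, timestamp, strict and
# loose source routing.  Source-routed packets can bypass routing policy.
${fwcmd} add deny log ip from any to any ipoptions rr
${fwcmd} add deny log ip from any to any ipoptions ts
${fwcmd} add deny log ip from any to any ipoptions ssrr
${fwcmd} add deny log ip from any to any ipoptions lsrr

# Block fragments (all of them; nothing this host needs during the DHCP
# phase should arrive fragmented).
${fwcmd} add deny log all from any to any frag

# Allow selected ICMP traffic: 0 echo-reply, 3 unreachable, 4 source-quench,
# 8 echo-request, 11 time-exceeded, 12 parameter-problem.
# NOTE(review): type 8 means the host answers pings from anywhere; type 4
# is obsolete (RFC 6633).  Drop either from the list if not wanted.
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12

# Permit us to broadcast DHCP traffic, but don't listen to any
# broadcasts, and don't send any other broadcasts.
# Only the unconfigured address (0.0.0.0) may broadcast to the server
# port; once a lease is held, renewals are unicast and use the rule below.
${fwcmd} add pass udp from 0.0.0.0/32 68 to ${bcast} 67 keep-state
${fwcmd} add deny all from any to ${bcast}
${fwcmd} add deny all from ${bcast} to any

# Allow DHCP unicasts (for renewals, &c).
# NOTE(review): this matches only on the sender's source port, which any
# host can choose, so it effectively exposes UDP/68 on this machine to the
# whole network.  The exposure is bounded by whatever listens on port 68.
${fwcmd} add pass udp from any 67 to any 68 in keep-state

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
# But we add a "deny/log" for everything anyway, to log them (and so the
# policy does not depend on the kernel option).  Logging every drop is
# subject to ipfw's log rate limit (presumably net.inet.ip.fw.verbose_limit
# -- confirm for your release); make sure it is not unlimited on a noisy
# network.
${fwcmd} add deny log all from any to any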