*** etc/defaults/rc.conf.orig Tue Jan 18 18:56:08 2000 --- etc/defaults/rc.conf Wed Jan 19 16:54:01 2000 *************** *** 42,57 **** hostname="" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). dhcp_program="/sbin/dhclient" # Path to dhcp client program. dhcp_flags="" # Additional flags to pass to dhcp client. - firewall_enable="NO" # Set to YES to enable firewall functionality - firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall - firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) - firewall_quiet="NO" # Set to YES to suppress rule display - natd_program="/sbin/natd" # path to natd, if you want a different one. - natd_enable="NO" # Enable natd (if firewall_enable == YES). - natd_interface="fxp0" # Public interface or IPaddress to use. - natd_flags="" # Additional flags for natd. tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN --- 42,49 ---- *************** *** 72,80 **** # User ppp configuration. ppp_enable="NO" # Start user-ppp (or NO). ppp_mode="auto" # Choice of "auto", "ddial", "direct" or "dedicated". # For details see man page for ppp(8). Default is auto. - ppp_nat="YES" # Use PPP's internal network address translation or NO. ppp_profile="papchap" # Which profile to use from /etc/ppp/ppp.conf. ### Network daemon (miscellaneous) & NFS options: ### syslogd_enable="YES" # Run syslog daemon (or NO). 
--- 64,71 ---- *************** *** 182,189 **** --- 173,211 ---- ### Miscellaneous network options: ### icmp_bmcastecho="NO" # respond to broadcast ping packets + ############################################################################## + ### Basic Firewall Settings ************************************************** + ****************************************************************************** + firewall_type="IPF" # can be NONE, IPFW or IPF + firewall_script="/etc/rc.firewall" # script that handles all firewall options + firewall_config="/etc/firewall.conf" # path to firewall configuration file + firewall_flags="" # -q silences ipfw, -v makes ipf verbose + + ############################################################################## + ### Automatic Firewall Generation Settings ################################### + ############################################################################## + firewall_generate="NO" # Set to YES to produce new firewall_config + firewall_interface="tun0" # interface which we want to block packets on + firewall_exceptions="22/tcp 53/udp" #exceptions for those interfaces + firewall_exceptions_icmp="3 8 11" # Blank, or see + firewall_netblock="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" #Blank or networks + firewall_blocklog="YES" # Set to NO to disable logging blocked packets + + ############################################################################## + ### Basic NAT Configuration ################################################## + ############################################################################## + nat_type="NONE" # NONE, PPP, NATD, IPNAT, or path to other + nat_script="/etc/rc.nat" # script that handles all nat options + nat_config="/etc/nat.conf" # configuration information for nat + nat_flags="" # Additional flags passed to nat_path. 
+ + ############################################################################## + ### Automatic NAT Generation Settings ######################################## + ############################################################################## + nat_generate="NO" # Set to YES to produce new nat_config + nat_interface="tun0" # Public interface to use. ############################################################## ### System console options ################################# ############################################################## *************** *** 247,251 **** if [ -f $i ]; then . $i fi done - --- 269,272 ---- *** etc/rc.firewall.orig Tue Jan 18 19:59:02 2000 --- etc/rc.firewall Fri Jan 21 12:32:46 2000 *************** *** 1,7 **** ############ # Setup system for firewall service. - # $FreeBSD: src/etc/rc.firewall,v 1.28 1999/12/04 01:27:51 obrien Exp $ # Suck in the configuration variables. if [ -r /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf --- 1,6 ---- *************** *** 9,28 **** . /etc/rc.conf fi ############ - # Define the firewall type in /etc/rc.conf. Valid values are: - # open - will allow anyone in - # client - will try to protect just this machine - # simple - will try to protect a whole network - # closed - totally disables IP services except via lo0 interface - # UNKNOWN - disables the loading of firewall rules. - # filename - will load the rules in the given filename (full path required) - # - # For ``client'' and ``simple'' the entries below should be customized - # appropriately. - - ############ # # If you don't know enough about packet filtering, we suggest that you # take time to read this book: # --- 8,15 ---- *************** *** 42,223 **** # Addison-Wesley # ISBN 0-201-6337-4 # http://www.awl.com/ # ! ! if [ -n "${1}" ]; then ! firewall_type="${1}" ! fi ! ! ############ ! # Set quiet mode if requested # ! case ${firewall_quiet} in ! [Yy][Ee][Ss]) ! fwcmd="/sbin/ipfw -q" ! ;; ! *) ! fwcmd="/sbin/ipfw" ! ;; ! esac ! ! 
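Review bot: The second banner line under `### Basic Firewall Settings` is a bare run of `*` with no leading `#`, so when rc.conf is sourced at boot the shell glob-expands it against the current directory and tries to execute the result (or fails with a command-not-found); it should be `##############################################################################` like the other banners in this hunk. `firewall_type` keeps its old name but changes meaning: the previous values (`open`, `client`, `simple`, `closed`, and the old default `UNKNOWN`) are no longer recognised, and since rc.firewall's fallback branch runs any other value as a program, a comment telling existing installs to migrate this setting would help. With the new default `firewall_type="IPF"` the firewall is enabled out of the box, but `/etc/firewall.conf` only exists after `firewall_generate="YES"` has been run once, so a default boot presumably fails to load any rules. Two comments are also off: `nat_flags` refers to a `nat_path` variable that does not exist (should read `nat_type`), and the `firewall_exceptions_icmp` comment `# Blank, or see` is cut off.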
############ ! # Flush out the list before we begin. # ! ${fwcmd} -f flush ! ! ############ ! # These rules are required for using natd. All packets are passed to ! # natd before they encounter your remaining rules. The firewall rules ! # will then be run again on each packet after translation by natd, ! # minus any divert rules (see natd(8)). ! # ! case ${natd_enable} in ! [Yy][Ee][Ss]) ! if [ -n "${natd_interface}" ]; then ! ${fwcmd} add divert natd all from any to any via ${natd_interface} ! fi ! ;; ! esac ! ! ############ ! # If you just configured ipfw in the kernel as a tool to solve network ! # problems or you just want to disallow some particular kinds of traffic ! # then you will want to change the default policy to open. You can also ! # do this as your only action by setting the firewall_type to ``open''. ! # ! # ${fwcmd} add 65000 pass all from any to any ! ! ############ ! # Only in rare cases do you want to change these rules # ! ${fwcmd} add 100 pass all from any to any via lo0 ! ${fwcmd} add 200 deny all from any to 127.0.0.0/8 ! # If you're using 'options BRIDGE', uncomment the following line to pass ARP ! #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0 ! ! # Prototype setups. ! # ! case ${firewall_type} in ! [Oo][Pp][Ee][Nn]) ! ${fwcmd} add 65000 pass all from any to any ! ;; ! ! [Cc][Ll][Ii][Ee][Nn][Tt]) ! ############ ! # This is a prototype setup that will protect your system somewhat ! # against people from outside your own network. ! ############ ! ! # set these to your network and netmask and ip ! net="192.168.4.0" ! mask="255.255.255.0" ! ip="192.168.4.17" ! ! # Allow any traffic to or from my own net. ! ${fwcmd} add pass all from ${ip} to ${net}:${mask} ! ${fwcmd} add pass all from ${net}:${mask} to ${ip} ! ! # Allow TCP through if setup succeeded ! ${fwcmd} add pass tcp from any to any established ! ! # Allow IP fragments to pass through ! ${fwcmd} add pass all from any to any frag ! ! # Allow setup of incoming email ! 
${fwcmd} add pass tcp from any to ${ip} 25 setup ! ! # Allow setup of outgoing TCP connections only ! ${fwcmd} add pass tcp from ${ip} to any setup ! ! # Disallow setup of all other TCP connections ! ${fwcmd} add deny tcp from any to any setup ! ! # Allow DNS queries out in the world ! ${fwcmd} add pass udp from any 53 to ${ip} ! ${fwcmd} add pass udp from ${ip} to any 53 ! ! # Allow NTP queries out in the world ! ${fwcmd} add pass udp from any 123 to ${ip} ! ${fwcmd} add pass udp from ${ip} to any 123 ! ! # Everything else is denied by default, unless the ! # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel ! # config file. ! ;; ! ! [Ss][Ii][Mm][Pp][Ll][Ee]) ! ############ ! # This is a prototype setup for a simple firewall. Configure this ! # machine as a named server and ntp server, and point all the machines ! # on the inside at this machine for those services. ! ############ ! ! # set these to your outside interface network and netmask and ip ! oif="ed0" ! onet="192.168.4.0" ! omask="255.255.255.0" ! oip="192.168.4.17" ! ! # set these to your inside interface network and netmask and ip ! iif="ed1" ! inet="192.168.3.0" ! imask="255.255.255.0" ! iip="192.168.3.17" ! ! # Stop spoofing ! ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ! ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} ! ! # Stop RFC1918 nets on the outside interface ! ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} ! ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} ! ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} ! ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} ! ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} ! ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} ! ! # Allow TCP through if setup succeeded ! ${fwcmd} add pass tcp from any to any established ! ! # Allow IP fragments to pass through ! ${fwcmd} add pass all from any to any frag ! ! 
# Allow setup of incoming email ! ${fwcmd} add pass tcp from any to ${oip} 25 setup ! ! # Allow access to our DNS ! ${fwcmd} add pass tcp from any to ${oip} 53 setup ! ${fwcmd} add pass udp from any to ${oip} 53 ! ${fwcmd} add pass udp from ${oip} 53 to any ! ! # Allow access to our WWW ! ${fwcmd} add pass tcp from any to ${oip} 80 setup ! ! # Reject&Log all setup of incoming connections from the outside ! ${fwcmd} add deny log tcp from any to any in via ${oif} setup ! ! # Allow setup of any other TCP connection ! ${fwcmd} add pass tcp from any to any setup ! ! # Allow DNS queries out in the world ! ${fwcmd} add pass udp from any 53 to ${oip} ! ${fwcmd} add pass udp from ${oip} to any 53 ! ! # Allow NTP queries out in the world ! ${fwcmd} add pass udp from any 123 to ${oip} ! ${fwcmd} add pass udp from ${oip} to any 123 ! ! # Everything else is denied by default, unless the ! # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel ! # config file. ! ;; ! ! [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ! ;; ! *) ! if [ -r "${firewall_type}" ]; then ! ${fwcmd} ${firewall_type} ! fi ;; esac --- 29,151 ---- # Addison-Wesley # ISBN 0-201-6337-4 # http://www.awl.com/ # ! # For information on building ipf based firewalls, read: # ! # http://www.obfuscation.org/ipf/ # ! # For information on building ipfw based firewalls, read: # ! # http://www.freebsd.org/handbook/firewalls.html ! case ${firewall_blocklog} in ! [Yy][Ee][Ss]) ! 
fwlog="log"; ;; + esac + + case ${firewall_generate} in + [Yy][Ee][Ss]) + echo "Generating ${firewall_config}" + if [ -f ${firewall_config} ] ; then + mv ${firewall_config} ${firewall_config}.old + firewall_config_moved=1 + fi + case ${firewall_type} in # Create syntax translation table + [Ii][Pp][Ff][Ww]) + firewall_ipfnull="#" + ;; + [Ii][Pp][Ff]) + firewall_ipfwnull="#" + ;; + *) + echo "Unknown firewall_type: ${firewall_type}" + if [ "${firewall_config_moved}" ] + then mv ${firewall_config}.old ${firewall_config} + fi + ;; + esac + + #Generate actual rule list + if [ -n "$firewall_ipfnull$firewall_ipfwnull" ]; then + for i in ${firewall_netblock}; do + echo "$firewall_ipfwnull add deny ${fwlog} all from $i to any via ${firewall_interface}" >> ${firewall_config} + echo "$firewall_ipfnull block in ${fwlog} quick on ${firewall_interface} proto ip from $i to any" >> ${firewall_config} + done + + for i in $firewall_exceptions; do + fwport="`echo $i | awk -F / '{print $1}'`" + fwproto="`echo $i | awk -F / '{print $2}'`" + echo "$firewall_ipfwnull add pass all $fwproto from any to any $fwport via ${firewall_interface}" >> ${firewall_config} + echo "$firewall_ipfnull pass out quick on ${firewall_interface} proto $fwproto from any to any port = $fwport " >> ${firewall_config} + done + + for i in ${firewall_exceptions_icmp}; do + echo "$firewall_ipfwnull add pass all icmp $i from any to any via ${firewall_interface}" >> ${firewall_config} + echo "$firewall_ipfnull pass in quick on ${firewall_interface} proto icmp from any to any icmp-type $i" >> ${firewall_config} + done + + #ipfw pass out all traffic, lets syn/ack/rst types back + echo "$firewall_ipfwnull add pass all from any to any out xmit ${firewall_interface}" >> ${firewall_config} + echo "$firewall_ipfwnull add pass all from any to any in recv ${firewall_interface} setup" >> ${firewall_config} + echo "$firewall_ipfwnull add pass all from any to any in recv ${firewall_interface} established" >> ${firewall_config} + 
#ipf passes out all traffic with state, comes back ok + echo "$firewall_ipfnull pass out quick on ${firewall_interface} proto tcp/udp from any to any keep state" >> ${firewall_config} + echo "$firewall_ipfnull pass out quick on ${firewall_interface} proto icmp from any to any keep state" >> ${firewall_config} + + #Deny everything else on firewall_interface + echo "$firewall_ipfwnull add deny ${fwlog} all from any to any recv ${firewall_interface}" >> ${firewall_config} + echo "$firewall_ipfnull block in ${fwlog} quick on ${firewall_interface} all" >> ${firewall_config} + + #Let everything else in/out + echo "$firewall_ipfwnull add pass all from any to any" >> ${firewall_config} + echo "$firewall_ipfnull pass in quick all" >> ${firewall_config} + echo "$firewall_ipfnull pass out quick all" >> ${firewall_config} + + fi #otherwise we don't want to overwrite firewall_config + #no unroutable subnets first + ;; + + + esac + case ${firewall_type} in + ############################################################################## + ### IPFW ##################################################################### + ############################################################################## + [Ii][Pp][Ff][Ww]) + + #Things to setup before running the real rule list + fwcmd="/sbin/ipfw ${firewall_flags}" + + # Flush out the list before we begin. + ${fwcmd} -f flush + + # These rules are required for using natd. All + # packets are passed to natd before they encounter + # your remaining rules. The firewall rules will then + # be run again on each packet after translation by + # natd, minus any divert rules (see natd(8)). 
+ # + case ${nat_type} in + [Nn][Aa][Tt][Dd]) + if [ -n "${nat_interface}" ]; then + ${fwcmd} add divert natd all from any to any via ${nat_interface} + fi + ;; + esac + + ${fwcmd} ${firewall_flags} ${firewall_config} + ;; + + [Ii][Pp][Ff]) + ############################################################################## + ### IPF ###################################################################### + ############################################################################## + /sbin/ipf ${firewall_flags} -f ${firewall_config} + /usr/sbin/ipmon -s & + ;; + *) #Unknown filter program, run as is with firewall_flags + echo -n " `basename ${firewall_type}`" + ${firewall_type} ${firewall_flags} + ;; esac *** etc/rc.nat.orig Wed Jan 19 17:17:34 2000 --- etc/rc.nat Thu Jan 20 00:13:10 2000 *************** *** 0 **** --- 1,59 ---- + ############ + # Setup system for nat service. + + # Suck in the configuration variables. + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi + + case ${nat_generate} in + [Yy][Ee][Ss]) + echo "Generating ${nat_config}" + if [ -f ${nat_config} ] + then mv ${nat_config} ${nat_config}.old + nat_config_moved=1 + fi + case ${nat_type} in + + [Nn][Aa][Tt][Dd]) + echo "interface ${nat_interface}" > ${nat_config} + ;; + + [Ii][Pp][Nn][Aa][Tt]) + echo "map ${nat_interface} 0/0 -> 0/32 proxy port 21 ftp/tcp" >> ${nat_config} # requires ipf 3.3.3 or later! 
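Review bot: The generated ipfw rule `add pass all from any to any in recv ${firewall_interface} setup` admits every inbound TCP connection request on the public interface before the later deny rule, which makes `firewall_exceptions` meaningless for ipfw; only the `established` line after it matches the comment's intent, so the `setup` line should be dropped (and `all … setup`, `all $fwproto …` and `all icmp $i …` look like invalid ipfw syntax, where the protocol name takes the place of `all`). For ipf the exception rule is written as `pass out quick … port = $fwport`, so a listed service such as `22/tcp` is never opened inbound; it should read `pass in quick on ${firewall_interface} proto $fwproto from any to any port = $fwport`, matching the ICMP exception rule next to it. The `*)` branch runs `${firewall_type} ${firewall_flags}` as a command, so any legacy value of this variable (`open`, `client`, `simple`, `closed`, the old default `UNKNOWN`) is executed rather than rejected; guarding it with `[ -x "${firewall_type}" ]` and an error message otherwise would be safer. The unconditional loopback rules the old script applied (`add 100 pass all from any to any via lo0`, `add 200 deny all from any to 127.0.0.0/8`) are not carried into the generated ruleset, and `firewall_flags` is passed twice on the ipfw load line because `fwcmd` already contains it.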
+ echo "map ${nat_interface} 0/0 -> 0/32" >> ${nat_config} + ;; + + *) + echo "Unknown nat_type: ${nat_type}" + if [ "${nat_config_moved}" ] + then mv ${nat_config}.old ${nat_config} + fi + ;; + esac + ;; + esac + + case ${nat_type} in + [Nn][Aa][Tt][Dd) + echo -n ' natd'; + /sbin/natd ${nat_flags} -f ${nat_config} + ;; + + [Ii][Pp][Nn][Aa][Tt]) + echo -n ' ipnat'; + /usr/sbin/ipnat ${nat_flags} -f ${nat_config} + ;; + [Pp][Pp][Pp]) + # Do nothing + ;; + [Nn][Oo][Nn][Ee]) + # Do nothing + ;; + *) #Unknown nat program, run as is with nat_flags + echo -n " `basename ${nat_type}`" + ${nat_type} ${nat_flags} + ;; + esac *** etc/rc.network.orig Tue Jan 18 19:57:05 2000 --- etc/rc.network Thu Jan 20 00:27:57 2000 *************** *** 1,7 **** #!/bin/sh - # - # $FreeBSD: src/etc/rc.network,v 1.69 2000/01/15 14:28:05 green Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file --- 1,6 ---- *************** *** 137,145 **** ifconfig ${ifn} fi done ! # Warm up user ppp if required, must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. --- 136,144 ---- ifconfig ${ifn} fi done ! # Warm up user ppp if required, must happen before nat. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. *************** *** 153,162 **** ppp_command="-${ppp_mode} "; # Switch on alias mode? # ! case ${ppp_nat} in ! [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat"; ;; esac --- 152,161 ---- ppp_command="-${ppp_mode} "; # Switch on alias mode? # ! case ${nat_type} in ! [Pp][Pp][Pp]) ppp_command="${ppp_command} -nat"; ;; esac *************** *** 192,219 **** if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi ! case ${firewall_enable} in ! [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' ! 
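Review bot: The pattern `[Nn][Aa][Tt][Dd)` in the start-up `case` is missing its closing `]`, so `nat_type="NATD"` never matches this arm and falls through to `*)`, which tries to execute a program called `NATD` instead of starting natd; it should be `[Nn][Aa][Tt][Dd])` as in the generation `case` above it. The same unterminated bracket appears twice as `[Nn][Oo][Nn][Ee)` in the rc.network 192,219 hunk, where it stops `NONE` from matching for both `firewall_type` and `nat_type`. The `*)` fallback runs `${nat_type} ${nat_flags}` as a command for any unrecognised value, so a typo in rc.conf becomes an arbitrary command run at boot; checking `[ -x "${nat_type}" ]` first and printing an error otherwise would be safer. As a consistency nit, the ipnat branch opens `${nat_config}` with `>>` while the natd branch uses `>`; both work because the old file was just moved aside, but `>` states the intent.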
# Network Address Translation daemon # ! case ${natd_enable} in ! [Yy][Ee][Ss]) ! if [ -n "${natd_interface}" ]; then ! if echo ${natd_interface} | \ ! grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then ! natd_ifarg="-a ${natd_interface}" ! else ! natd_ifarg="-n ${natd_interface}" ! fi ! ! echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} ! fi ;; esac echo '.' --- 191,217 ---- if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi ! case ${firewall_type} in ! [Nn][Oo][Nn][Ee) ! #do nothing ! ;; ! *) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' ! # Network Address Translation # ! case "${nat_type}" in ! [Nn][Oo][Nn][Ee) ! #do nothing ! ;; ! ! *) ! . "${nat_script}" ! echo -n " NAT rules loaded" ;; esac echo '.'
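Review bot: `. "${nat_script}"` is sourced without the readability check and empty-value default that `firewall_script` gets a few lines above, so an unset or missing `nat_script` produces a shell error mid-boot; mirror the firewall handling with `if [ -r "${nat_script}" ]; then . "${nat_script}"; fi` and a `nat_script=/etc/rc.nat` fallback. The retained message `echo -n 'Firewall rules loaded, starting divert daemons:'` is now stale, since daemon start-up moved into rc.nat and runs for any `nat_type` other than NONE. With the new default `firewall_type="IPF"` this branch sources rc.firewall on every boot, where the old `firewall_enable="NO"` default kept the firewall off; that behaviour change deserves a comment here. The enclosing `case` and its `esac` continue past the end of the hunk.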