summaryrefslogtreecommitdiff
blob: 013400bfcf86625cb9140a22ff8584327361fbb2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/sbin/runscript
# Copyright 2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# This is a nice client firewall script which should suit most desktop users.
# We allow auth and ssh in by default.

PORTS_IN=${PORTS_IN-auth ssh}

opts="panic showstatus"

depend() {
	before net
	provide firewall
}

ipfw() {
	/sbin/ipfw -f -q "$@"
}

init() {
	# Load the kernel module
	if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>/dev/null ; then
		if ! kldload ipfw ; then
			eend 1 "Unable to load firewall module"
			return 1
		fi
	fi

	ipfw flush

	ipfw add allow all from any to any via lo0
	ipfw add allow all from any to 127.0.0.0/8
	ipfw add deny ip from 127.0.0.0/8 to any

	ipfw add allow ipv6-icmp from :: to ff02::/16
	ipfw add allow ipv6-icmp from fe80::/10 to fe80::/10
	ipfw add allow ipv6-icmp from fe80::/10 to ff02::/16
}

start() {
	local x= log=
	ebegin "Starting firewall rules"
	if ! init ; then
		eend 1 "Failed to flush firewall ruleset"
		return 1
	fi

	[ "${LOG_DENY}" = "yes" ] && log="log"

	# Use a statefull firewall
	ipfw add check-state

	# Open our configured ports
	if [ -n "${PORTS_IN}" ] ; then
		local pin=
		for x in ${PORTS_IN} ; do
		    pin="${pin}${pin:+,}${x}"
		done
		ipfw add allow tcp from any to me ${pin} established keep-state
		ipfw add allow tcp from any to me6 ${pin} established keep-state
		ipfw add allow tcp from any to me ${pin} setup keep-state
		ipfw add allow tcp from any to me6 ${pin} setup keep-state
		ipfw add allow udp from any to me ${pin} established
		ipfw add allow udp from any to me ${pin} keep-state
		ipfw add allow udp from any to me6 ${pin} established
		ipfw add allow udp from any to me6 ${pin} keep-state
	fi

	# Nice flexable rules that disallow incoming except for stuff we
	# have asked for, and allow all outgoing.
	ipfw add allow tcp from me to any established keep-state
	ipfw add allow tcp from me to any setup keep-state
	ipfw add allow tcp from me6 to any established keep-state 
	ipfw add allow tcp from me6 to any setup keep-state 
	ipfw add deny ${log} tcp from any to any
	ipfw add allow udp from me to any established 
	ipfw add allow udp from me to any keep-state
	ipfw add allow udp from me6 to any established
	ipfw add allow udp from me6 to any keep-state
	ipfw add deny ${log} udp from any to any

	# Be a good firewall and allow some ICMP traffic.
	# Remove 8 if you really want to disallow ping.
	ipfw add allow icmp from any to any icmptypes 0,3,8,11,12
	ipfw add allow ip6 from any to any proto ipv6-icmp 

	eend 0
}

stop() {
	ebegin "Stopping firewall rules"
	# We don't unload the kernel module as that action
	# can cause memory leaks as of FreeBSD 6.x
	sysctl net.inet.ip.fw.enable=0 >/dev/null
	eend $?
}

panic() {
	ebegin "Stopping firewall rules - hard"
	if ! init ; then
		eend 1 "Failed to flush firewall ruleset"
		return 1
	fi
	eend 0
}

showstatus() {
	ipfw show
}