Date:      Sun, 23 Oct 2005 10:44:22 -0500
From:      Eric F Crist <ecrist@secure-computing.net>
To:        free bsd questions <freebsd-questions@freebsd.org>
Subject:   RFC: my firewall ruleset(s)
Message-ID:  <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net>


--Apple-Mail-1--696276356
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

Hey all.  I'm relatively new to shell scripting and I'm looking for  
some comments on my firewall script.

Comments on either the ipfw rules themselves or on my lack of scripting  
ability would be appreciated.

Thanks.


--Apple-Mail-1--696276356
Content-Transfer-Encoding: 7bit
Content-Type: application/octet-stream; x-unix-mode=0644; name="nerp.firewall"
Content-Disposition: attachment;
	filename=nerp.firewall

#!/bin/sh -x

## This is a generic shell script for firewall initialization.
## Created 1/2/2005 15:52 By Eric Crist
## Support/Input from Edward McCabe

################# INSTRUCTIONS #####################
# This firewall script will look for the following #
# variables in your /etc/rc.conf file.  If these   #
# are not found, the defaults are listed in square #
# brackets here.  If there is a *, the script will #
# fail.						   #
###################################################
# grog_firewall_enable		Enable this firewall?
# grog_firewall_oif		Outside interface
# grog_firewall_iif		Inside interface
# grog_firewall_oif_network	Network/Netmask of outside interface (written as 0.0.0.0/8)
# grog_firewall_iif_network	Network/Netmask of inside interface (written as 0.0.0.0/8)
# grog_firewall_type		What type of firewall to configure?

## Pull the grog_firewall_* settings described above out of rc.conf.
. /etc/rc.conf

## The ipfw binary every rule below is installed through.
fwcmd="/sbin/ipfw"

## Rule-number bases.  The generic set advances rulenum1 by 50 per rule;
## rulenum2-4 are reserved and not referenced by the rules in this file.
rulenum1=50	## Generic allow rules
rulenum2=10000	## 2nd level allow rules
rulenum3=20000	## 3rd level allow rules
rulenum4=30000	## Deny rulesets

## Generic ruleset functions

setup_open_firewall () {
	## Wipe every rule and install a single pass-all rule at ${rulenum1}.
	## Globals: fwcmd, rulenum1 (both read; the counter is not advanced)
	## Returns: always 0, regardless of what ipfw itself returned
	"${fwcmd}" -f flush
	"${fwcmd}" add "${rulenum1}" allow all from any to any
	return 0
}

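setup_ntp () {
	## Permit NTP: UDP with both source and destination port 123.
	## Note that this matches any UDP datagram carrying those two ports,
	## from any peer, not only the configured time servers.
	## Globals: fwcmd (read), rulenum1 (read, then advanced by 50)
	${fwcmd} add "${rulenum1}" allow udp from any 123 to any 123
	rulenum1=$((rulenum1 + 50))
}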

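setup_loopback () {
	## Pass everything on the loopback interface, then refuse 127/8 as a
	## destination or a source on any other path (spoofed loopback traffic).
	## Globals: fwcmd (read), rulenum1 (read, advanced by 50 per rule)
	${fwcmd} add "${rulenum1}" pass all from any to any via lo0
	rulenum1=$((rulenum1 + 50))
	${fwcmd} add "${rulenum1}" deny all from any to 127.0.0.0/8
	rulenum1=$((rulenum1 + 50))
	${fwcmd} add "${rulenum1}" deny ip from 127.0.0.0/8 to any
	rulenum1=$((rulenum1 + 50))
}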

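setup_keepstate () {
	## Install the check-state hook plus the two keep-state rules that
	## create dynamic entries for TCP sessions opened ('setup') from the
	## outside and the inside network.  Every rule gets its own number;
	## ipfw evaluates them in the same order either way.
	## Globals: fwcmd (read), rulenum1 (read, advanced by 50 per rule),
	##          grog_firewall_oif_network, grog_firewall_iif_network (read;
	##          required - the function aborts if either is unset or empty
	##          instead of handing ipfw a rule with a missing address)
	## NOTE(review): the first keep-state rule lets any host on the outside
	## network open TCP sessions to anywhere, including this host; confirm
	## that is the intended level of trust for grog_firewall_oif_network.
	: "${grog_firewall_oif_network:?must be set in /etc/rc.conf}"
	: "${grog_firewall_iif_network:?must be set in /etc/rc.conf}"
	${fwcmd} add "${rulenum1}" check-state
	rulenum1=$((rulenum1 + 50))
	${fwcmd} add "${rulenum1}" allow tcp from "${grog_firewall_oif_network}" to any setup keep-state
	rulenum1=$((rulenum1 + 50))
	${fwcmd} add "${rulenum1}" allow tcp from "${grog_firewall_iif_network}" to any setup keep-state
	rulenum1=$((rulenum1 + 50))
}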

## BEGIN FIREWALL CONFIGURATION ##

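## add_rule RULE...
## Installs RULE at the current ${rulenum1} and then advances the counter
## by 50, so every rule added through it gets a distinct, increasing
## number and the increment cannot be mistyped on individual lines.
## Globals:   fwcmd (read), rulenum1 (read, then written)
## Arguments: the ipfw rule body (action, protocol, addresses, options)
add_rule () {
	${fwcmd} add "${rulenum1}" "$@"
	rulenum1=$((rulenum1 + 50))
}

if [ "$grog_firewall_enable" = "YES" ]; then

	echo "Initializing firewall ruleset for $(hostname), of type ${grog_firewall_type}."

	case "$grog_firewall_type" in
	[Gg][Rr][Oo][Gg])
		## Begin Eric's ruleset.
		## These settings are required by the rules below; stop with a
		## message rather than handing ipfw half-formed rules when one is
		## missing from rc.conf.
		: "${grog_firewall_oif:?must be set in /etc/rc.conf}"
		: "${grog_firewall_iif:?must be set in /etc/rc.conf}"
		: "${grog_firewall_oif_network:?must be set in /etc/rc.conf}"
		: "${grog_firewall_iif_network:?must be set in /etc/rc.conf}"

		## First, flush the current rules.
		${fwcmd} -f flush
		## Set up the public, internet side first.
		setup_loopback
		setup_keepstate
		setup_ntp
		## 'established' matches on TCP flags (ACK or RST set), not on
		## tracked state, so any ACK-flagged segment reaches every port on
		## this host; tracked sessions are covered by the check-state rule
		## that setup_keepstate installs.
		add_rule allow ip from any to me established
		add_rule allow ip from me to any			## Allow all traffic out
		## NOTE(review): ipfw documents port lists for tcp/udp; confirm that
		## 'ip ... <port>' is accepted and matches as intended for the
		## per-service rules below.
		add_rule allow ip from any to me 774			## SSH on port 774
		add_rule allow ip from any to me 80			## HTTP on port 80
		add_rule allow ip from any to me 443			## HTTPS on port 443
		add_rule allow ip from any to me 110			## POP3 on port 110
		add_rule allow ip from any to me 995			## POP3S on port 995
		add_rule allow ip from any to me 25			## SMTP on port 25
		add_rule allow ip from any to me 53			## BIND tcp 53
		add_rule allow ip from any to me 81			## Usermin
		add_rule allow ip from any to me 82			## Webmin
		add_rule allow udp from any 53 to me			## BIND udp 53
		add_rule allow udp from me to any
		add_rule allow ip from any to me 20-21			## FTP on ports 20, 21
		## Keep NetBIOS off the outside interface in both directions.
		## ipfw stops at the first match, and 'from me to any' above
		## already passed outbound traffic that originates here, so the
		## outbound deny only catches forwarded packets.
		add_rule deny ip from any 138-139 to any out via "$grog_firewall_oif"
		add_rule deny ip from any to me 138-139 in via "$grog_firewall_oif"

		## No traffic from the web in to the local network.
		add_rule deny all from any to "$grog_firewall_iif_network" in via "$grog_firewall_oif"

		## Now set up the internal, non-public interface(s).
		add_rule allow ip from "$grog_firewall_iif_network" to me in via "$grog_firewall_iif"	## Allow all traffic
		add_rule allow ip from me to "$grog_firewall_iif_network" out via "$grog_firewall_iif"

		## Time to allow all traffic from/to our own public network.
		add_rule allow ip from "$grog_firewall_oif_network" to me
		add_rule allow ip from me to "$grog_firewall_oif_network"
		;;
	[Ee][Uu][Aa])
		setup_open_firewall
		;;
	*)
		## Refuse an unrecognised type rather than reporting success
		## while whatever rules were already loaded stay in place.
		echo "Unknown grog_firewall_type '${grog_firewall_type}'; existing rules left unchanged." >&2
		exit 1
		;;
	esac

	echo "Initialization of firewall complete at $(date)."
	exit 0

elif [ "$grog_firewall_enable" = "NO" ]; then
	echo "Firewall for $(hostname) currently disabled by configuration:"
	## grep reads the file directly; no pager is needed in a pipeline.
	grep grog_firewall_enable /etc/rc.conf
	echo "Creating OPEN ruleset:"
	setup_open_firewall
	exit 0

else
	echo "Configuration Error" >&2
	exit 1
fi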


--Apple-Mail-1--696276356
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed



_______________________________________________________
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson


--Apple-Mail-1--696276356--


