Date: Mon, 23 Nov 2009 00:39:35 +0900 From: Hajimu UMEMOTO <ume@FreeBSD.org> To: net@FreeBSD.org, current@FreeBSD.org Subject: [CFR] unified rc.firewall Message-ID: <ygeljhyk1qg.wl%ume@mahoroba.org>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Hi,
The ipfw and ip6fw were unified into ipfw2, now. But, we still have
rc.firewall and rc.firewall6. However, there are conflicts with each
other, and it confuses the users, IMHO.
So, I made a patch to unify rc.firewall and rc.firewall6, and obsolete
rc.firewall6 and rc.d/ip6fw.
Please review the attached patch. If there is no objection, I'll
commit it in next weekend.
Sincerely,
[-- Attachment #2 --]
Index: etc/Makefile
diff -u etc/Makefile.orig etc/Makefile
--- etc/Makefile.orig 2009-10-25 10:10:29.000000000 +0900
+++ etc/Makefile 2009-11-22 22:07:19.840275808 +0900
@@ -15,7 +15,7 @@
inetd.conf libalias.conf login.access login.conf mac.conf motd \
netconfig network.subr networks newsyslog.conf nsswitch.conf \
phones profile protocols \
- rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \
+ rc rc.bsdextended rc.firewall rc.initdiskless \
rc.sendmail rc.shutdown \
rc.subr remote rpc services shells \
sysctl.conf syslog.conf \
Index: etc/defaults/rc.conf
diff -u etc/defaults/rc.conf.orig etc/defaults/rc.conf
--- etc/defaults/rc.conf.orig 2009-10-25 10:10:29.000000000 +0900
+++ etc/defaults/rc.conf 2009-11-22 21:25:22.343296205 +0900
@@ -118,7 +118,10 @@
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
-firewall_client_net="192.0.2.0/24" # Network address for "client" firewall.
+firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
+ # firewall.
+#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
+ # "client" firewall.
firewall_simple_iif="ed1" # Inside network interface for "simple"
# firewall.
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
@@ -127,12 +130,22 @@
# firewall.
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
# firewall.
+#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple"
+ # firewall.
+#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix
+ # for "simple" firewall.
+#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple"
+ # firewall.
+#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
+ # for "simple" firewall.
firewall_myservices="" # List of TCP ports on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"
# firewall.
-firewall_trusted="" # List of IPs which have full access to this
+firewall_trusted="" # List of IPv4s which have full access to this
+ # host for "workstation" firewall.
+firewall_trusted_ipv6="" # List of IPv6s which have full access to this
# host for "workstation" firewall.
firewall_logdeny="NO" # Set to YES to log default denied incoming
# packets for "workstation" firewall.
@@ -470,13 +483,18 @@
# faithd(8) setup.
ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr
# communication. (like ::ffff:a.b.c.d)
-ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall
- # functionality
-ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
-ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6)
-ipv6_firewall_quiet="NO" # Set to YES to suppress rule display
-ipv6_firewall_logging="NO" # Set to YES to enable events logging
-ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file
+#ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall
+ # functionality (DEPRECAED)
+#ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the
+ # IPv6 firewall (DEPRECAED)
+#ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6)
+ # (DEPRECAED)
+#ipv6_firewall_quiet="NO" # Set to YES to suppress rule display
+ # (DEPRECAED)
+#ipv6_firewall_logging="NO" # Set to YES to enable events logging
+ # (DEPRECAED)
+#ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file
+ # (DEPRECAED)
ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules
# for examples
Index: etc/rc.d/Makefile
diff -u etc/rc.d/Makefile.orig etc/rc.d/Makefile
--- etc/rc.d/Makefile.orig 2009-10-25 10:10:29.000000000 +0900
+++ etc/rc.d/Makefile 2009-11-22 20:42:16.398311126 +0900
@@ -15,7 +15,7 @@
hcsecd \
hostapd hostid hostid_save hostname \
inetd initrandom \
- ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \
+ ip6addrctl ipfilter ipfs ipfw ipmon \
ipnat ipsec ipxrouted \
jail \
kadmind kerberos keyserv kldxref kpasswdd \
Index: etc/rc.d/ipfw
diff -u etc/rc.d/ipfw.orig etc/rc.d/ipfw
--- etc/rc.d/ipfw.orig 2009-11-22 20:43:59.000000000 +0900
+++ etc/rc.d/ipfw 2009-11-22 20:46:17.663938405 +0900
@@ -61,7 +61,13 @@
# Enable the firewall
#
if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
- warn "failed to enable firewall"
+ warn "failed to enable IPv4 firewall"
+ fi
+ if ifconfig lo0 inet6 >/dev/null 2>&1; then
+ if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
+ then
+ warn "failed to enable IPv6 firewall"
+ fi
fi
}
@@ -70,6 +76,9 @@
# Disable the firewall
#
${SYSCTL_W} net.inet.ip.fw.enable=0
+ if ifconfig lo0 inet6 >/dev/null 2>&1; then
+ ${SYSCTL_W} net.inet6.ip6.fw.enable=0
+ fi
if [ -f /etc/rc.d/natd ] ; then
/etc/rc.d/natd quietstop
fi
Index: etc/rc.firewall
diff -u etc/rc.firewall.orig etc/rc.firewall
--- etc/rc.firewall.orig 2009-10-25 10:10:29.000000000 +0900
+++ etc/rc.firewall 2009-11-22 23:44:43.101805845 +0900
@@ -40,6 +40,27 @@
fi
fi
+# afexists af
+# Returns 0 if the address family is enabled in the kernel
+# 1 otherwise.
+afexists()
+{
+ local _af
+ _af=$1
+
+ case ${_af} in
+ inet)
+ sysctl -n net.inet > /dev/null 2>&1
+ ;;
+ inet6)
+ sysctl -n net.inet6 > /dev/null 2>&1
+ ;;
+ *)
+ err 1 "afexists(): Unsupported address family: $_af"
+ ;;
+ esac
+}
+
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - will allow anyone in
@@ -85,6 +106,32 @@
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+ if afexists inet6; then
+ ${fwcmd} add 400 deny ip6 from any to ::1
+ ${fwcmd} add 500 deny ip6 from ::1 to any
+ fi
+}
+
+setup_ipv6_mandatory () {
+ afexists inet6 || return 0
+
+ ############
+ # Only in rare cases do you want to change these rules
+ #
+ # ND
+ #
+ # DAD
+ ${fwcmd} add pass ip6 from :: to ff02::/16 proto ipv6-icmp
+ # RS, RA, NS, NA, redirect...
+ ${fwcmd} add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+ ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
+
+ # Allow ICMPv6 destination unreach
+ ${fwcmd} add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ${fwcmd} add pass ip6 from any to any icmp6types 2,135,136 \
+ proto ipv6-icmp
}
if [ -n "${1}" ]; then
@@ -109,6 +156,7 @@
${fwcmd} -f flush
setup_loopback
+setup_ipv6_mandatory
############
# Network Address Translation. All packets are passed to natd(8)
@@ -166,11 +214,13 @@
# against people from outside your own network.
#
# Configuration:
- # firewall_client_net: Network address of local network.
+ # firewall_client_net: Network address of local IPv4 network.
+ # firewall_client_net_ipv6: Network address of local IPv6 network.
############
# set this to your local network
net="$firewall_client_net"
+ net6="$firewall_client_net_ipv6"
# Allow limited broadcast traffic from my own net.
${fwcmd} add pass all from ${net} to 255.255.255.255
@@ -178,6 +228,16 @@
# Allow any traffic to or from my own net.
${fwcmd} add pass all from me to ${net}
${fwcmd} add pass all from ${net} to me
+ if [ -n "$net6" ]; then
+ ${fwcmd} add pass ip6 from me6 to ${net6}
+ ${fwcmd} add pass ip6 from ${net6} to me6
+ fi
+
+ if [ -n "$net6" ]; then
+ # Allow any link-local multicast traffic
+ ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
+ ${fwcmd} add pass ip6 from ${net6} to ff02::/16
+ fi
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
@@ -212,23 +272,35 @@
# on the inside at this machine for those services.
#
# Configuration:
- # firewall_simple_iif: Inside network interface.
- # firewall_simple_inet: Inside network address.
- # firewall_simple_oif: Outside network interface.
- # firewall_simple_onet: Outside network address.
+ # firewall_simple_iif: Inside IPv4 network interface.
+ # firewall_simple_inet: Inside IPv4 network address.
+ # firewall_simple_oif: Outside IPv4 network interface.
+ # firewall_simple_onet: Outside IPv4 network address.
+ # firewall_simple_iif_ipv6: Inside IPv6 network interface.
+ # firewall_simple_inet_ipv6: Inside IPv6 network prefix.
+ # firewall_simple_oif_ipv6: Outside IPv6 network interface.
+ # firewall_simple_onet_ipv6: Outside IPv6 network prefix.
############
# set these to your outside interface network
oif="$firewall_simple_oif"
onet="$firewall_simple_onet"
+ oif6="$firewall_simple_oif_ipv6"
+ onet6="$firewall_simple_onet_ipv6"
# set these to your inside interface network
iif="$firewall_simple_iif"
inet="$firewall_simple_inet"
+ iif6="$firewall_simple_iif_ipv6"
+ inet6="$firewall_simple_inet_ipv6"
# Stop spoofing
${fwcmd} add deny all from ${inet} to any in via ${oif}
${fwcmd} add deny all from ${onet} to any in via ${iif}
+ if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
+ ${fwcmd} add deny ip6 from ${inet6} to any in via ${oif6}
+ ${fwcmd} add deny ip6 from ${onet6} to any in via ${iif6}
+ fi
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
@@ -254,7 +326,7 @@
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ ${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
fi
;;
esac
@@ -273,6 +345,55 @@
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+ if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
+ # Stop unique local unicast address on the outside interface
+ ${fwcmd} add deny ip6 from fc00::/7 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to fc00::/7 via ${oif6}
+
+ # Stop site-local on the outside interface
+ ${fwcmd} add deny ip6 from fec0::/10 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to fec0::/10 via ${oif6}
+
+ # Disallow "internal" addresses to appear on the wire.
+ ${fwcmd} add deny ip6 from ::ffff:0.0.0.0/96 to any \
+ via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::ffff:0.0.0.0/96 \
+ via ${oif6}
+
+ # Disallow packets to malicious IPv4 compatible prefix.
+ ${fwcmd} add deny ip6 from ::224.0.0.0/100 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::224.0.0.0/100 via ${oif6}
+ ${fwcmd} add deny ip6 from ::127.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::127.0.0.0/104 via ${oif6}
+ ${fwcmd} add deny ip6 from ::0.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::0.0.0.0/104 via ${oif6}
+ ${fwcmd} add deny ip6 from ::255.0.0.0/104 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::255.0.0.0/104 via ${oif6}
+
+ ${fwcmd} add deny ip6 from ::0.0.0.0/96 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ::0.0.0.0/96 via ${oif6}
+
+ # Disallow packets to malicious 6to4 prefix.
+ ${fwcmd} add deny ip6 from 2002:e000::/20 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:e000::/20 via ${oif6}
+ ${fwcmd} add deny ip6 from 2002:7f00::/24 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:7f00::/24 via ${oif6}
+ ${fwcmd} add deny ip6 from 2002:0000::/24 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:0000::/24 via ${oif6}
+ ${fwcmd} add deny ip6 from 2002:ff00::/24 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:ff00::/24 via ${oif6}
+
+ ${fwcmd} add deny ip6 from 2002:0a00::/24 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:0a00::/24 via ${oif6}
+ ${fwcmd} add deny ip6 from 2002:ac10::/28 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:ac10::/28 via ${oif6}
+ ${fwcmd} add deny ip6 from 2002:c0a8::/32 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to 2002:c0a8::/32 via ${oif6}
+
+ ${fwcmd} add deny ip6 from ff05::/16 to any via ${oif6}
+ ${fwcmd} add deny ip6 from any to ff05::/16 via ${oif6}
+ fi
+
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
@@ -291,7 +412,11 @@
${fwcmd} add pass tcp from any to me 80 setup
# Reject&Log all setup of incoming connections from the outside
- ${fwcmd} add deny log tcp from any to any in via ${oif} setup
+ ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
+ if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
+ ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
+ setup proto tcp
+ fi
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
@@ -313,7 +438,7 @@
# offers services.
# firewall_allowservices: List of IPs which has access to
# $firewall_myservices.
- # firewall_trusted: List of IPs which has full access
+ # firewall_trusted: List of IPv4s which has full access
# to this host. Be very carefull
# when setting this. This option can
# seriously degrade the level of
@@ -324,17 +449,31 @@
# firewall_nologports: List of TCP/UDP ports for which
# denied incomming packets are not
# logged.
-
+ # firewall_trusted_ipv6: List of IPv6s which has full access
+ # to this host. Be very carefull
+ # when setting this. This option can
+ # seriously degrade the level of
+ # protection provided by the firewall.
+
# Allow packets for which a state has been built.
${fwcmd} add check-state
# For services permitted below.
${fwcmd} add pass tcp from me to any established
+ if afexists inet6; then
+ ${fwcmd} add pass ip6 from any to any proto tcp established
+ fi
# Allow any connection out, adding state for each.
${fwcmd} add pass tcp from me to any setup keep-state
${fwcmd} add pass udp from me to any keep-state
${fwcmd} add pass icmp from me to any keep-state
+ if afexists inet6; then
+ ${fwcmd} add pass ip6 from me6 to any proto tcp setup
+ ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
+ ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
+ keep-state
+ fi
# Allow DHCP.
${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
@@ -343,6 +482,10 @@
# Some servers will ping the IP while trying to decide if it's
# still in use.
${fwcmd} add pass icmp from any to any icmptype 8
+ if afexists inet6; then
+ ${fwcmd} add pass ip6 from any to any icmp6type 128,129 \
+ proto ipv6-icmp
+ fi
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptype 3,4,11
@@ -361,6 +504,9 @@
for i in ${firewall_allowservices} ; do
for j in ${firewall_myservices} ; do
${fwcmd} add pass tcp from $i to me $j
+ if afexists inet6; then
+ ${fwcmd} add pass tcp from $i to me6 $j setup
+ fi
done
done
@@ -370,7 +516,10 @@
for i in ${firewall_trusted} ; do
${fwcmd} add pass ip from $i to me
done
-
+ for i in ${firewall_trusted_ipv6} ; do
+ ${fwcmd} add pass ip6 from $i to me6
+ done
+
${fwcmd} add 65000 count ip from any to any
# Drop packets to ports where we don't want logging
[-- Attachment #3 --]
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ygeljhyk1qg.wl%ume>