From owner-freebsd-bugs Mon Nov 19 10:10:25 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200111191809.fAJI9Jt78559@staff.rinet.ru>
Date: Mon, 19 Nov 2001 21:09:19 +0300 (MSK)
From: Seva Gluschenko
Reply-To: RiNet NOC
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/32108: Proposed Firewall (IPv4) configuration script
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         32108
>Category:       conf
>Synopsis:       Proposed Firewall (IPv4) configuration script
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 19 10:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Seva Gluschenko
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Cronyx Plus LLC / ru.rinet LIR
>Environment:
System: FreeBSD staff.rinet.ru 4.4-STABLE FreeBSD 4.4-STABLE #0: Thu Oct 25 06:32:20 MSD 2001 root@:/usr/src/sys/compile/staff i386

>Description:
Well, I'm proud to present to you a collective thought of the RiNet NOC
staff: the existing /etc/rc.firewall script seems to be slightly outdated
and does not fit well with the modern concept of flexible and easily
configurable tools. Thus we've developed our own script called rc.fw,
which has some autoconfiguration inside and reads its own configuration
file, rc.fw.conf by default.

>How-To-Repeat:
The general configuration script, /etc/rc.conf (and maybe
/etc/defaults/rc.conf, once approved), should point to the new firewall
invocation script, as follows:

----------
firewall_script="/etc/rc.fw"
----------

The optional configuration variables used in this script are:

----------
firewall_config="/etc/rc.fw.conf"	# path to configuration file
firewall_zero="YES"			# whether to zero counters after loading the rules
firewall_quiet="YES"			# whether to pass the "-q" (quiet) switch to ipfw
firewall_ifnames="YES"			# use names of ifaces (NO - numbers)
----------

The sample /etc/rc.fw.conf may look like:

----------
# Variables from rc.conf and hostnames from /etc/hosts are allowed.
#
1000 pass all from any to any via lo0
1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

# sample traffic shaper, see dummynet(4) for details
# also, consider resetting net.inet.ip.fw.one_pass
|1 config bw 64Kbit/s queue 16Kbytes mask src-ip 0xffffffff
pipe 1 ip from 192.168.240.25 to any

# sample queue configuration (WF2Q+ algorithm), again dummynet(4)
:5 config pipe 1 weight 5
queue 5 tcp from any to any smtp
queue 5 tcp from any smtp to any

# use this line when firewall_ifnames is set to YES
# (interfaces are then referenced by their plain names)
#2000 deny icmp echo-request from any to any in via rl0
# or this line otherwise
2000 deny icmp echo-request from any to any in via ${if1}
pass icmp from any to any

# Trust internal network
pass ip from any to any via ${if0}
# for firewall_ifnames=YES
#pass ip from any to any via de0

# Allow setup of incoming SSH, SMTP, DNS, HTTP, auth
pass tcp from any to ${if1ip0} 22,25,53,80,113 setup
# for firewall_ifnames=YES
#pass tcp from any to ${if_rl0_0} 22,25,53,80,113 setup

# Trust NTP requests from our neighbourhood
pass udp from ${if1ip0}:${if1nm0} 1024-65535,ntp to any ntp
# for firewall_ifnames=YES
#pass udp from ${if_rl0_0}:${if_rl0_m0} 1024-65535,ntp to any ntp

# Grant access to our unprivileged userland ports
pass tcp from any to any ${first}-${last}
pass tcp from any to any ${hifirst}-${hilast}
# Sample configuration ends here
################################################################
---------

NOTE! The firewall configuration rules specified here are only examples
and should probably not be used in a production environment.

>Fix:
The script itself follows:

#!/bin/sh
#
# RiNet NOC firewall configuration script.  Authors:
#	Dmitry Morozovsky (DM268-RIPE),
#	Seva Gluschenko (GVS-RIPE),
#	Oleg Bulyzhin (OBUL-RIPE)

# Read rc.conf first, so that firewall_ifnames / firewall_quiet /
# firewall_zero / firewall_config are honoured when the script is
# started by hand and not only from /etc/rc.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# Autoconf start
#
# Turn "ifconfig -au inet" output into shell variables.  ifN=<name> is
# set for the N-th interface in both modes (loopback addresses are
# skipped).  With firewall_ifnames=YES the M-th address and netmask of
# an interface become if_<name>_M and if_<name>_mM, otherwise ifNipM
# and ifNnmM.
case ${firewall_ifnames} in
[Yy][Ee][Ss])
	AWKCMD='BEGIN { if_no = -1; }
	{
		if ($2 ~ /^127/) { next; }
		if ($1 == "inet") {
			printf "if_%s_%d=%s\n", a[1], ad, $2;
			printf "if_%s_m%d=%s\n", a[1], ad++, $4;
		} else {
			split($1, a, /:/);
			printf "if%d=%s\n", ++if_no, a[1];
			ad = 0;
		}
	}'
	;;
*)
	AWKCMD='BEGIN { if_no = -1; }
	{
		if ($2 ~ /^127/) { next; }
		if ($1 == "inet") {
			printf "if%dip%d=%s\n", if_no, ad, $2;
			printf "if%dnm%d=%s\n", if_no, ad++, $4;
		} else {
			split($1, a, /:/);
			printf "if%d=%s\n", ++if_no, a[1];
			ad = 0;
		}
	}'
	;;
esac
eval `/sbin/ifconfig -au inet | awk "$AWKCMD"`

# Portrange guess: sets lowfirst/lowlast, first/last and
# hifirst/hilast from net.inet.ip.portrange.*
eval `/sbin/sysctl net.inet.ip.portrange | cut -f 5 -d . | sed 's/: /=/'`
# Autoconf end

# Detect whether we need to load the kernel module.
# Esp. useful to deploy firewall rules "on the fly".
/sbin/ipfw -q l 2>/dev/null || /sbin/kldload ipfw || {
	echo "Error: IP Firewall is not available"
	exit 1
}

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

if [ "X${firewall_config}" = "X" ]; then
	CONF="/etc/rc.fw.conf"
else
	CONF="${firewall_config}"
fi
[ -r "${CONF}" ] || {
	echo "Error: ${CONF} does not exist or is not readable"
	exit 1
}

# Turn on logging if any rule uses the "log" keyword
grep -q -w log $CONF && \
	/sbin/sysctl net.inet.ip.fw.verbose=1

${fwcmd} -f flush

# One entry per line; ${var} references are expanded by the shell.
#	:NNN config ...		-> ipfw queue NNN config ...
#	|NNN config ...		-> ipfw pipe NNN config ...
#	[NNN] action proto ...	-> ipfw add [NNN] action proto ...
while read param
do
	case $param in
	"")
		;;
	\#*)
		;;
	\:*)
		E="C=\"`echo $param | cut -c 2-`\""
		eval $E
		${fwcmd} queue $C
		;;
	\|*)
		E="C=\"`echo $param | cut -c 2-`\""
		eval $E
		${fwcmd} pipe $C
		;;
	*)
		E="C=\"$param\""
		eval $E
		${fwcmd} add $C
		;;
	esac
done < $CONF

# Clear accounting, esp. useful for rule 65535
case ${firewall_zero} in
[Yy][Ee][Ss])
	${fwcmd} zero
	;;
esac
# --- END ---

>Release-Note:
>Audit-Trail:
>Unformatted:
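The following is an added example and is not part of the PR or of the rc.fw script: a dry-run harness in POSIX sh that replays the two autoconfiguration steps (ifconfig and net.inet.ip.portrange parsing) and the `:`/`|`/plain line classification of rc.fw.conf against constructed command output, and prints the ipfw command lines that would be executed instead of running them. The function names (fw_autoconf, fw_portrange, fw_expand, fw_render, fw_demo), the sample interfaces and addresses, and the config excerpt are all assumptions made for this example. It goes one step beyond the script in one respect: `${name}` references are substituted without eval'ing the whole rule line, so only a validated variable name is ever evaluated.

```sh
#!/bin/sh
# Dry-run harness for the rc.fw.conf format (added example, not rc.fw).
# Replays the autoconfiguration and rule classification of rc.fw against
# constructed command output and prints the ipfw invocations that would
# run, so a config change can be reviewed before the live "ipfw flush".

# Constructed "ifconfig -au inet" output: de0 internal, rl0 external with
# one alias, plus loopback.  Not captured from a real host.
SAMPLE_IFCONFIG='de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Constructed "sysctl net.inet.ip.portrange" output.
SAMPLE_PORTRANGE='net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535'

# Constructed rc.fw.conf excerpt exercising every line type.
SAMPLE_CONF='# comment line, skipped

1000 pass all from any to any via lo0
|1 config bw 64Kbit/s queue 16Kbytes mask src-ip 0xffffffff
:5 config pipe 1 weight 5
queue 5 tcp from any to any smtp
2000 deny icmp echo-request from any to any in via ${if1}
pass tcp from any to ${if1ip0} 22,25,53,80,113 setup
pass tcp from any to any ${first}-${last}'

# fw_autoconf MODE: ifconfig output on stdin -> shell assignments.
# MODE "names" gives if_<ifname>_M / if_<ifname>_mM, anything else gives
# ifNipM / ifNnmM; ifN=<ifname> is emitted in both modes.  127/8
# addresses are skipped and M counts the addresses of one interface.
fw_autoconf() {
	awk -v mode="$1" 'BEGIN { if_no = -1 }
	$2 ~ /^127/ { next }
	$1 == "inet" {
		if (mode == "names") {
			printf "if_%s_%d=%s\n",  ifname, ad, $2
			printf "if_%s_m%d=%s\n", ifname, ad, $4
		} else {
			printf "if%dip%d=%s\n", if_no, ad, $2
			printf "if%dnm%d=%s\n", if_no, ad, $4
		}
		ad++; next
	}
	{ split($1, a, /:/); ifname = a[1]; printf "if%d=%s\n", ++if_no, ifname; ad = 0 }'
}

# fw_portrange: sysctl output on stdin -> first=1024, last=5000, ...
fw_portrange() {
	cut -f 5 -d . | sed 's/: /=/'
}

# fw_expand LINE: replace each ${name} with the shell variable of that
# name.  Only a validated identifier reaches eval, so backticks, $(...)
# or ';' inside a rule are handed to ipfw literally instead of being run
# (rc.fw evals the whole line).  Unknown names expand to "", as in rc.fw.
fw_expand() {
	line=$1; open='${'; close='}'
	while :; do
		case $line in
		*"$open"*"$close"*) ;;
		*) break ;;
		esac
		pre=${line%%"$open"*}
		rest=${line#*"$open"}
		name=${rest%%"$close"*}
		post=${rest#*"$close"}
		case $name in
		""|[0-9]*|*[!A-Za-z0-9_]*)
			echo "fw_expand: bad variable name '$name'" >&2
			return 1 ;;
		esac
		eval "val=\${$name}"
		line=$pre$val$post
	done
	printf '%s\n' "$line"
}

# fw_render: rc.fw.conf on stdin -> one "ipfw <verb> ..." line per rule,
# with the same prefix convention as rc.fw (':' queue, '|' pipe).
fw_render() {
	while read -r param; do
		case $param in
		""|\#*) continue ;;
		\:*) verb=queue; body=${param#":"} ;;
		\|*) verb=pipe;  body=${param#"|"} ;;
		*)   verb=add;   body=$param ;;
		esac
		body=$(fw_expand "$body") || return 1
		printf 'ipfw %s %s\n' "$verb" "$body"
	done
}

# fw_demo: run the whole pipeline on the constructed samples.
fw_demo() {
	eval "$(printf '%s\n' "$SAMPLE_IFCONFIG" | fw_autoconf numbers)"
	eval "$(printf '%s\n' "$SAMPLE_PORTRANGE" | fw_portrange)"
	printf '%s\n' "$SAMPLE_CONF" | fw_render
}

fw_demo
```

Pointing fw_render at the real /etc/rc.fw.conf (after sourcing rc.conf and running fw_autoconf on live ifconfig output) shows every ipfw invocation the script would issue with all interface and port variables resolved, which is the easiest way to catch an unset `${var}` before it turns into an empty field in a live rule. fw_expand rejects a malformed variable name with a non-zero status, and fw_render stops at that line rather than emitting a partial rule set.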