Date:      Mon, 19 Nov 2001 21:09:19 +0300 (MSK)
From:      Seva Gluschenko <gvs@rinet.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   conf/32108: Proposed Firewall (IPv4) configuration script
Message-ID:  <200111191809.fAJI9Jt78559@staff.rinet.ru>


>Number:         32108
>Category:       conf
>Synopsis:       Proposed Firewall (IPv4) configuration script
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 19 10:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Seva Gluschenko
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Cronyx Plus LLC / ru.rinet LIR
>Environment:
System: FreeBSD staff.rinet.ru 4.4-STABLE FreeBSD 4.4-STABLE #0: Thu Oct 25 06:32:20 MSD 2001 root@:/usr/src/sys/compile/staff i386

>Description:
	Well, I'm proud to present a collective effort of the RiNet NOC
	staff: the existing /etc/rc.firewall script seems slightly
	outdated and does not fit well with the modern concept of flexible,
	easily configurable tools. Thus we've developed our own script,
	rc.fw, which has some autoconfiguration built in and reads its own
	configuration file, rc.fw.conf by default.

>How-To-Repeat:
	The general configuration script, /etc/rc.conf (and maybe
	/etc/defaults/rc.conf, once approved) should point to a new
	firewall invocation script, as follows:
----------
firewall_script='/etc/rc.fw'	# run rc.fw in place of the stock rc.firewall

The optional configuration variables used in this script are:

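firewall_config="/etc/rc.fw.conf"	# path to the rule file read by rc.fw
firewall_zero="YES"		# zero the ipfw counters after loading the rules
firewall_quiet="YES"		# pass the "-q" (quiet) switch to ipfw
firewall_ifnames="YES"		# name autoconf variables by interface name (NO: by index)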
----------

	A sample /etc/rc.fw.conf might look like this:
----------
# Variables from rc.conf and hostnames from /etc/hosts are allowed.
#

1000 pass all from any to any via lo0
1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

# sample traffic shaper, see dummynet(4) for details
# also, consider resetting net.inet.ip.fw.one_pass
|1 config bw 64Kbit/s queue 16Kbytes mask src-ip 0xffffffff
pipe 1 ip from 192.168.240.25 to any

# sample queue configuration (WF2Q+ algorithm), again dummynet(4)
:5 config pipe 1 weight 5
queue 5 tcp from any to any smtp
queue 5 tcp from any smtp to any

# use this line when firewall_ifnames is set to YES
#2000 deny icmp echo-request from any to any in via ${rl0}
# or this line otherwise
2000 deny icmp echo-request from any to any in via ${if1}
pass icmp from any to any

# Trust internal network
pass ip from any to any via ${if0}
# for firewall_ifnames=YES
#pass ip from any to any via ${de0}

# Allow setup of incoming SSH, SMTP, DNS, HTTP, auth
pass tcp from any to ${if1ip0} 22,25,53,80,113 setup
# for firewall_ifnames=YES
#pass tcp from any to ${if_rl0_0} 22,25,53,80,113 setup

# Trust NTP requests from our neighbourhood
pass udp from ${if1ip0}:${if1nm0} 1024-65535,ntp to any ntp
# for firewall_ifnames=YES
#pass udp from ${if_rl0_0}:${if_rl0_m0} 1024-65535,ntp to any ntp

# Grant access to our unprivileged userland ports
pass tcp from any to any ${first}-${last}
pass tcp from any to any ${hifirst}-${hilast}

# Sample configuration ends here
################################################################
---------

	NOTE! The firewall configuration rules given here are examples only
	and probably should not be used as-is in a production environment.

>Fix:

	The script itself follows:

#!/bin/sh
#
# RiNet NOC firewall configuration script. Authors:
# Dmitry Morozovsky (DM268-RIPE),
# Seva Gluschenko (GVS-RIPE),
# Oleg Bulyzhin (OBUL-RIPE)

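# Read the system configuration first so that the firewall_* variables
# are already set when the autoconf below looks at firewall_ifnames.
# This matters when the script is run by hand; when it is sourced from
# rc via firewall_script the variables are normally in scope already.
# source_rc_confs (defined in /etc/defaults/rc.conf) pulls in
# /etc/rc.conf and its overrides.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# Autoconf start
#
# Build an awk program that turns "ifconfig -au inet" output into shell
# assignments describing every up interface and its inet addresses.
# Interfaces are numbered in the order ifconfig lists them; addresses
# are numbered per interface from 0.  Loopback (127/8) addresses are
# skipped, but an interface carrying only those still consumes an
# interface number.
#
#   firewall_ifnames=YES: if0=de0  if_de0_0=<addr>  if_de0_m0=<mask>
#   otherwise:            if0=de0  if0ip0=<addr>    if0nm0=<mask>
#
# Only lines that start in column 0 and whose first field ends in ":"
# are interface headers; ifconfig indents every other line, so those
# are ignored rather than mistaken for a new interface.
case ${firewall_ifnames} in
[Yy][Ee][Ss])
	AWKCMD='BEGIN { if_no = -1 }
	/^[^ \t]/ && $1 ~ /:$/ {
		split($1, a, /:/)
		printf "if%d=%s\n", ++if_no, a[1]
		ad = 0
		next
	}
	$1 == "inet" && $2 !~ /^127/ {
		printf "if_%s_%d=%s\n", a[1], ad, $2
		printf "if_%s_m%d=%s\n", a[1], ad++, $4
	}'
	;;
*)
	AWKCMD='BEGIN { if_no = -1 }
	/^[^ \t]/ && $1 ~ /:$/ {
		split($1, a, /:/)
		printf "if%d=%s\n", ++if_no, a[1]
		ad = 0
		next
	}
	$1 == "inet" && $2 !~ /^127/ {
		printf "if%dip%d=%s\n", if_no, ad, $2
		printf "if%dnm%d=%s\n", if_no, ad++, $4
	}'
	;;
esac

# The assignments come from root-owned system tools, which is the only
# reason feeding them to eval is acceptable here.  Quoting the
# substitution keeps one assignment per line.
eval "$(/sbin/ifconfig -au inet | awk "$AWKCMD")"

# Portrange guess: every net.inet.ip.portrange.* sysctl becomes a shell
# variable of the same leaf name, e.g. "...portrange.first: 1024" -> first=1024
eval "$(/sbin/sysctl net.inet.ip.portrange | cut -f 5 -d . | sed 's/: /=/')"

# Autoconf end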

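# Detect whether we need to load kernel module
# Esp. useful to deploy firewall rules "on the fly"
# "ipfw l" is used as a probe for firewall support; if it fails, try to
# load the module, and give up if that fails too.  Diagnostics go to
# stderr so they are not mixed with regular output.
/sbin/ipfw -q l 2>/dev/null || /sbin/kldload ipfw || {
	echo "Error: IP Firewall is not available" >&2
	exit 1
}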

############
# Set quiet mode if requested
#
# fwcmd is expanded unquoted later on so that "-q" stays a separate
# argument to ipfw.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])	fwcmd="${fwcmd} -q" ;;
esac

# Rule file: firewall_config from rc.conf, or the built-in default when
# that variable is unset or empty.
CONF="${firewall_config:-/etc/rc.fw.conf}"

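# Check the resolved rule file (CONF), not the raw rc.conf variable:
# firewall_config is legitimately empty when the default path is in use,
# and testing it would abort every default installation.
[ -r "${CONF}" ] || {
	echo "Error: ${CONF} does not exist or is not readable" >&2
	exit 1
}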

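# Turn on kernel-side logging when any rule uses "log".
# -w matches the word anywhere in the file, comments included.
grep -q -w log "${CONF}" && \
	/sbin/sysctl net.inet.ip.fw.verbose=1

# Start from an empty ruleset.  Until the rules below are loaded only
# the kernel's default rule (65535) is in effect, so keep that in mind
# when re-running this script over the network.
${fwcmd} -f flush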

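# Load the rules.  Each line is shell-expanded with eval so that ${if0},
# ${first} and the other autoconf variables work.  That also means the
# rule file is executed as shell text: it must be trusted (root-owned,
# not writable by anyone else).  $C is passed to ipfw unquoted on
# purpose so that every word becomes a separate argument.
#
#   empty / "#..."  skipped
#   ":NNN config"   ipfw queue NNN config ...
#   "|NNN config"   ipfw pipe NNN config ...
#   anything else   ipfw add ...
#
# ipfw reports its own errors; the line number is added here so a
# failing rule can be located in ${CONF}.  Processing continues, as it
# always did, so a bad line leaves a partial ruleset behind.
lineno=0
while read -r param
do
	lineno=$((lineno + 1))
	case $param in
	"")	continue ;;
	\#*)	continue ;;
	# :NNN config ...
	\:*)	sub=queue
		eval "C=\"${param#?}\""
		;;
	# |NNN config ...
	\|*)	sub=pipe
		eval "C=\"${param#?}\""
		;;
	# [NNN] action proto ...
	*)	sub=add
		eval "C=\"${param}\""
		;;
	esac
	${fwcmd} ${sub} $C ||
		echo "Error: ${CONF} line ${lineno}: ${param}" >&2
done < "${CONF}"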

# clear accounting esp. useful for rule 65535
# (presumably because flush leaves the default rule, and therefore its
# counters, in place)
case ${firewall_zero} in
[Yy][Ee][Ss])	zero_counters=1 ;;
*)		zero_counters= ;;
esac
[ -z "${zero_counters}" ] || ${fwcmd} zero

# --- END ---
>Release-Note:
>Audit-Trail:
>Unformatted:




