Date: Wed, 17 May 2000 09:04:33 -0400 (EDT) From: jim@thehousleys.net To: FreeBSD-gnats-submit@freebsd.org Subject: conf/18621: Adding ip6fw/firewall support for IPv6 to rc.* Message-ID: <200005171304.JAA03963@thehousleys.net>
>Number: 18621
>Category: conf
>Synopsis: Adding ip6fw/firewall support for IPv6 to rc.*
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed May 17 06:10:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Jim Housley
>Release: FreeBSD 4.0-STABLE i386
>Organization:
The Housleys dot Net
>Environment:
FreeBSD 4.x & FreeBSD 5.x
>Description:
The attached patch will add the capability to /etc/defaults/rc.conf
to specify IPv6 firewall variables. /etc/rc.network will call
/etc/rc.firewall6 as a default IPv6 firewall script. BTW the
sample rules need LOTS of work, but the framework is there.
/etc/rc.firewall needs to be modified to allow IPv6 packets to
pass by default so they can be handled by the IPv6 firewall.
>How-To-Repeat:
>Fix:
--- rc.firewall Mon May 1 15:00:31 2000
+++ rc.firewall.new Wed May 17 08:47:26 2000
@@ -66,6 +66,15 @@
${fwcmd} -f flush
############
+# If IPv6 firewall is used we need to a a pass rule for IPv6
+#
+case ${firewall_enable} in
+[Yy][Ee][Ss])
+ ${fwcmd} add 25 allow ipv6 from any to any
+ ;;
+esac
+
+############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
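Review bot: The new case tests `firewall_enable`, which is necessarily YES wherever rc.firewall is run, so the `allow ipv6 from any to any` rule at 25 is installed unconditionally and IPv6 traffic bypasses ipfw even when `firewall6_enable` is NO and no IPv6 ruleset exists. The comment above it says the rule is for when the IPv6 firewall is used, so the selector should be `case ${firewall6_enable} in`. While here, the comment text "we need to a a pass rule" should read `# If the IPv6 firewall is used we need to add a pass rule for IPv6`. rc.firewall is a flat script and the rest of it lies outside this hunk.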
@@ -74,7 +83,7 @@
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
- ${fwcmd} add divert natd all from any to any via ${natd_interface}
+ ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
fi
;;
esac
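Review bot: The natd divert rule now carries the fixed number 50 with nothing saying why; it appears chosen to sort after the IPv6 pass at 25 and ahead of the numbered rules that follow, but nothing in the hunk records that dependency. A one-line comment such as `# Rule 50 keeps the natd divert after the IPv6 pass rule (25) and ahead of the type-specific rules` would make the ordering explicit for anyone renumbering later.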
--- rc.firewall6 Wed May 17 08:57:05 2000
+++ rc.firewall6.new Wed May 17 08:51:30 2000
@@ -0,0 +1,132 @@
+############
+# Setup system for firewall service.
+# $FreeBSD$
+
+# Suck in the configuration variables.
+if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+fi
+
+############
+# Define the firewall type in /etc/rc.conf. Valid values are:
+# open - will allow anyone in
+# client - will try to protect just this machine
+# simple - will try to protect a whole network
+# closed - totally disables IP services except via lo0 interface
+# UNKNOWN - disables the loading of firewall rules.
+# filename - will load the rules in the given filename (full path required)
+#
+# For ``client'' and ``simple'' the entries below should be customized
+# appropriately.
+
+############
+#
+# If you don't know enough about packet filtering, we suggest that you
+# take time to read this book:
+#
+# Building Internet Firewalls
+# Brent Chapman and Elizabeth Zwicky
+#
+# O'Reilly & Associates, Inc
+# ISBN 1-56592-124-0
+# http://www.ora.com/
+#
+# For a more advanced treatment of Internet Security read:
+#
+# Firewalls & Internet Security
+# Repelling the wily hacker
+# William R. Cheswick, Steven M. Bellowin
+#
+# Addison-Wesley
+# ISBN 0-201-6337-4
+# http://www.awl.com/
+#
+
+if [ -n "${1}" ]; then
+ firewall6_type="${1}"
+fi
+
+############
+# Set quiet mode if requested
+#
+case ${firewall6_quiet} in
+[Yy][Ee][Ss])
+ fw6cmd="/sbin/ip6fw -q"
+ ;;
+*)
+ fw6cmd="/sbin/ip6fw"
+ ;;
+esac
+
+############
+# Flush out the list before we begin.
+#
+${fw6cmd} -f flush
+
+############
+# If you just configured ipfw in the kernel as a tool to solve network
+# problems or you just want to disallow some particular kinds of traffic
+# then you will want to change the default policy to open. You can also
+# do this as your only action by setting the firewall6_type to ``open''.
+#
+# ${fw6cmd} add 65000 pass all from any to any
+
+############
+# Only in rare cases do you want to change these rules
+#
+${fw6cmd} add 100 pass all from any to any via lo0
+
+
+# Prototype setups.
+#
+case ${firewall6_type} in
+[Oo][Pp][Ee][Nn])
+ ${fw6cmd} add 65000 pass all from any to any
+ ;;
+
+[Cc][Ll][Ii][Ee][Nn][Tt])
+ ############
+ # This is a prototype setup that will protect your system somewhat
+ # against people from outside your own network.
+ ############
+
+ # set these to your network and netmask and ip
+ #
+ # This needs more work
+ #
+ ;;
+
+[Ss][Ii][Mm][Pp][Ll][Ee])
+ ############
+ # This is a prototype setup for a simple firewall. Configure this
+ # machine as a named server and ntp server, and point all the machines
+ # on the inside at this machine for those services.
+ ############
+
+ #
+ # ND
+ #
+ # DAD
+ ${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
+ ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+ # RS, RA, NS, NA, redirect...
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+ ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+
+ ${fw6cmd} add pass tcp from any to any established
+
+ # RIPng
+ ${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
+
+ ;;
+
+[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
+ ;;
+*)
+ if [ -r "${firewall6_type}" ]; then
+ ${fw6cmd} ${firewall6_flags} ${firewall6_type}
+ fi
+ ;;
+esac
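Review bot: Neither the `client` nor the `simple` prototype installs a terminal rule, so once the `case ${firewall6_type}` block finishes, the fate of every packet not explicitly passed is decided by the kernel's default rule 65535, which this script neither checks nor documents; `client` in particular adds nothing beyond the `add 100 pass all from any to any via lo0` rule, so selecting it yields either a fully open or a fully closed IPv6 stack depending on how the kernel was built. Each prototype should end with an explicit policy rule, e.g. `${fw6cmd} add 65000 deny all from any to any` for the protective types, and the header comment should state what rule 65535 does in the shipped kernel. Two smaller points: the comment "If you just configured ipfw in the kernel" should say ip6fw, and the DAD rule `add pass ipv6-icmp from ff02::/16 to ::` looks like it can never match, since the unspecified address is only valid as a source address — confirm and drop or correct it.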
--- rc.network Mon Mar 27 16:39:49 2000
+++ rc.network.new Wed May 17 08:54:29 2000
@@ -228,6 +228,41 @@
;;
esac
+ case ${firewall6_enable} in
+ [Yy][Ee][Ss])
+ if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
+ firewall_in_kernel=1
+ echo "Kernel firewall module loaded."
+ elif [ "${firewall_in_kernel}" -eq 0 ]; then
+ echo "Warning: firewall kernel module failed to load."
+ fi
+ ;;
+ esac
+
+ # Load the filters if required
+ #
+ case ${firewall_in_kernel} in
+ 1)
+ if [ -z "${firewall6_script}" ]; then
+ firewall6_script=/etc/rc.firewall6
+ fi
+
+ case ${firewall6_enable} in
+ [Yy][Ee][Ss])
+ if [ -r "${firewall6_script}" ]; then
+ . "${firewall6_script}"
+ echo -n 'Firewall rules loaded, starting divert daemons:'
+
+ elif [ "`ip6fw l 65535`" = "65535 deny ip from any to any" ]; then
+ echo -n "Warning: kernel has firewall functionality, "
+ echo "but firewall rules are not enabled."
+ echo " All ip services are disabled."
+ fi
+ ;;
+ esac
+ ;;
+ esac
+
# Additional ATM interface configuration
#
if [ -n "${atm_pass1_done}" ]; then
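Review bot: The IPv6 block is gated on the IPv4 firewall: it runs `kldload ipfw` and reuses `firewall_in_kernel`, but loading the ipfw module does not provide ip6fw, so on a kernel without IPv6 firewall support the script announces "Kernel firewall module loaded." and then sources rc.firewall6, where every `ip6fw` call fails while "Firewall rules loaded" is still printed and IPv6 stays unfiltered. Gate the block on the IPv6 firewall itself, for instance `if ip6fw l 65535 >/dev/null 2>&1; then` around the `. "${firewall6_script}"` line, and print the success message only when the sourced script returns 0. The trailing `echo -n 'Firewall rules loaded, starting divert daemons:'` is copied from the IPv4 path and nothing follows it here, so the line is never terminated; drop the divert wording and use a plain echo. The string compared against `ip6fw l 65535` is the ipfw wording; check it against actual ip6fw list output, which may print the protocol differently. The enclosing function of rc.network is not visible in this hunk.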
--- defaults/rc.conf Mon Apr 17 09:17:11 2000
+++ defaults/rc.conf.new Wed May 17 08:39:41 2000
@@ -48,6 +48,11 @@
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_flags="" # Flags passed to ipfw when type is a file
+firewall6_enable="NO" # Set to YES to enable firewall functionality
+firewall6_script="/etc/rc.firewall6" # Which script to run to set up the firewall
+firewall6_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
+firewall6_quiet="NO" # Set to YES to suppress rule display
+firewall6_flags="" # Flags passed to ipfw when type is a file
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
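Review bot: The comments on the new `firewall6_*` entries were copied from the IPv4 lines and now point at the wrong things: `firewall6_type` says "see /etc/rc.firewall" and `firewall6_flags` says "Flags passed to ipfw", whereas the script these control is /etc/rc.firewall6 and the command is ip6fw. Change them to `firewall6_type="UNKNOWN" # Firewall type (see /etc/rc.firewall6)` and `firewall6_flags="" # Flags passed to ip6fw when type is a file`. The `firewall6_enable` comment should also say it enables the IPv6 firewall so the two groups are distinguishable when scanning the file.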
>Release-Note:
>Audit-Trail:
>Unformatted:
