[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
# Configuration:
# firewall_myservices: List of ports/protocols on which this
# host offers services.
# firewall_allowservices: List of IPv4 and/or IPv6 addresses
# that have access to
# $firewall_myservices.
# firewall_trusted: List of IPv4 and/or IPv6 addresses
# that have full access to this host.
# Be very careful when setting this.
# This option can seriously degrade
# the level of protection provided by
# the firewall.
# firewall_logdeny: Boolean (YES/NO) specifying if the
# default denied packets should be
# logged (in /var/log/security).
# firewall_nologports: List of TCP/UDP ports for which
# denied incoming packets are not
# logged.
# Allow packets for which a state has been built.
${fwcmd} add check-state
# For services permitted below.
${fwcmd} add pass tcp from me to any established
# Allow any connection out, adding state for each.
${fwcmd} add pass tcp from me to any setup keep-state
${fwcmd} add pass udp from me to any keep-state
${fwcmd} add pass icmp from me to any keep-state
if [ $ipv6_available -eq 0 ]; then
${fwcmd} add pass ipv6-icmp from me to any keep-state
fi
# Allow DHCP.
${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
${fwcmd} add pass udp from any 67 to me 68 in
${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
if [ $ipv6_available -eq 0 ]; then
${fwcmd} add pass udp from fe80::/10 to me 546 in
fi
# Some servers will ping the IP while trying to decide if it's
# still in use.
${fwcmd} add pass icmp from any to any icmptype 8
if [ $ipv6_available -eq 0 ]; then
${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
fi
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptype 3,4,11
if [ $ipv6_available -eq 0 ]; then
${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
fi
# Add permits for this workstations published services below
# Only IPs and nets in firewall_allowservices is allowed in.
# If you really wish to let anyone use services on your
# workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
#
# Note: We don't use keep-state as that would allow DoS of
# our statetable.
# You can add 'keep-state' to the lines for slightly
# better performance if you fell that DoS of your
# workstation won't be a problem.
#
for i in ${firewall_allowservices} ; do
for j in ${firewall_myservices} ; do
case $j in
[0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
;;
[0-9A-Za-z]*/[Tt][Cc][Pp])
${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
;;
[0-9A-Za-z]*/[Uu][Dd][Pp])
${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
;;
*[0-9A-Za-z])
echo "Consider using ${j}/tcp in firewall_myservices." \
> /dev/stderr
${fwcmd} add pass tcp from $i to me $j
;;
*)
echo "Invalid port in firewall_myservices: $j" > /dev/stderr
;;
esac
done
done
# Allow all connections from trusted IPs.
# Playing with the content of firewall_trusted could seriously
# degrade the level of protection provided by the firewall.
for i in ${firewall_trusted} ; do
${fwcmd} add pass ip from $i to me
done
${fwcmd} add 65000 count ip from any to any
# Drop packets to ports where we don't want logging
for i in ${firewall_nologports} ; do
${fwcmd} add deny { tcp or udp } from any to any $i in
done
# Broadcasts and multicasts
${fwcmd} add deny ip from any to 255.255.255.255
${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX
# Noise from routers
${fwcmd} add deny udp from any to any 520 in
# Noise from webbrowsing.
# The stateful filter is a bit aggressive, and will cause some
# connection teardowns to be logged.
${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in
# Deny and (if wanted) log the rest unconditionally.
log=""
if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
log="log logamount 500" # The default of 100 is too low.
sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
${fwcmd} add deny $log ip from any to any
;;
[Cc][Ll][Oo][Ss][Ee][Dd])