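/*
 * Firewall rules.  This file is preprocessed by cpp then fed to ipfw.
 *
 * Layout: rules are numbered by section so new rules can be slotted in
 * without renumbering:
 *	00990-02400  IP-level sanity checks, natd divert, anti-spoofing
 *	03xxx        TCP
 *	04xxx        UDP
 *	05xxx        ICMP
 *	65000        final deny
 *
 * EXT_IF / EXT_ADDR / EXT_NET (external interface, its address, its
 * network) and INT_IF / INT_ADDR / INT_NET (internal side) are used but
 * not defined here; whatever invokes cpp on this file must supply them.
 *
 * Available knobs:
 *
 * LOG_DROPPED_PACKETS
 *	Dropped packets are logged.
 *
 * ROUTE_INTERNAL_NETWORK
 *	Allow all packets between internal network hosts.
 *	(The spelling ROUTE_INTERNAL_NET is also accepted, because
 *	earlier copies of this file tested that name instead of the
 *	documented one.)
 *
 * LOCAL_NAME_SERVER
 *	This machine runs a local DNS server; give clients (both
 *	internal & external) access to it.
 *
 * LOCAL_TIME_SERVER
 *	This machine runs a local NTP server; it broadcasts time
 *	announcements to local clients.
 *
 * LOCAL_VPN_SERVER
 *	This machine runs a local PPTP server; give external
 *	clients access to it.
 *
 * ALLOW_ACTIVE_FTP
 *	Allow active FTP transfers, where the data connection is made
 *	from the server back to the client.  Requires -use_sockets
 *	option for natd.
 *
 * ALLOW_TRACEROUTE
 *	Allow outgoing traceroutes from the firewall and the internal
 *	network.
 *
 * ALLOW_ALL_ICMP
 *	Allow all ICMP packets to/from anywhere.  Default is to allow
 *	only a very minimal subset of:
 *		3  = destination unreachable
 *		4  = source quench
 *		11 = time exceeded in transit
 *		12 = parameter problem
 *
 * DROP_SILENT
 *	If undefined (default), dropped connections generate an
 *	error packet:
 *		TCP packets generate a RST
 *		UDP packets generate ICMP "Port unreachable"
 *		ICMP packets generate ICMP "Prohibited by filter"
 *	Otherwise (defined), no error packet is sent.
 *
 * DIVERT_TO_NATD
 *	Add a rule that diverts all packets to natd.  Normally this
 *	rule is added to the set by rc.firewall, before this file is
 *	even loaded.
 *
 * Renaud Waldura, August 2000
 */

// BLOCK_* expand to the ipfw action used by the per-protocol catch-all
// rules (03900, 04900).  DROP_SILENT picks plain "deny" over the
// reset/unreach actions; LOG_DROPPED_PACKETS appends "log" either way.
#ifdef DROP_SILENT
# ifdef LOG_DROPPED_PACKETS
#  define BLOCK_TCP deny log
#  define BLOCK_UDP deny log
#  define BLOCK_ICMP deny log
# else
#  define BLOCK_TCP deny
#  define BLOCK_UDP deny
#  define BLOCK_ICMP deny
# endif
#else
# ifdef LOG_DROPPED_PACKETS
#  define BLOCK_TCP reset log
#  define BLOCK_UDP unreach port log
#  define BLOCK_ICMP unreach filter-prohib log
# else
#  define BLOCK_TCP reset
#  define BLOCK_UDP unreach port
#  define BLOCK_ICMP unreach filter-prohib
# endif
#endif

/*** IP ******************************************************/

// filter out all bogus packets at the external interface:
// only packets addressed to EXT_ADDR may come in on EXT_IF, everything
// else arriving there is dropped before any later rule (including the
// natd divert) can see it
add 00990 skipto 1000 ip from any to EXT_ADDR in recv EXT_IF
add 00999 deny all from any to any in recv EXT_IF

// hand off packets to natd; they will be reinjected, with the address
// translated, into the next rule
#ifdef DIVERT_TO_NATD
add 01000 divert natd ip from any to any via EXT_IF
#endif

// prevent spoofing: internal addresses must not arrive on the external
// interface, and external addresses must not arrive on the internal one
add 02100 deny all from INT_NET to any in via EXT_IF
add 02110 deny all from EXT_NET to any in via INT_IF

// Both spellings of the knob are honoured; see the header comment.
#if defined(ROUTE_INTERNAL_NETWORK) || defined(ROUTE_INTERNAL_NET)
// allow all packets from the internal network, on any interface
// (02100 above has already rejected INT_NET sources seen on EXT_IF)
add 02300 allow all from INT_NET to any
#else
// only this host talking to the internal network over the internal interface
add 02300 allow all from INT_ADDR to INT_NET via INT_IF
#endif

#ifdef LOCAL_VPN_SERVER
// PPTP carries its tunnelled data in GRE; the control channel is TCP
// rule 03600 below
add 02400 allow gre from any to any via EXT_IF
#endif

/*** TCP ****************************************************/

// allow all established connections
// NOTE: ipfw's "established" keyword is a match on TCP flags, not on
// connection state recorded from an earlier rule; this file does not
// use dynamic (check-state/keep-state) rules.
add 03000 allow tcp from any to any established

// allow outgoing TCP setups from the local host, and from the internal
// network
add 03100 allow tcp from EXT_ADDR to any out via EXT_IF
//add 03110 allow tcp from INT_NET to any in recv INT_IF setup

// allow the return TCP connection for FTP data session
#ifdef ALLOW_ACTIVE_FTP
add 03200 allow tcp from any 20 to EXT_ADDR in recv EXT_IF setup
// The trailing "out xmit INT_IF setup" on the next rule is a cpp comment
// and is stripped before ipfw sees it, so as loaded the rule has no
// direction or "setup" qualifier: any TCP segment with source port 20
// and destination INT_NET is allowed.
// NOTE(review): confirm that is intended; if not, move the qualifiers
// back onto the rule.
add 03210 allow tcp from any 20 to INT_NET // out xmit INT_IF setup
#endif

// allow SMTP to the local host
add 03300 allow tcp from any to EXT_ADDR smtp in recv EXT_IF setup

// allow SSH to the local host
add 03400 allow tcp from any to EXT_ADDR ssh in recv EXT_IF setup

#ifdef LOCAL_NAME_SERVER
// allow zone transfers to the outside world
add 03500 allow tcp from any to EXT_ADDR domain in recv EXT_IF setup
#endif

#ifdef LOCAL_VPN_SERVER
// allow traffic to PPTP daemon
add 03600 allow tcp from any to EXT_ADDR pptp in recv EXT_IF setup
#endif

// all other TCP connections are blocked (action chosen by DROP_SILENT /
// LOG_DROPPED_PACKETS above)
add 03900 BLOCK_TCP tcp from any to any in via EXT_IF

/*** UDP ****************************************************/

// allow client DNS queries to the outside from this machine
// (domain = DNS port number)
// NOTE(review): 04000 matches on the remote *source* port only, so any
// UDP datagram from port 53 reaches any port on EXT_ADDR; the same
// pattern is used by 04050 and 04110 below.  Confirm this is acceptable.
add 04000 allow udp from any domain to EXT_ADDR
add 04010 allow udp from EXT_ADDR to any domain

#ifdef LOCAL_NAME_SERVER
// allow client DNS queries from the internal net to this name server
add 04020 allow udp from INT_NET to INT_ADDR domain
add 04030 allow udp from INT_ADDR domain to INT_NET
// allow server DNS queries to this nameserver from the Internet
add 04040 allow udp from any to EXT_ADDR domain
add 04050 allow udp from EXT_ADDR domain to any
#endif

#ifdef LOCAL_TIME_SERVER
// allow NTP to/from the local host and out to the local network
add 04100 allow udp from any ntp to EXT_ADDR ntp
add 04110 allow udp from EXT_ADDR ntp to any ntp
add 04120 allow udp from INT_ADDR ntp to INT_NET ntp
#endif

#ifdef ALLOW_TRACEROUTE
// allow traceroutes (the classic UDP high-port probe range)
add 04300 allow udp from EXT_ADDR to any 33434-33534
add 04310 allow udp from INT_NET to any 33434-33534
#endif

// block everything else
add 04900 BLOCK_UDP udp from any to any in via EXT_IF

/*** ICMP **************************************************/

#ifdef ALLOW_ALL_ICMP
// allow all ICMP packets to and from anywhere
add 05000 allow icmp from any to any
#else
// allow only essential ICMP packets to and from the local host
// (types listed in the ALLOW_ALL_ICMP knob description above)
add 05000 allow icmp from EXT_ADDR to any icmptype 3,4,11,12
add 05010 allow icmp from any to EXT_ADDR icmptype 3,4,11,12
// as well as to/from the internal network
add 05100 allow icmp from INT_NET to any icmptype 3,4,11,12
add 05110 allow icmp from any to INT_NET icmptype 3,4,11,12
#endif

/*** EVERYTHING ELSE IS DENIED *********/

// BLOCK_ICMP is intentionally not used here: nothing reaches this rule
// except traffic no earlier section claimed, and it is simply dropped.
#ifdef LOG_DROPPED_PACKETS
add 65000 deny log all from any to any
#else
add 65000 deny all from any to any
#endif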