Set up IPFW as the default firewall, and add a basic ruleset which
allows all outgoing traffic, but NO incoming by default.
Kris Moore
committed
Feb 18, 2015
1 parent
2042a72
commit b80f78d
Showing
3 changed files
with
57 additions
and
106 deletions.
140 changes: 50 additions & 90 deletions
140
src-sh/pcbsd-utils/xtrafiles/local/share/pcbsd/scripts/reset-firewall
@@ -1,98 +1,58 @@ | ||
#!/bin/sh | ||
# Revision 0.2 Mon Mar 03 12:29:00 EST 2008 | ||
# | ||
# Copyright (c) 2006 Dominique Goncalves | ||
# Copyright (c) 2006 Andrei Kolu | ||
# Modified 2008 Kris Moore (PC-BSD Software) | ||
# | ||
# See COPYING for licence terms. | ||
# Copyright (c) 2015 Kris Moore (iXsystems / PC-BSD) | ||
# License: BSD | ||
|
||
# 06-03-2008 - Kris Moore (PC-BSD Software) | ||
# Added option to open specific ports by passing variables | ||
rules="/etc/ipfw.rules" | ||
|
||
pf_rules="/etc/pf.conf" | ||
|
||
if [ -e "$pf_rules" ] ; then | ||
echo "${pf_rules} already exists!" | ||
if [ -e "$rules" ] ; then | ||
echo "${rules} already exists!" | ||
echo "Remove this file first to re-generate ruleset" | ||
exit 1 | ||
fi | ||
|
||
echo "Creating $pf_rules." | ||
echo "set skip on lo0" > $pf_rules | ||
echo "set block-policy return" >> $pf_rules | ||
echo "scrub in all" >> $pf_rules | ||
echo "antispoof quick for lo0 inet" >> $pf_rules | ||
# block anything coming from source we have no back routes for | ||
echo "block in from no-route to any" >> $pf_rules | ||
|
||
echo "# Block all other incoming" >> $pf_rules | ||
echo "block in log" >> $pf_rules | ||
|
||
echo '' >> $pf_rules | ||
echo '# Allow all outgoing traffic' >> $pf_rules | ||
echo "pass out keep state" >> $pf_rules | ||
|
||
# Deny all from our blacklist | ||
echo '' >> $pf_rules | ||
echo '# Block blacklist' >> $pf_rules | ||
echo 'table <blacklist> persist file "/etc/blacklist"' >> $pf_rules | ||
echo "block from <blacklist> to any" >> $pf_rules | ||
|
||
echo '' >> $pf_rules | ||
echo "# Enable ICMP for IPv4 IPv6" >> $pf_rules | ||
echo "pass proto icmp all" >> $pf_rules | ||
echo "pass proto icmp6 all" >> $pf_rules | ||
############################################################# | ||
|
||
echo '' >> $pf_rules | ||
echo '# Nic Specific Rules' >> $pf_rules | ||
|
||
DEVLIST=`ifconfig -l` | ||
|
||
echo ${DEVLIST} | grep -q "lagg0" | ||
if [ $? -eq 0 ] ; then DEVLIST="${DEVLIST} lagg0"; fi | ||
|
||
echo ${DEVLIST} | grep -q -e "iwn0" -e "ath0" -e "bwn0" -e "bwi0" -e "an0" -e "mwl0" -e "ural0" -e "ral0" -e "zyd0" | ||
if [ $? -eq 0 ] ; then DEVLIST="${DEVLIST} wlan0"; fi | ||
|
||
for inf in ${DEVLIST} ; do | ||
if `echo $inf | egrep -v 'ath|bwn|bwi|an|mwl|ural|ral|zyd|iwn|lo|plip|gif|tun|pfsync' 1>/dev/null` ; then | ||
|
||
# Ports from 49152 to 65535 is needed for SMB and other connectivity | ||
echo "pass in quick on $inf proto {tcp,udp} from any to any port 49152:65535 keep state" >> $pf_rules | ||
|
||
# Setup the default UDP entries | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 137 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 138 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 111 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 1110 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 2049 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 4045 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to ($inf) port 5353 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto udp from any to 224.0.0.251/32 port 5353 keep state" >> $pf_rules | ||
|
||
|
||
# Setup the default TCP entries | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 445 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 137 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 139 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 111 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 1110 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 4045 keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port 5353 keep state" >> $pf_rules | ||
|
||
|
||
# Check if there are any extra ports to open and do so | ||
if [ ! -z "$@" ] | ||
then | ||
for port in "$@" | ||
do | ||
echo "pass in quick on $inf proto udp from any to ($inf) port ${port} keep state" >> $pf_rules | ||
echo "pass in quick on $inf proto tcp from any to ($inf) port ${port} keep state" >> $pf_rules | ||
done | ||
fi | ||
|
||
fi | ||
done | ||
echo "Creating $rules." | ||
|
||
cat >${rules} << EOF | ||
#!/bin/sh | ||
# To re-apply rules, you can run "sh ${rules}" | ||
# Flush out the list before we begin. | ||
ipfw -q -f flush | ||
# Set rules command prefix | ||
cmd="ipfw -q add" | ||
# No restrictions on loopback | ||
#################################################################### | ||
\$cmd 00020 allow all from any to any via lo0 | ||
#################################################################### | ||
# Catch spoofing from outside | ||
#################################################################### | ||
\$cmd 00025 deny ip from any to any not antispoof in | ||
#################################################################### | ||
# Check the state of packets | ||
#################################################################### | ||
\$cmd 00050 check-state | ||
\$cmd 00100 allow tcp from any to any established | ||
#################################################################### | ||
# Allow all outgoing packets | ||
#################################################################### | ||
\$cmd 00150 allow ip from any to any out keep-state | ||
#################################################################### | ||
# Allow specific ports IN now | ||
# Add here for any incoming services | ||
#################################################################### | ||
#\$cmd 00400 allow tcp from any to me 22 in keep-state | ||
#\$cmd 00405 allow tcp from any to me 80 in keep-state | ||
#################################################################### | ||
# Deny all other incoming troublemakers | ||
#################################################################### | ||
\$cmd 00500 deny log all from any to any | ||
#################################################################### | ||
EOF |
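Review bot: The generated rule `\$cmd 00100 allow tcp from any to any established` undercuts the "NO incoming by default" goal of this ruleset: ipfw's `established` matches any TCP segment with the ACK or RST bit set, in either direction, so such inbound segments are accepted by this stateless rule before the final deny at 00500 is ever reached. Since rule 00150 already creates dynamic state for outgoing traffic and `check-state` at 00050 admits the legitimate return packets, the line is redundant and should simply be deleted. If ipfw is also applied to IPv6 on these hosts, the catch-all deny at 00500 will additionally drop inbound ICMPv6 neighbor discovery and router advertisements, which breaks IPv6 address configuration; a narrow `\$cmd 00200 allow ipv6-icmp from any to any icmp6types 133,134,135,136` placed ahead of the deny would cover that. The removed pf generator honoured extra ports passed as positional parameters, whereas the new heredoc ignores `"$@"` entirely, so any caller that still passes ports now has them silently dropped and should be checked.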