diff --git a/libexec/rc/rc.firewall b/libexec/rc/rc.firewall
index e4fc8cc3db7808..273f9835b7df63 100644
--- a/libexec/rc/rc.firewall
+++ b/libexec/rc/rc.firewall
@@ -547,7 +547,16 @@ case ${firewall_type} in
 ;;
 *)
 if [ -r "${firewall_type}" ]; then
-${fwcmd} ${firewall_flags} ${firewall_type}
+if [ -f "${firewall_type}" ]; then
+${fwcmd} ${firewall_flags} ${firewall_type}
+else
+if [ -d "${firewall_type}" ]; then
+for fwfile in `rcorder $firewall_type/*`
+do
+ipfw -q $fwfile;
+done
+fi
+fi
 fi
 ;;
 esac
diff --git a/share/examples/ipfw.d/final b/share/examples/ipfw.d/final
new file mode 100644
index 00000000000000..8cc97711d6beda
--- /dev/null
+++ b/share/examples/ipfw.d/final
@@ -0,0 +1,13 @@
+#
+# PROVIDE: final
+# REQUIRE: setup services outbound routing
+#
+
+#
+add allow tcp from me to any out setup // default outbound
+
+# silently ignore local multicast
+add deny ip from any to 224.0.0.0/4 // drop multicast
+
+# drop and log everything else
+add reset log ip from any to any
diff --git a/share/examples/ipfw.d/ntp_client b/share/examples/ipfw.d/ntp_client
new file mode 100644
index 00000000000000..8f76c0276ce523
--- /dev/null
+++ b/share/examples/ipfw.d/ntp_client
@@ -0,0 +1,11 @@
+# REQUIRE: outbound
+# PROVIDE: ntp_client ntp_servers
+# BEFORE: final
+
+table ntp_servers create
+
+# Uncomment and your NTP servers (if they are on known ips in your network) to the following table:
+
+# table ntp_servers add x.x.x.x
+
+add allow ip from me to table(ntp_servers) 123 keep-state // NTP outbound
diff --git a/share/examples/ipfw.d/outbound b/share/examples/ipfw.d/outbound
new file mode 100644
index 00000000000000..36be7ab73a5ddc
--- /dev/null
+++ b/share/examples/ipfw.d/outbound
@@ -0,0 +1,6 @@
+#
+# REQUIRE: services
+# PROVIDE: outbound
+# BEFORE: final
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/routing b/share/examples/ipfw.d/routing
new file mode 100644
index 00000000000000..a1c58321d5d98e
--- /dev/null
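Review bot: The directory branch runs `ipfw -q $fwfile` directly, while the file branch two lines above uses `${fwcmd} ${firewall_flags} ${firewall_type}`, so a ruleset loaded from a directory ignores whatever rc.firewall has placed in fwcmd and firewall_flags (the quiet setting among them); use `${fwcmd} ${firewall_flags} "$fwfile"` there and drop the stray trailing semicolon. `$firewall_type/*` and `$fwfile` are unquoted, so a path containing whitespace splits, and the glob hands every file in the directory, editor backups and leftovers included, to ipfw as policy, which deserves a comment or a name filter. If rcorder fails or the directory is empty the loop runs nothing and the firewall comes up without any rules from this path and without a message, so an explicit error on an empty list would help. The nested else/if pair could be a single `elif [ -d "${firewall_type}" ]; then`. The enclosing case statement starts before the hunk.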
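Review bot: The last rule `add reset log ip from any to any` does not match its comment `# drop and log everything else`: ipfw's reset action answers matching TCP packets with a RST instead of discarding them silently, so either the action should become `deny log` or the comment should say that TCP is actively refused. The file also never says that the outbound `add allow tcp from me to any out setup` rule appears to rely on the `established` rule in the setup example for return packets rather than on keep-state; a one-line comment there would save the reader a trip through the other files. The bare `#` line above that rule looks like a comment whose text was lost.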
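Review bot: `add allow ip from me to table(ntp_servers) 123 keep-state` opens port 123 for every protocol ipfw will match the port qualifier against, although NTP only uses UDP; `add allow udp from me to table(ntp_servers) 123 keep-state // NTP outbound` keeps the rule to the protocol actually needed. The comment `# Uncomment and your NTP servers ...` is missing a word; `# Uncomment and add your NTP servers (if they are on known IPs in your network) to the following table:` reads correctly.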
+++ b/share/examples/ipfw.d/routing
@@ -0,0 +1,6 @@
+#
+# REQUIRE: setup
+# PROVIDE: routing
+# BEFORE: services
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/services b/share/examples/ipfw.d/services
new file mode 100644
index 00000000000000..a08d86d96885e0
--- /dev/null
+++ b/share/examples/ipfw.d/services
@@ -0,0 +1,5 @@
+# REQUIRE: setup routing
+# PROVIDE: services
+# BEFORE: outbound
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/setup b/share/examples/ipfw.d/setup
new file mode 100644
index 00000000000000..6ed5940fbfa4c2
--- /dev/null
+++ b/share/examples/ipfw.d/setup
@@ -0,0 +1,47 @@
+#
+# PROVIDE: setup blocked bogons
+# BEFORE: services routing outbound final
+#
+
+# remove all existing tables
+table all destroy
+table blocked create
+
+# standard (non-service specific) tables
+table bogons create
+table bogons add 0.0.0.0/8
+table bogons add 10.0.0.0/8
+table bogons add 172.12.0.0/12
+table bogons add 192.168.0.0/16
+table bogons add 169.254.0.0/16
+table bogons add 240.0.0.0/4
+
+# permit existing TCP sessions
+add allow tcp from any to any established
+
+# permit internal loopback traffic
+add allow ip from any to any via lo0
+add allow ip from any to any via lo1
+
+# deny directed loopback traffic
+add deny ip from any to 127.0.0.0/8 in
+add deny ip from any to ::/64 in
+
+# deny unexpected sources
+add deny ip from table(bogons) to me in // unexpected sources
+
+# deny explicitly disabled (non-persistent) sources
+add deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
+
+# allow bsd-standard-port traceroutes
+add allow udp from me to any 33434-33600 // traceroute in
+add allow udp from any to me 33434-33600 // traceroute out
+
+# moderately permissive ICMPv4
+add allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
+
+# link-local ICMPv6 (RS, RA, NS, NA) - per FreeBSD standard rules
+add allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
+add allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
+add allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
+add allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
diff --git a/share/examples/ipfw.d/ssh_service b/share/examples/ipfw.d/ssh_service
new file mode 100644
index 00000000000000..dff81f4fa4397e
--- /dev/null
+++ b/share/examples/ipfw.d/ssh_service
@@ -0,0 +1,7 @@
+# REQUIRE: services
+# PROVIDE: ssh_service ssh_clients
+# BEFORE: outbound
+
+table ssh_clients create
+
+add allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH
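Review bot: `table bogons add 172.12.0.0/12` looks like a typo for the RFC 1918 block `172.16.0.0/12`; with a /12 prefix the entry as written covers 172.0.0.0 through 172.15.255.255 and leaves the private range it meant to list out of the table. The two traceroute comments are swapped: `from me to any` is the outbound probe and `from any to me` the inbound one, so the `// traceroute in` and `// traceroute out` annotations should change places. The `// ICMPv6 DAD` rule allows `from :: to fe80::/10`, but duplicate address detection sends its neighbour solicitations from :: to solicited-node multicast addresses under ff02::/16, so that rule may not pass the traffic it names; confirm it against the stock rc.firewall rule the comment cites. `table all destroy` also removes tables created by anything else using ipfw on the host, and the bogons table carries the RFC 1918 ranges, so a host that talks to a private LAN needs those entries removed; both deserve a comment since the file is meant to be copied as an example.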
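Review bot: `table ssh_clients create` leaves the table empty, so `add allow tcp from table(ssh_clients) to me 22 in setup` admits no one until an administrator adds addresses, and unlike the ntp_client example nothing in the file says so; add `# Add the addresses allowed to reach sshd, e.g.: table ssh_clients add x.x.x.x` above the rule. Like the other examples it appears to rely on the `established` rule in setup for return traffic, which is worth stating in the rule's comment.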
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index de2181d638d17e..578a581f2069a0 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -693,6 +693,12 @@ basic protection for a LAN.
 .Pp
 If a filename is specified, the full path must be given.
+If a directory is specified, then the
+directory should contain files containing headers compatible with
+.Xr rcorder 8
+as they will be sorted in this order, and then
+.Xr ipfw 8
+will be run on each, as though each were a singular rules file.
 .Pp
 Most of the predefined rulesets define additional configuration
 variables.
 These are documented in