#!/bin/sh - ## Paranoid ipfw configuration for its.os.org box # Suck in the configuration variables. if [ -f /etc/defaults/rc.conf ]; then . /etc/defaults/rc.conf elif [ -f /etc/rc.conf ]; then . /etc/rc.conf fi ############ # Set quiet mode if requested if [ "x$firewall_quiet" = "xYES" ]; then fwcmd="/sbin/ipfw -q" else fwcmd="/sbin/ipfw" fi #### configure #### # 199.34.53.48/29 # 255.255.255.248 # .48 # 199.34.53.49 # 199.34.53.50 its.joss.com (NATIVE SYSTEM) # 199.34.53.51 pi.its.os.org (VIRTUAL ITS) # 199.34.53.52 dx.its.os.org (VIRTUAL ITS) # 199.34.53.53 du.its.os.org (VIRTUAL ITS) # 199.34.53.54 ??.its.os.org (VIRTUAL ITS) # .55 # # Addresses. "me" is its.joss.com # us=199.34.53.48/29 b0=199.34.53.48 gw=199.34.53.49 me=199.34.53.50 pi=199.34.53.51 dx=199.34.53.52 du=199.34.53.53 qq=199.34.53.54 b1=199.34.53.55 # Name of our interface to the outside world (ethernet, presumably) # oif=de0 ################### # Clean slate # $fwcmd -f flush # Do not accept source routed traffic under any circumstances # $fwcmd add deny log all from any to any ipoptions ssrr,lsrr,rr # Allow everything on loopback interface # $fwcmd add pass all from any to any via lo0 ## IP rules ## # Loopback addresses on non-loopback interfaces are spoofed # $fwcmd add deny log all from any to 127.0.0.0/8 $fwcmd add deny log all from 127.0.0.0/8 to any # As far as I know there is no reason for any traffic to or from # any kind of broadcast, class D, class E, or RFC-1597 private # address to appear on this subnet. # # Tuez les tous, Dieu reconnaitra les siens. # $fwcmd add deny log all from $b0 to any $fwcmd add deny log all from $b1 to any $fwcmd add deny log all from 0.0.0.0 to any $fwcmd add deny log all from 224.0.0.0/3 to any $fwcmd add deny log all from 255.255.255.255 to any $fwcmd add deny log all from any to $b0 $fwcmd add deny log all from any to $b1 $fwcmd add deny log all from any to 0.0.0.0 $fwcmd add deny log all from any to 224.0.0.0/3 $fwcmd add deny log all from any to 255.255.255.255 $fwcmd add deny log all from 10.0.0.0/8 to any $fwcmd add deny log all from 172.16.0.0/12 to any #KLH $fwcmd add deny log all from 192.168.0.0/16 to any $fwcmd add deny log all from any to 10.0.0.0/8 $fwcmd add deny log all from any to 172.16.0.0/12 #KLH $fwcmd add deny log all from any to 192.168.0.0/16 # Don't let anybody else pretend to be this unix machine # $fwcmd add deny log all from $me to any in recv any # If anybody actually figures out how to hack ITS into spoofing, we # probably ought to sign that person up on the spot, but just in case # some total loser gets lucky, let's make it a little harder for # spoofed packets to escape from ITS # Note: this also prevents a misconfigured ITS from causing trouble. # $fwcmd add deny log all from not $us to any in recv 'tun*' $fwcmd add deny log all from $gw to any in recv 'tun*' # Last, a little protection in case our first-hop router isn't checking # addresses as carefully as we are. Prohibit any packets coming into # the interface which are from our own subnet, except for ICMPs from # the gateway. $fwcmd add pass icmp from $gw to $us recv $oif icmptypes 0,3,8,11 $fwcmd add deny log all from $us to any in recv $oif $fwcmd add deny log all from any to not $us in recv $oif # Add any other rules to discard known bogus addresses here ## TCP rules # We do our TCP connection checking on setup, so just let # any established connection go through # Most TCP traffic matches this rule, so put it as early as possible # $fwcmd add pass tcp from any to any established ##################### # The intent of the following rules is: # The only way to access the Unix system from outside is via SSH, # and later SMTP after mailer is configured. # The only outside access to PI ITS is via TELNET/SUPDUP. # (Later FTP? Note ITS doesn't support PASV FTP.) # Nothing from outside to DU/DX (the dev ITS systems). Access has # to be via SSH to unix and thence to DU/DX. # PI cannot go anywhere, either outside or locally. # Unix and DU/DX can go anywhere, both outside & locally. # Access from outside - permit only these things # Allow TELNET/SUPDUP into PI ITS. # Allow SSH into the unix box. Add SMTP later after mailer is configured. # $fwcmd add pass tcp from any to $pi telnet,supdup setup $fwcmd add pass tcp from any to $me ssh setup # Any connection initiated by the unix machine or DU, DX is okay. # All three have full access to all systems plus outside world. # $fwcmd add pass tcp from $me to any setup $fwcmd add pass tcp from $dx to any setup $fwcmd add pass tcp from $du to any setup # Don't allow any other connections. # $fwcmd add reset log tcp from any to any setup # For possible later use: # ITS machines are not allowed to initiate connections to the outside world # Anything else coming from an ITS machine is ok # # $fwcmd add reset log tcp from any to any setup out recv 'tun*' xmit $oif # $fwcmd add pass tcp from any to any setup recv 'tun*' # KLH: what's the point of this when the next rule refuses it anyway? # Silently drop IDENT traffic # (Gee, Dr. Bernstein, let's launch a denial-of-service attack on ourselves!) # $fwcmd add reset tcp from any to any ident setup # No other TCP connections allowed # $fwcmd add reset log tcp from any to any setup # Please don't even think about turning on SunRPC or NFS # $fwcmd add deny log udp from any to any sunrpc,nfs # Don't accept inbound syslog from the outside world # (no known useful purpose, so don't let bozos fill our log directory) # $fwcmd add deny log udp from any to any syslog in recv $oif # We need DNS (domain) and NTP # $fwcmd add pass udp from any domain,ntp to any $fwcmd add pass udp from any to any domain,ntp # Allow useful cases of syslog. Heck, maybe ITS should use it # $fwcmd add pass udp from $us to $us syslog # Allow the useful ICMP messages: # Echo (types 0 & 8, for ping and traceroute) # Destination Unreachable (type 3) # Time Exceeded (type 11, primarily for traceroute) # # We should NOT accept ICMP Redirects (we're a router) $fwcmd add pass icmp from any to any icmptypes 0,3,8,11 $fwcmd add deny icmp from any to any out recv $oif xmit 'tun*' $fwcmd add pass icmp from any to any out xmit 'tun*' # Silently discard ICMP Router Discovery strobes # $fwcmd add deny icmp from any to any icmptypes 10 # Deny and log everything else. If this turns out to be too # verbose, consider adding rules to silently drop stuff that # we understand but don't want. Anything we don't understand # probably ought to be logged. # # If you don't understand it, it's dangerous. # $fwcmd add deny log all from any to any