mirror of
https://github.com/PDP-10/klh10.git
synced 2026-01-11 23:52:54 +00:00
212 lines
6.6 KiB
Bash
212 lines
6.6 KiB
Bash
#!/bin/sh -
|
|
## Paranoid ipfw configuration for its.os.org box
|
|
|
|
# Suck in the configuration variables.
|
|
if [ -f /etc/defaults/rc.conf ]; then
|
|
. /etc/defaults/rc.conf
|
|
elif [ -f /etc/rc.conf ]; then
|
|
. /etc/rc.conf
|
|
fi
|
|
|
|
############
|
|
# Set quiet mode if requested
|
|
if [ "x$firewall_quiet" = "xYES" ]; then
|
|
fwcmd="/sbin/ipfw -q"
|
|
else
|
|
fwcmd="/sbin/ipfw"
|
|
fi
|
|
|
|
#### configure ####
|
|
|
|
# 199.34.53.48/29
|
|
# 255.255.255.248 <netmask>
|
|
# .48 <reserved (old bcast?)>
|
|
# 199.34.53.49 <gateway>
|
|
# 199.34.53.50 its.joss.com (NATIVE SYSTEM)
|
|
# 199.34.53.51 pi.its.os.org (VIRTUAL ITS)
|
|
# 199.34.53.52 dx.its.os.org (VIRTUAL ITS)
|
|
# 199.34.53.53 du.its.os.org (VIRTUAL ITS)
|
|
# 199.34.53.54 ??.its.os.org (VIRTUAL ITS)
|
|
# .55 <reserved for bcast>
|
|
#
|
|
|
|
# Addresses. "me" is its.joss.com
|
|
#
|
|
us=199.34.53.48/29
|
|
b0=199.34.53.48
|
|
gw=199.34.53.49
|
|
me=199.34.53.50
|
|
pi=199.34.53.51
|
|
dx=199.34.53.52
|
|
du=199.34.53.53
|
|
qq=199.34.53.54
|
|
b1=199.34.53.55
|
|
|
|
# Name of our interface to the outside world (ethernet, presumably)
|
|
#
|
|
oif=de0
|
|
|
|
###################
|
|
|
|
# Clean slate
|
|
#
|
|
$fwcmd -f flush
|
|
|
|
# Do not accept source routed traffic under any circumstances
|
|
#
|
|
$fwcmd add deny log all from any to any ipoptions ssrr,lsrr,rr
|
|
|
|
# Allow everything on loopback interface
|
|
#
|
|
$fwcmd add pass all from any to any via lo0
|
|
|
|
## IP rules ##
|
|
|
|
# Loopback addresses on non-loopback interfaces are spoofed
|
|
#
|
|
$fwcmd add deny log all from any to 127.0.0.0/8
|
|
$fwcmd add deny log all from 127.0.0.0/8 to any
|
|
|
|
# As far as I know there is no reason for any traffic to or from
|
|
# any kind of broadcast, class D, class E, or RFC-1597 private
|
|
# address to appear on this subnet.
|
|
#
|
|
# Tuez les tous, Dieu reconnaitra les siens.
|
|
#
|
|
$fwcmd add deny log all from $b0 to any
|
|
$fwcmd add deny log all from $b1 to any
|
|
$fwcmd add deny log all from 0.0.0.0 to any
|
|
$fwcmd add deny log all from 224.0.0.0/3 to any
|
|
$fwcmd add deny log all from 255.255.255.255 to any
|
|
$fwcmd add deny log all from any to $b0
|
|
$fwcmd add deny log all from any to $b1
|
|
$fwcmd add deny log all from any to 0.0.0.0
|
|
$fwcmd add deny log all from any to 224.0.0.0/3
|
|
$fwcmd add deny log all from any to 255.255.255.255
|
|
$fwcmd add deny log all from 10.0.0.0/8 to any
|
|
$fwcmd add deny log all from 172.16.0.0/12 to any
|
|
#KLH $fwcmd add deny log all from 192.168.0.0/16 to any
|
|
$fwcmd add deny log all from any to 10.0.0.0/8
|
|
$fwcmd add deny log all from any to 172.16.0.0/12
|
|
#KLH $fwcmd add deny log all from any to 192.168.0.0/16
|
|
|
|
# Don't let anybody else pretend to be this unix machine
|
|
#
|
|
$fwcmd add deny log all from $me to any in recv any
|
|
|
|
# If anybody actually figures out how to hack ITS into spoofing, we
|
|
# probably ought to sign that person up on the spot, but just in case
|
|
# some total loser gets lucky, let's make it a little harder for
|
|
# spoofed packets to escape from ITS
|
|
# Note: this also prevents a misconfigured ITS from causing trouble.
|
|
#
|
|
$fwcmd add deny log all from not $us to any in recv 'tun*'
|
|
$fwcmd add deny log all from $gw to any in recv 'tun*'
|
|
|
|
# Last, a little protection in case our first-hop router isn't checking
|
|
# addresses as carefully as we are. Prohibit any packets coming into
|
|
# the interface which are from our own subnet, except for ICMPs from
|
|
# the gateway.
|
|
$fwcmd add pass icmp from $gw to $us recv $oif icmptypes 0,3,8,11
|
|
$fwcmd add deny log all from $us to any in recv $oif
|
|
$fwcmd add deny log all from any to not $us in recv $oif
|
|
|
|
# Add any other rules to discard known bogus addresses here
|
|
|
|
## TCP rules
|
|
|
|
# We do our TCP connection checking on setup, so just let
|
|
# any established connection go through
|
|
# Most TCP traffic matches this rule, so put it as early as possible
|
|
#
|
|
$fwcmd add pass tcp from any to any established
|
|
|
|
#####################
|
|
# The intent of the following rules is:
|
|
# The only way to access the Unix system from outside is via SSH,
|
|
# and later SMTP after mailer is configured.
|
|
# The only outside access to PI ITS is via TELNET/SUPDUP.
|
|
# (Later FTP? Note ITS doesn't support PASV FTP.)
|
|
# Nothing from outside to DU/DX (the dev ITS systems). Access has
|
|
# to be via SSH to unix and thence to DU/DX.
|
|
# PI cannot go anywhere, either outside or locally.
|
|
# Unix and DU/DX can go anywhere, both outside & locally.
|
|
|
|
|
|
# Access from outside - permit only these things
|
|
# Allow TELNET/SUPDUP into PI ITS.
|
|
# Allow SSH into the unix box. Add SMTP later after mailer is configured.
|
|
#
|
|
$fwcmd add pass tcp from any to $pi telnet,supdup setup
|
|
$fwcmd add pass tcp from any to $me ssh setup
|
|
|
|
# Any connection initiated by the unix machine or DU, DX is okay.
|
|
# All three have full access to all systems plus outside world.
|
|
#
|
|
$fwcmd add pass tcp from $me to any setup
|
|
$fwcmd add pass tcp from $dx to any setup
|
|
$fwcmd add pass tcp from $du to any setup
|
|
|
|
# Don't allow any other connections.
|
|
#
|
|
$fwcmd add reset log tcp from any to any setup
|
|
|
|
# For possible later use:
|
|
# ITS machines are not allowed to initiate connections to the outside world
|
|
# Anything else coming from an ITS machine is ok
|
|
#
|
|
# $fwcmd add reset log tcp from any to any setup out recv 'tun*' xmit $oif
|
|
# $fwcmd add pass tcp from any to any setup recv 'tun*'
|
|
|
|
# KLH: what's the point of this when the next rule refuses it anyway?
|
|
# Silently drop IDENT traffic
|
|
# (Gee, Dr. Bernstein, let's launch a denial-of-service attack on ourselves!)
|
|
#
|
|
$fwcmd add reset tcp from any to any ident setup
|
|
|
|
# No other TCP connections allowed
|
|
#
|
|
$fwcmd add reset log tcp from any to any setup
|
|
|
|
# Please don't even think about turning on SunRPC or NFS
|
|
#
|
|
$fwcmd add deny log udp from any to any sunrpc,nfs
|
|
|
|
# Don't accept inbound syslog from the outside world
|
|
# (no known useful purpose, so don't let bozos fill our log directory)
|
|
#
|
|
$fwcmd add deny log udp from any to any syslog in recv $oif
|
|
|
|
# We need DNS (domain) and NTP
|
|
#
|
|
$fwcmd add pass udp from any domain,ntp to any
|
|
$fwcmd add pass udp from any to any domain,ntp
|
|
|
|
# Allow useful cases of syslog. Heck, maybe ITS should use it
|
|
#
|
|
$fwcmd add pass udp from $us to $us syslog
|
|
|
|
# Allow the useful ICMP messages:
|
|
# Echo (types 0 & 8, for ping and traceroute)
|
|
# Destination Unreachable (type 3)
|
|
# Time Exceeded (type 11, primarily for traceroute)
|
|
#
|
|
# We should NOT accept ICMP Redirects (we're a router)
|
|
$fwcmd add pass icmp from any to any icmptypes 0,3,8,11
|
|
$fwcmd add deny icmp from any to any out recv $oif xmit 'tun*'
|
|
$fwcmd add pass icmp from any to any out xmit 'tun*'
|
|
|
|
# Silently discard ICMP Router Discovery strobes
|
|
#
|
|
$fwcmd add deny icmp from any to any icmptypes 10
|
|
|
|
# Deny and log everything else. If this turns out to be too
|
|
# verbose, consider adding rules to silently drop stuff that
|
|
# we understand but don't want. Anything we don't understand
|
|
# probably ought to be logged.
|
|
#
|
|
# If you don't understand it, it's dangerous.
|
|
#
|
|
$fwcmd add deny log all from any to any
|
|
|