Context Navigation

← Previous Changeset
Next Changeset →

Changeset 8734

Timestamp:

Jan 26, 2011, 9:49:24 PM (14 years ago)

Author:

rick

Message:

Less restrictive Firewall in internal port

Support for inbound NAT to use the proxy as router from PRIVATE NETWORK -> WL NETWORK

Code/Variable Cleanup

File:

: 1 edited

2.0/nanobsd/nanobsd/files/etc/ipfw.sh (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

2.0/nanobsd/nanobsd/files/etc/ipfw.sh

-              r8419
+              r8734
 #!/bin/sh -
 # Based on /etc/rc.firewall
+allowed2internet="80,443"
+maxconnections="10"
+#
+# Firewall for use at Wireless Leiden Proxy. Rules:
+# - Fully exposed internal interface.
+# - Allow private networks connected to IFACE_INET to connected to WL NETWORK (NAT).
+# - Limited set of outbound NAT for WL connections.
+#
+# Richard van Mansom <richard@vanmansom.net>
+# Rick van der Zwet <info@rickvanderzwet.nl>
 # Suck in the configuration variables.
 …
         fi
 fi
+IFACE_INET=${IFACE_INET:-sis0}
+IFACE_WL=${IFACE_WL:-sis1}
+PRIVATE_NETWORKS=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
+# MAX_CONN allowed via Outbound NAT to ONP ports
+ONP=http,https
+MAX_CONN=10
 setup_loopback () {
 …
 esac
-###########
-# Set Internal/External Interface
+#
-driver=`echo ${internalif} | sed 's/[0-9]*//g'`
-seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
-if [ ${seq} = 0 ]; then
-  seq=`expr ${seq} \+ 1`
-else
-  seq=`expr ${seq} \- 1`
-fi
-externalif="$driver$seq"
-# Get public ip
-externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
 ############
 # Flush out the list before we begin.
 …
 setup_loopback
+${fwcmd} add 400 check-state
 ############
+# Block the hosters network (and maybe others)
+# Allow all outgoing connections from this system
+${fwcmd} add 500 allow all from me to any keep-state
+for IP in ${firewall_block}
+do
+  ${fwcmd} add deny ip from any to ${IP} in via $internalif
+done
+############
+# Default services on External Interface (firewalled)
+${fwcmd} add 501 allow tcp from any to me ssh via ${IFACE_INET} keep-state
+# Default services on Internal Interface (allow all)
+${fwcmd} add 502 allow ip from any to me via ${IFACE_WL} keep-state
-#############
-# Outbound NAT setup
+${fwcmd} add nat 100 all from 172.16.0.0/12 to any out via $externalif
+${fwcmd} add nat 100 all from any to $externalip in via $externalif
+${fwcmd} nat 100 config if $externalif
+############
+# Inbound NAT setup (External -> WL Network, all ports allowed
+# Used to allow external network to use WL Network
+${fwcmd} add 1000 nat 1 ip from ${PRIVATE_NETWORKS} to 172.16.0.0/12 out xmit ${IFACE_WL} setup established
+${fwcmd} add 1001 nat 1 ip from 172.16.0.0/12 to ${PRIVATE_NETWORKS} in recv ${IFACE_WL} established
+${fwcmd} nat 1 config if ${IFACE_WL}
+#
+${fwcmd} add 1010 allow all from ${PRIVATE_NETWORKS} to 172.16.0.0/12 in via ${IFACE_INET} keep-state
+#############
+# WL -> Internet
+# Stateful firewalling
+${fwcmd} add 3000 check-state
+# HTTP
+${fwcmd} add 3001 allow tcp from 172.16.0.0/12 to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
+# HTTPS
+# Allow anything originating from me
+${fwcmd} add 4001 allow ip from me to any keep-state
+# Allow on any interface
+# Allow SSH
+${fwcmd} add 5001 allow tcp from any to me 22 keep-state
+# Allow on internal interface
+# DNS
+${fwcmd} add 6001 allow ip from any to me 53 via $internalif keep-state
+# NTP
+${fwcmd} add 6002 allow udp from any to me 123 via $internalif keep-state
+# HTTP-PROXY
+${fwcmd} add 6003 allow tcp from any to me 3128 via $internalif keep-state
+# lvrouted
+${fwcmd} add 6004 allow udp from 172.16.0.0/12 to me 12345 via $internalif keep-state
+# SNMP
+${fwcmd} add 6005 allow udp from any to me 161 via $internalif keep-state
+############
+# Outbound NAT setup (WL Network -> External, limited portset)
+${fwcmd} add 2000 nat 2 ip from 172.16.0.0/12 to any ${ONP} out xmit ${IFACE_INET} setup established
+${fwcmd} add 2001 nat 2 ip from any ${ONP} to 172.16.0.0/12 in recv ${IFACE_INET} established
+${fwcmd} nat 2 config if ${IFACE_INET}
+#
+# Block any communication private network at external interface,
+# to ensure you cannot reach the (private network in between). (extra security)
+${fwcmd} add 2010 deny all from any to ${PRIVATE_NETWORKS} in recv ${IFACE_WL}
+#
+# Allow communication to allowed ports.
+${fwcmd} add 2011 allow all from 172.16.0.0/12 to any ${ONP} in via ${IFACE_WL} setup limit src-addr ${MAX_CONN}
+# Block anything else
+${fwcmd} add 65000 deny ip from any to any
+############
+# Transproxy/WLportal/Captive portal
+# ${fwcmd} add 10000 allow tcp from any to localhost 80
+# ${fwcmd} add 10001 allow tcp from any to me 80
+############
+# Reserved: WLPortal rule numbers
+# 10010 - 10099
+# Forward rules work without a base address, so needed a loop over all inet4 adresses
+# for IP in `ifconfig -a | awk '/inet / {print $2}'`; do
+#   ${fwcmd} add 10100 fwd $IP,8081 tcp from any to not 172.16.0.0/12 80
+# done
+############
+# By default DENY everything.
+${fwcmd} add 65000 deny log logamount 500 all from any to any

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 8734

Legend:

2.0/nanobsd/nanobsd/files/etc/ipfw.sh

Download in other formats: