Changeset 10185 in hybrid for branches/releng-9.0/nanobsd/files/etc

Timestamp:

Mar 17, 2012, 11:51:28 AM (13 years ago)

Author:

richardvm

Message:

firewall and portal fixes

File:

• branches/releng-9.0/nanobsd/files/etc/ipfw.sh (modified) (1 diff)

branches/releng-9.0/nanobsd/files/etc/ipfw.sh

@@ -1 @@
-#!/bin/sh -
-# Based on /etc/rc.firewall
-#
-# Credits: Richard van Mansom, Rick van der Zwet
+## Building options
+dumpdev="NO"                    # No kernel dumps as we don't have a place to
+                                # store them 
+ipv6_enable="NO"                # No IPv6 support for now, near feature... ;-)
 
+# NTP server needs working config with WL network or internet on boot
+# so some warnings might pop up, but no harm
+ntpdate_enable="YES"
+ntpd_enable="YES"
+ntpd_sync_on_start="YES"
+ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
 
-allowed2internet="80,443"
-maxconnections="10"
+# We need no running mail server
+sendmail_enable="NONE"
 
-RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
-WLNET='172.16.0.0/12'
+# Don't let syslog accept input from other remote hosts
+syslogd_enable="YES"
+syslogd_flags="-s -A -c"
 
-# Suck in the configuration variables.
-if [ -z "${source_rc_confs_defined}" ]; then
-        if [ -r /etc/defaults/rc.conf ]; then
-                . /etc/defaults/rc.conf
-                source_rc_confs
-        elif [ -r /etc/rc.conf ]; then
-                . /etc/rc.conf
-        fi
-fi
+# Remote login without DNS checking as it might not also be functionable
+# -u0 prevent sshd from making DNS requests unless the authentication mechanism
+# or configuration requires it.
+sshd_enable="YES"
+sshd_flags="-u0"
 
-setup_loopback () {
-        ############
-        # Only in rare cases do you want to change these rules
-        #
-        ${fwcmd} add 100 pass all from any to any via lo0
-        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
-        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-}
+# Don't update the motd as it not writeable, the update_nanobsd_motd is a
+# simple wrapper found at /usr/local/etc/rc.d supporting this featureg
+update_motd="NO"
+update_nanobsd_motd="YES"
 
-############
-# Set quiet mode if requested
-#
-case ${firewall_quiet} in
-[Yy][Ee][Ss])
-        fwcmd="/sbin/ipfw -q"
-        ;;
-*)
-        fwcmd="/sbin/ipfw"
-        ;;
-esac
+# Monitoring deamons
+nrpe2_enable="YES"
+snmpd_enable="YES"
+snmpd_flags="-a -LF w /var/log/snmpd.log"
 
-###########
-# Set Internal/External Interface
-#
-driver=`echo ${internalif} | sed 's/[0-9]*//g'`
-seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+# HTTP(S) proxy server
+tinyproxy_enable="YES"
 
-if [ ${seq} = 0 ]; then
-  seq=`expr ${seq} \+ 1`
-else
-  seq=`expr ${seq} \- 1`
-fi
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-externalif="$driver$seq"
+## Port extentions
+# Serve our clients some pretty cool IP address to at least get connected
+# Also some low-memory footprint dns resolver
+dnsmasq_enable="YES"
 
-# Get interface Addresses
-externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
-internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
-############
-# Flush out the list before we begin.
-#
-${fwcmd} -f flush
+## WL ports extentions
+thttpd_enable="YES"
+http302_enable="YES"
 
-setup_loopback
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-
-############
-# Block the hosters network (and maybe others)
-for IP in ${firewall_block}
-do
-  ${fwcmd} add deny ip from any to ${IP} in via $internalif
-done
-
-############
-# Statefull filewall in use
-${fwcmd} add check-state
-
-# Allow anything originating from me
-${fwcmd} add allow ip from me to any keep-state
-
-
-#############
-# Outbound NAT setup
-# WL Net -> Internet
-${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
-${fwcmd} add nat 100 all from any to $externalip in recv $externalif
-${fwcmd} nat 100 config if $externalif
-
-# Subnet Internet is allowed
-${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
-
-
-#############
-# Internal Network -> WL Net
-# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
-${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
-${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
-${fwcmd} nat 200 config if $internalif
-
-# Allow all traffic inbound
-${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
-
-
-#############
-## Services in use
-## Allow on external interface
-external_allow_tcp="ssh"
-${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
-
-## Allow on internal interface
-internal_allow_tcp="ssh,domain,3128"
-internal_allow_udp="ntp,domain,snmp,12345"
-${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
-${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
-
-# Basic ICMP managment traffic
-${fwcmd} add allow icmp from any to me icmptype 8
-${fwcmd} add allow icmp from me to any icmptype 3,4,11
-
-
-#############
-# Block anything else
-${fwcmd} add 65000 deny log logamount 500 ip from any to any
-
+#Hybrid
+openvpn_enable="YES"
+openvpn_if="tap"
+cloned_interfaces="bridge0"
+gateway_enable="YES"
+pf_enable="YES"
+pf_rules="/etc/pf.conf.ileiden"
+pf_flags=""
+pf2_enable="YES"