#!/bin/sh -
# Copyright (c) 1996  Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
# Skipped when whoever invoked us has already run source_rc_confs
# (source_rc_confs_defined is set); a stand-alone run reads rc.conf itself.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	else
		# No defaults file: fall back to the bare rc.conf, if any.
		[ -r /etc/rc.conf ] && . /etc/rc.conf
	fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#                 firewalling.  See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
#	William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
#
#	Addison-Wesley / Prentice Hall
#	ISBN 0-201-63466-X
#	http://www.pearsonhighered.com/
#	http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html
#

#######################################
# Loopback rules installed for every firewall type: pass everything on
# lo0, then refuse loopback addresses seen anywhere else.  The IPv6
# counterpart (::1) is added only when the inet6 address family exists.
# Globals:  fwcmd (read), ipv6_available (read; 0 means inet6 present)
# Returns:  status of the last ipfw(8) invocation
#######################################
setup_loopback() {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
	if [ "$ipv6_available" -eq 0 ]; then
		${fwcmd} add 400 deny all from any to ::1
		${fwcmd} add 500 deny all from ::1 to any
	fi
}

#######################################
# ICMPv6 that IPv6 cannot function without (neighbour discovery, DAD,
# router discovery, destination unreachable, packet too big).
# A no-op when the inet6 address family is absent.
# Globals:  fwcmd (read), ipv6_available (read; 0 means inet6 present)
# Returns:  0 when skipped, else status of the last ipfw(8) invocation
#######################################
setup_ipv6_mandatory() {
	if [ "$ipv6_available" -eq 0 ]; then
		############
		# Only in rare cases do you want to change these rules
		#
		# ND
		#
		# DAD
		${fwcmd} add pass ipv6-icmp from :: to ff02::/16
		# RS, RA, NS, NA, redirect...
		${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
		${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

		# Allow ICMPv6 destination unreachable
		${fwcmd} add pass ipv6-icmp from any to any icmp6types 1

		# Allow NS/NA/toobig (don't filter it out)
		${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
	fi
}

. /etc/rc.subr
. /etc/network.subr

# A firewall type given as the first argument overrides the rc.conf value.
[ -n "${1}" ] && firewall_type="${1}"

# Load rc.conf knobs for the ipfw service, or for each name listed in
# firewall_rc_config_load when that is set.
if [ -n "${firewall_rc_config_load}" ]; then
	for i in ${firewall_rc_config_load}; do
		load_rc_config $i
	done
else
	load_rc_config ipfw
fi

# Remember whether the inet6 address family is present (0 = yes).
afexists inet6
ipv6_available=$?
############
# Set quiet mode if requested
#
# fwcmd is the ipfw(8) command prefix used by every rule below; "-q"
# is appended when firewall_quiet is YES (any letter case).
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback
setup_ipv6_mandatory

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	# Userland NAT via natd(8): rule 50 diverts IPv4 on natd_interface.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac
	# In-kernel NAT: firewall_nat_interface may be an interface name
	# ("if ...") or a dotted IPv4 address ("ip ...").
	case ${firewall_nat_enable} in
	[Yy][Ee][Ss])
		if [ -n "${firewall_nat_interface}" ]; then
			_nat_kw=if
			if printf '%s\n' "${firewall_nat_interface}" | \
			    grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
				_nat_kw=ip
			fi
			firewall_nat_flags="${_nat_kw} ${firewall_nat_interface} ${firewall_nat_flags}"
			${fwcmd} nat 123 config log ${firewall_nat_flags}
			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
		fi
		;;
	esac
esac
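#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
# Dispatch on firewall_type (matched case-insensitively).  Anything that
# is not one of the named types is treated as the path of an ipfw(8)
# rule file; that path comes from rc.conf or the first argument, so those
# are the trust boundary for what gets loaded.
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	#
	# Configuration:
	#  firewall_client_net:		Network address of local IPv4 network.
	#  firewall_client_net_ipv6:	Network address of local IPv6 network.
	############

	# set this to your local network
	net="$firewall_client_net"
	net6="$firewall_client_net_ipv6"

	# Allow limited broadcast traffic from my own net.
	${fwcmd} add pass all from ${net} to 255.255.255.255

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from me to ${net}
	${fwcmd} add pass all from ${net} to me
	if [ -n "$net6" ]; then
		${fwcmd} add pass all from me to ${net6}
		${fwcmd} add pass all from ${net6} to me
	fi

	if [ -n "$net6" ]; then
		# Allow any link-local multicast traffic
		${fwcmd} add pass all from fe80::/10 to ff02::/16
		${fwcmd} add pass all from ${net6} to ff02::/16
		# Allow DHCPv6
		${fwcmd} add pass udp from fe80::/10 to me 546
	fi

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from me to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a DNS and NTP server, and point all the machines
	# on the inside at this machine for those services.
	#
	# Configuration:
	#  firewall_simple_iif:		Inside IPv4 network interface.
	#  firewall_simple_inet:	Inside IPv4 network address.
	#  firewall_simple_oif:		Outside IPv4 network interface.
	#  firewall_simple_onet:	Outside IPv4 network address.
	#  firewall_simple_iif_ipv6:	Inside IPv6 network interface.
	#  firewall_simple_inet_ipv6:	Inside IPv6 network prefix.
	#  firewall_simple_oif_ipv6:	Outside IPv6 network interface.
	#  firewall_simple_onet_ipv6:	Outside IPv6 network prefix.
	############
	# ipfw table number holding the address ranges that must never
	# appear on the outside interface.
	BAD_ADDR_TBL=13

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"
	# The IPv6 interfaces default to the IPv4 ones when not set.
	oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}"
	onet6="$firewall_simple_onet_ipv6"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"
	iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}"
	inet6="$firewall_simple_inet_ipv6"

	# Stop spoofing: inside addresses arriving on the outside interface
	# and vice versa.
	${fwcmd} add deny all from ${inet} to any in via ${oif}
	${fwcmd} add deny all from ${onet} to any in via ${iif}
	if [ -n "$inet6" ]; then
		${fwcmd} add deny all from ${inet6} to any in via ${oif6}
		if [ -n "$onet6" ]; then
			${fwcmd} add deny all from ${onet6} to any in \
			    via ${iif6}
		fi
	fi

	# Define stuff we should never send out or receive in.
	# Stop RFC1918 nets on the outside interface
	${fwcmd} table ${BAD_ADDR_TBL} flush
	${fwcmd} table ${BAD_ADDR_TBL} add 10.0.0.0/8
	${fwcmd} table ${BAD_ADDR_TBL} add 172.16.0.0/12
	${fwcmd} table ${BAD_ADDR_TBL} add 192.168.0.0/16

	# And stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} table ${BAD_ADDR_TBL} add 0.0.0.0/8
	${fwcmd} table ${BAD_ADDR_TBL} add 169.254.0.0/16
	${fwcmd} table ${BAD_ADDR_TBL} add 192.0.2.0/24
	${fwcmd} table ${BAD_ADDR_TBL} add 224.0.0.0/4
	${fwcmd} table ${BAD_ADDR_TBL} add 240.0.0.0/4

	${fwcmd} add deny all from any to "table($BAD_ADDR_TBL)" via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac

	${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}
	if [ -n "$inet6" ]; then
		# Stop unique local unicast address on the outside interface
		${fwcmd} add deny all from fc00::/7 to any via ${oif6}
		${fwcmd} add deny all from any to fc00::/7 via ${oif6}

		# Stop site-local on the outside interface
		${fwcmd} add deny all from fec0::/10 to any via ${oif6}
		${fwcmd} add deny all from any to fec0::/10 via ${oif6}

		# Disallow "internal" addresses to appear on the wire.
		${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \
		    via ${oif6}
		${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \
		    via ${oif6}

		# Disallow packets to malicious IPv4 compatible prefix.
		${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6}
		${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6}
		${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6}
		${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6}
		${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6}
		${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6}
		${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6}
		${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6}

		${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6}
		${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6}

		# Disallow packets to malicious 6to4 prefix.
		${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6}
		${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6}
		${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6}
		${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6}

		${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6}
		${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6}
		${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6}
		${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6}

		${fwcmd} add deny all from ff05::/16 to any via ${oif6}
		${fwcmd} add deny all from any to ff05::/16 via ${oif6}
	fi

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to me 53 setup
	${fwcmd} add pass udp from any to me 53
	${fwcmd} add pass udp from me 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to me 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
	if [ -n "$inet6" ]; then
		${fwcmd} add deny log ip6 from any to any in via ${oif6} \
		    setup proto tcp
	fi

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
	# Configuration:
	#  firewall_myservices:	List of ports/protocols on which this
	#			host offers services.
	#  firewall_allowservices: List of IPv4 and/or IPv6 addresses
	#			that have access to
	#			$firewall_myservices.
	#  firewall_trusted:	List of IPv4 and/or IPv6 addresses
	#			that have full access to this host.
	#			Be very careful when setting this.
	#			This option can seriously degrade
	#			the level of protection provided by
	#			the firewall.
	#  firewall_logdeny:	Boolean (YES/NO) specifying if the
	#			default denied packets should be
	#			logged (in /var/log/security).
	#  firewall_nologports:	List of TCP/UDP ports for which
	#			denied incoming packets are not
	#			logged.

	# Allow packets for which a state has been built.
	${fwcmd} add check-state

	# For services permitted below.
	${fwcmd} add pass tcp from me to any established

	# Allow any connection out, adding state for each.
	${fwcmd} add pass tcp from me to any setup keep-state
	${fwcmd} add pass udp from me to any keep-state
	${fwcmd} add pass icmp from me to any keep-state
	if [ "$ipv6_available" -eq 0 ]; then
		${fwcmd} add pass ipv6-icmp from me to any keep-state
	fi

	# Allow DHCP.
	${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
	${fwcmd} add pass udp from any 67 to me 68 in
	${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
	if [ "$ipv6_available" -eq 0 ]; then
		${fwcmd} add pass udp from fe80::/10 to me 546 in
	fi
	# Some servers will ping the IP while trying to decide if it's
	# still in use.
	${fwcmd} add pass icmp from any to any icmptype 8
	if [ "$ipv6_available" -eq 0 ]; then
		${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
	fi

	# Allow "mandatory" ICMP in.
	${fwcmd} add pass icmp from any to any icmptype 3,4,11
	if [ "$ipv6_available" -eq 0 ]; then
		${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
	fi

	# Add permits for this workstation's published services below
	# Only IPs and nets in firewall_allowservices is allowed in.
	# If you really wish to let anyone use services on your
	# workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
	#
	# Note: We don't use keep-state as that would allow DoS of
	#       our statetable.
	#       You can add 'keep-state' to the lines for slightly
	#       better performance if you feel that DoS of your
	#       workstation won't be a problem.
	#
	# Each entry in firewall_myservices is PORT/tcp, PORT/udp or
	# PROTOCOL/proto; a bare port is accepted but warned about.
	# Diagnostics go to fd 2 directly rather than by opening /dev/stderr.
	for i in ${firewall_allowservices} ; do
		for j in ${firewall_myservices} ; do
			case $j in
			[0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
				${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
				;;
			[0-9A-Za-z]*/[Tt][Cc][Pp])
				${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
				;;
			[0-9A-Za-z]*/[Uu][Dd][Pp])
				${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
				;;
			*[0-9A-Za-z])
				echo "Consider using ${j}/tcp in firewall_myservices." >&2
				${fwcmd} add pass tcp from $i to me $j
				;;
			*)
				echo "Invalid port in firewall_myservices: $j" >&2
				;;
			esac
		done
	done

	# Allow all connections from trusted IPs.
	# Playing with the content of firewall_trusted could seriously
	# degrade the level of protection provided by the firewall.
	for i in ${firewall_trusted} ; do
		${fwcmd} add pass ip from $i to me
	done

	${fwcmd} add 65000 count ip from any to any

	# Drop packets to ports where we don't want logging
	for i in ${firewall_nologports} ; do
		${fwcmd} add deny { tcp or udp } from any to any $i in
	done

	# Broadcasts and multicasts
	${fwcmd} add deny ip from any to 255.255.255.255
	${fwcmd} add deny ip from any to 224.0.0.0/24 in	# XXX

	# Noise from routers
	${fwcmd} add deny udp from any to any 520 in

	# Noise from webbrowsing.
	# The stateful filter is a bit aggressive, and will cause some
	# connection teardowns to be logged.
	${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

	# Deny and (if wanted) log the rest unconditionally.
	# firewall_logdeny is matched like the other YES/NO knobs in this
	# file (any letter case) instead of a "YES"/"yes" string compare.
	log=""
	case ${firewall_logdeny} in
	[Yy][Ee][Ss])
		log="log logamount 500"	# The default of 100 is too low.
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
		;;
	esac
	# $log is deliberately unquoted: it expands to zero or more keywords.
	${fwcmd} add deny $log ip from any to any
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	${fwcmd} add 65000 deny ip from any to any
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	# firewall_type names a readable rule file: hand it to ipfw(8).
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac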