3 # Create an initial IPFW rules file
# NOTE(review): this excerpt is non-contiguous (the gutter numbers jump), so the
# field lists inside most rule hashes, the closing braces of the if/elsif
# blocks, and the trailing lines of some statements are not shown here.
5 require './ipfw-lib.pl';
8 # Start with base configuration, which will include 65535 rule
# Runs "<ipfw binary> list" and parses the output into a rule list.
# NOTE(review): the command is passed as a single string ending in "|";
# presumably get_config() does a 2-arg pipe open on it, so $config{'ipfw'}
# (the configured path to the ipfw binary) reaches a shell unquoted. A
# list-form open ('-|', $config{'ipfw'}, 'list') would avoid that -- confirm
# in ipfw-lib.pl.
9 $rules = &get_config("$config{'ipfw'} list |", \$out);
# Keep only the built-in catch-all rule 65535; everything else is rebuilt below.
11 @$rules = grep { $_->{'num'} == 65535 } @$rules;
14 # A flush will generate the 65535 rule, so we can exclude it
15 if (&get_ipfw_format() == 1) {
16 @$rules = grep { $_->{'num'} != 65535 } @$rules;
# %in holds the CGI form input. NOTE(review): a missing, empty or
# non-numeric 'auto' value numifies to 0 under ==, so it selects this
# "allow all traffic" branch; verify the form only submits 0..4 or add an
# explicit /\A\d\z/ check before the comparison.
20 if ($in{'auto'} == 0) {
# Insert at index 0, i.e. ahead of the 65535 default rule.
22 splice(@$rules, 0, 0, { "action" => "allow",
27 "cmt" => "Allow all traffic" });
29 elsif ($in{'auto'} >= 2) {
30 # Block all traffic, apart from established connections, DNS replies
# External interface: either the selected entry or the free-text "_other"
# field for the chosen level. Only truthiness is checked here.
# NOTE(review): the '_other' value is user-supplied text that presumably ends
# up inside the generated rules (field lists elided from this excerpt); an
# anchored interface-name check (e.g. /\A[a-z0-9_.:-]+\z/i) before use would
# keep arbitrary text out of the rules file -- confirm against save_config().
32 $iface = $in{'iface'.$in{'auto'}} ||
33 $in{'iface'.$in{'auto'}.'_other'};
34 $iface || &error($text{'setup_eiface'});
# Base rule set for levels >= 2, inserted ahead of the 65535 default rule.
35 splice(@$rules, 0, 0, { "action" => "skipto",
42 "cmt" => "Skip next rule for external interface" },
43 { "action" => "allow",
48 "cmt" => "Allow all traffic on internal interfaces" },
49 { "action" => "allow",
55 "cmt" => "Allow established TCP connections" },
56 { "action" => "allow",
62 "cmt" => "Allow traffic with ACK flag set" },
63 { "action" => "allow",
69 "to_ports" => "1024-65535",
70 "cmt" => "Accept responses to DNS queries" },
71 { "action" => "allow",
76 "icmptypes" => "0,3,4,11,12",
77 "cmt" => "Accept safe ICMP types" });
78 if ($in{'auto'} >= 3) {
# @$rules-1 is the last index, so these go just before the final rule.
80 splice(@$rules, @$rules-1, 0,
81 { "action" => "allow",
87 "cmt" => "Allow connections to our SSH server" },
88 { "action" => "allow",
94 "cmt" => "Allow connections to our IDENT server" });
96 if ($in{'auto'} >= 4) {
97 # Allow pings and most high ports
# Again inserted before the final rule; the three deny rules for NFS, X11
# and the X font server precede the broad high-port allow so they win.
98 splice(@$rules, @$rules-1, 0,
99 { "action" => "allow",
105 "cmt" => "Respond to pings" },
106 { "action" => "deny",
111 "to_ports" => "2049-2050",
112 "cmt" => "Protect our NFS server" },
113 { "action" => "deny",
118 "to_ports" => "6000-6063",
119 "cmt" => "Protect our X11 display server" },
120 { "action" => "deny",
125 "to_ports" => "7000-7010",
126 "cmt" => "Protect our X font server" },
127 { "action" => "allow",
132 "to_ports" => "1024-65535",
133 "cmt" => "Allow connections to unprivileged ports" });
136 # Add final deny all rule (if needed)
# Last rule currently in the list. NOTE(review): 'local' on a plain lexical
# name; 'my' would do here (this file appears not to use strict).
137 local $lr = $rules->[@$rules-1];
# Only add an explicit deny when the last rule is not already "65535 deny".
138 if ($lr->{'num'} != 65535 || $lr->{'action'} ne 'deny') {
139 splice(@$rules, @$rules-1, 0,
140 { "action" => "deny",
148 # Add flush line at top
# Format-1 files start with a literal "flush" line (see the comment at line
# 14: the flush is what recreates rule 65535).
149 if (&get_ipfw_format() == 1) {
150 splice(@$rules, 0, 0, { 'other' => 1,
151 'text' => 'flush' });
# Write the rules file under a lock. NOTE(review): if save_config() dies the
# unlock below is skipped; presumably webmin's lock_file releases on process
# exit -- confirm.
155 &lock_file($ipfw_file);
156 &save_config($rules);
157 &unlock_file($ipfw_file);
# Presumably sets up the boot-time script that loads the rules -- see ipfw-lib.pl.
161 &create_firewall_init();
# Record the action in the Webmin actions log.
164 &webmin_log("setup");