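#!/bin/sh -
############
# Setup system for IPv6 firewall service (ip6fw).
#
# Prototype ruleset for a dual-homed host: ${oif} faces the outside,
# ${iif} the inside network.  This machine is expected to serve DNS and
# NTP for the inside hosts and to accept SMTP, DNS and HTTP from outside
# on ${oip}.  Edit the interface/prefix/address variables below before use.
#
# Rules are added in the order they appear; ip6fw walks the list top to
# bottom and the first matching rule decides.  Packets matching no rule
# fall through to the kernel default (deny, unless the kernel was built
# with IPV6FIREWALL_DEFAULT_TO_ACCEPT).
############

# Abort on the first failing command and on any unset variable: a rule
# that silently fails to load would leave the policy incomplete while the
# script still exits 0.
set -eu

fw6cmd="/sbin/ip6fw"

############
# Print a message to stderr and exit non-zero.
# Arguments: message words
############
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

############
# Append one rule to the ruleset (auto-numbered unless a number is given).
# Globals:   fw6cmd (read)
# Arguments: the ip6fw rule body, e.g. "pass tcp from any to any setup"
############
rule() {
  "${fw6cmd}" add "$@"
}

############
# Deny a prefix in both directions on the outside interface.
# Globals:   oif (read)
# Arguments: $1 - IPv6 prefix (addr/len)
############
deny_prefix_via_oif() {
  rule deny all from "$1" to any via "${oif}"
  rule deny all from any to "$1" via "${oif}"
}

############
# Loopback and Neighbor Discovery rules every host needs.
# Only in rare cases do you want to change these rules.
# Globals:   fw6cmd (read, via rule)
############
setup_local() {
  rule 100 pass all from any to any via lo0
  rule 200 deny all from any to ::1
  rule 300 deny all from ::1 to any

  # ND
  # DAD: Duplicate Address Detection is sent from the unspecified address.
  rule pass ipv6-icmp from :: to ff02::/16
  # RS, RA, NS, NA, redirect... (link-local to link-local / link multicast)
  rule pass ipv6-icmp from fe80::/10 to fe80::/10
  rule pass ipv6-icmp from fe80::/10 to ff02::/16
}

[ -x "${fw6cmd}" ] || die "${fw6cmd}: not found or not executable"

############
# Flush out the list before we begin.
############
"${fw6cmd}" -f flush

############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
############

# set these to your outside interface network and prefixlen and ip
oif="ed0"
onet="2001:db8:2:1::"
oprefixlen="64"
oip="2001:db8:2:1::1"

# set these to your inside interface network and prefixlen and ip
iif="ed1"
inet="2001:db8:2:2::"
iprefixlen="64"
iip="2001:db8:2:2::1"   # currently not referenced by any rule below

setup_local

# Stop spoofing: inside addresses must not arrive on the outside
# interface, and outside addresses must not arrive on the inside one.
rule deny all from "${inet}/${iprefixlen}" to any in via "${oif}"
rule deny all from "${onet}/${oprefixlen}" to any in via "${iif}"

# Stop unique local unicast addresses on the outside interface
deny_prefix_via_oif fc00::/7

# Stop site-local on the outside interface
deny_prefix_via_oif fec0::/10

# Disallow "internal" (IPv4-mapped) addresses to appear on the wire.
deny_prefix_via_oif ::ffff:0.0.0.0/96

# Disallow packets to malicious IPv4-compatible prefixes.
deny_prefix_via_oif ::224.0.0.0/100
deny_prefix_via_oif ::127.0.0.0/104
deny_prefix_via_oif ::0.0.0.0/104
deny_prefix_via_oif ::255.0.0.0/104
deny_prefix_via_oif ::0.0.0.0/96

# Disallow packets to malicious 6to4 prefixes: 6to4 addresses that embed
# IPv4 multicast (e0), loopback (7f), unspecified (00), broadcast (ff)
# or RFC 1918 space (0a, ac10, c0a8).
deny_prefix_via_oif 2002:e000::/20
deny_prefix_via_oif 2002:7f00::/24
deny_prefix_via_oif 2002:0000::/24
deny_prefix_via_oif 2002:ff00::/24
deny_prefix_via_oif 2002:0a00::/24
deny_prefix_via_oif 2002:ac10::/28
deny_prefix_via_oif 2002:c0a8::/32
# Site-local scope multicast must not cross the outside interface.
deny_prefix_via_oif ff05::/16

# Allow TCP through if setup succeeded.
# NOTE(review): ip6fw's "established" is a TCP-flag match, not tracked
# state, so any inbound segment carrying those flags is accepted here —
# keep the address deny rules above this one.
rule pass tcp from any to any established

# Allow IP fragments to pass through.
# NOTE(review): non-initial fragments carry no port numbers, so they
# bypass the per-service rules below.
rule pass all from any to any frag

# Allow setup of incoming email
rule pass tcp from any to "${oip}" 25 setup

# Allow access to our DNS
rule pass tcp from any to "${oip}" 53 setup
rule pass udp from any to "${oip}" 53
rule pass udp from "${oip}" 53 to any

# Allow access to our WWW
rule pass tcp from any to "${oip}" 80 setup

# Reject & log all setup of incoming connections from the outside
rule deny log tcp from any to any in via "${oif}" setup

# Allow setup of any other TCP connection (outbound, and inbound via ${iif})
rule pass tcp from any to any setup

# Allow DNS queries out in the world.
# NOTE(review): the first rule accepts any UDP datagram with source port
# 53 to ${oip}, whatever its destination port; ip6fw has no state to
# restrict this to genuine replies.
rule pass udp from any 53 to "${oip}"
rule pass udp from "${oip}" to any 53

# Allow NTP queries out in the world (same caveat as DNS above).
rule pass udp from any 123 to "${oip}"
rule pass udp from "${oip}" to any 123

# Allow RIPng
#rule pass udp from fe80::/10 521 to ff02::9 521
#rule pass udp from fe80::/10 521 to fe80::/10 521

# Allow ICMPv6 destination unreachable
rule pass ipv6-icmp from any to any icmptypes 1

# Allow packet-too-big / NS / NA from anywhere (don't filter them out)
rule pass ipv6-icmp from any to any icmptypes 2,135,136

# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.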