#!/bin/sh -
############
# Setup system for IPv6 firewall service.
#
# Prototype "simple" ruleset for the ip6fw(8) packet filter: this host
# sits between an outside interface (oif) and an inside interface (iif),
# serves SMTP (25), DNS (53) and WWW (80) on its outside address, and
# relays DNS/NTP queries for the inside. Anything not explicitly passed
# falls through to the kernel default (deny, unless the kernel was built
# with IPV6FIREWALL_DEFAULT_TO_ACCEPT).
#
# Usage: run as root after editing the interface/prefix variables below
# (they are placeholders). Every rule is a separate ${fw6cmd} invocation
# and no exit status is checked, so a typo in one rule silently leaves
# that rule out -- review the installed set (ip6fw list) afterwards.
setup_local () {
############
# Loopback and Neighbour Discovery rules. Only in rare cases do you
# want to change these. Rules 100-300 carry explicit numbers; the rest
# are presumably numbered by ip6fw in order of addition, so the order
# in this file is the evaluation order.
# Reads the global ${fw6cmd}; must be called after it is assigned.
#
# Loopback: pass everything on lo0, then drop ::1 traffic seen on any
# other path (spoofed loopback addresses).
${fw6cmd} add 100 pass all from any to any via lo0
${fw6cmd} add 200 deny all from any to ::1
${fw6cmd} add 300 deny all from ::1 to any
#
# ND -- ICMPv6 Neighbour Discovery. These rules name no interface, so
# they match on the inside and outside interface alike.
#
# DAD: Duplicate Address Detection is sent from the unspecified address
# (::) to link-local multicast (ff02::/16, which holds the solicited-node
# groups).
${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect... between link-local peers and to link-local
# multicast. No icmptypes qualifier here, so every ICMPv6 type from a
# link-local source passes, not only the ND ones.
${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
}
21
22
fw6cmd="/sbin/ip6fw"

############
# Flush out the list before we begin.
# -f: force, i.e. do not ask for confirmation. Between this flush and
# the rules below the filter is in its kernel-default state, so run the
# script from the console rather than over an IPv6 session.
#
${fw6cmd} -f flush

############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
#
# The ruleset is stateless: TCP is classified only by flags ("setup" =
# SYN without ACK, "established" = ACK or RST set, as in ipfw(8) --
# confirm against ip6fw(8)) and UDP only by addresses and ports, so
# every reply direction needs its own explicit rule.
############

# set these to your outside interface network and prefixlen and ip
# (2001:db8::/32 is the documentation prefix: these are placeholders)
oif="ed0"
onet="2001:db8:2:1::"
oprefixlen="64"
oip="2001:db8:2:1::1"

# set these to your inside interface network and prefixlen and ip
iif="ed1"
inet="2001:db8:2:2::"
iprefixlen="64"
iip="2001:db8:2:2::1"

# Loopback and ND rules first, so they get the lowest rule numbers.
setup_local

# Stop spoofing: an inside source must not arrive on the outside
# interface and vice versa. Only the two directly attached prefixes are
# checked; any further prefix routed behind ${iif} needs its own rule.
${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}

# Stop unique local unicast address on the outside interface
# ("via" without in/out matches both directions).
${fw6cmd} add deny all from fc00::/7 to any via ${oif}
${fw6cmd} add deny all from any to fc00::/7 via ${oif}

# Stop site-local on the outside interface (deprecated prefix; should
# never appear on a global link).
${fw6cmd} add deny all from fec0::/10 to any via ${oif}
${fw6cmd} add deny all from any to fec0::/10 via ${oif}

# Disallow "internal" addresses to appear on the wire.
# ::ffff:0.0.0.0/96 is the IPv4-mapped range.
${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}

# Disallow packets to malicious IPv4 compatible prefix.
# ::224.0.0.0/100 = IPv4 multicast, ::127.0.0.0/104 = loopback,
# ::0.0.0.0/104 = "this" network, ::255.0.0.0/104 = broadcast.
${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}

# The whole IPv4-compatible range ::0.0.0.0/96 -- this subsumes the
# four /100 and /104 pairs above, which are therefore redundant but
# harmless (they only cost a few extra rule evaluations).
${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}

# Disallow packets to malicious 6to4 prefix.
# 2002::/16 embeds an IPv4 address in bits 16-47: e000::/20 = 224.0.0.0/4
# (multicast), 7f00::/24 = 127.0.0.0/8, 0000::/24 = 0.0.0.0/8,
# ff00::/24 = 255.0.0.0/8.
${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}

# 6to4 with embedded RFC 1918 space: 0a00::/24 = 10.0.0.0/8,
# ac10::/28 = 172.16.0.0/12, c0a8::/32 = 192.168.0.0/16.
${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}

# Site-local scope multicast must not cross the outside interface.
${fw6cmd} add deny all from ff05::/16 to any via ${oif}
${fw6cmd} add deny all from any to ff05::/16 via ${oif}

# Allow TCP through if setup succeeded.
# Stateless: any TCP segment with ACK or RST set passes on either
# interface, whether or not a connection exists. This is what lets
# replies to outbound connections back in; it also means the
# "deny log ... setup" rule below only ever sees bare SYNs.
${fw6cmd} add pass tcp from any to any established

# Allow IP fragments to pass through.
# Non-first fragments carry no transport header, so no port or flag
# rule below could match them; they are passed unconditionally. Bear
# this in mind when reading the per-port rules that follow.
${fw6cmd} add pass all from any to any frag

# Allow setup of incoming email (SMTP to our outside address; not bound
# to an interface, so reachable from inside as well).
${fw6cmd} add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS (TCP for zone transfers / large answers,
# UDP queries in and replies out).
${fw6cmd} add pass tcp from any to ${oip} 53 setup
${fw6cmd} add pass udp from any to ${oip} 53
${fw6cmd} add pass udp from ${oip} 53 to any

# Allow access to our WWW
${fw6cmd} add pass tcp from any to ${oip} 80 setup

# Deny & log all setup of incoming connections from the outside.
# "deny" drops the SYN silently (the peer sees a timeout, not a reset).
${fw6cmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection: after the rule above this
# means every SYN arriving on ${iif} and every SYN leaving via ${oif}.
# Inside hosts are thus unrestricted towards this host and the outside.
${fw6cmd} add pass tcp from any to any setup

# Allow DNS queries out in the world.
# NOTE(review): "from any 53 to ${oip}" accepts a UDP datagram from any
# source to ANY port on ${oip} as long as its source port is 53, and the
# sender chooses its source port. The same applies to the NTP pair
# below. Without stateful matching, the fix is to replace "any" with
# the resolver addresses this host actually queries (see /etc/resolv.conf
# on this host), so that only those peers can reach the open ports.
${fw6cmd} add pass udp from any 53 to ${oip}
${fw6cmd} add pass udp from ${oip} to any 53

# Allow NTP queries out in the world (same source-port caveat as for
# DNS above: restrict "any" to the configured NTP peers).
${fw6cmd} add pass udp from any 123 to ${oip}
${fw6cmd} add pass udp from ${oip} to any 123

# Allow RIPng (uncomment only if this host runs a RIPng daemon).
#${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
#${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521

# Allow ICMPv6 destination unreach (type 1).
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1

# Allow NS/NA/toobig (don't filter it out): type 2 = Packet Too Big,
# needed for path-MTU discovery; 135/136 = Neighbor Solicitation /
# Advertisement from non-link-local sources (link-local ones are already
# passed by setup_local).
# NOTE(review): time exceeded (3), parameter problem (4) and echo
# request/reply (128/129) from global addresses are not passed anywhere
# and so fall through to the default deny -- TODO confirm this is meant.
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136

# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file. Nothing that reaches the default is logged; for
# visibility of what gets dropped, append a final
# "${fw6cmd} add deny log all from any to any" (not included here).