H

BM

L E FO

OG

R H F

U O A

M W Q

T S

L O T

IS U

N T

U & O

X R

S A

H L

S N

U G

Home > Bash Scripts > Firewall

GET FREE TIPS & NEWS

Make the most of Linux Sysadmin work! Enter your email Join
2 3 ,M M E 0 9 S C O 2 0 N T

BSD PF IPv6 and IPv4 /etc/pf.conf Firewall Script

by V I V E on J A N T E R Y K G I U A 5

This is my working IPv6 and IPv4 dual stack script from FreeBSD 7.1 server. It should work with any latest PF version under OpenBSD / FreeBSD / NetBSD without a problem. You need to add following lines to /etc/rc.conf under FreeBSD to turn on PF firewall:
pf_enable="YES" pflog_enable="YES" pflog_logfile="/var/log/pflog" pf_rules="/etc/pf.conf"

42k+ Subscribers | Twitter | Google +

Next create /etc/pf.conf file as follows. Replace variable with appropriate values. 1. By default firewall drops all incoming and outgoing connections for both IPv4 and IPv6. 2. By default IPv4 and IPv6 outgoing allowed for ssh, smtp, domain / dns, www, https, ntp, ping and whois requests. 3. By default IPv4 and IPv6 incoming allowed for ssh, smtp, domain / dns, www, https, and ping only.
#### S0.1 First declare a couple of variables #### # Created by Vivek Gite <vivek@nixcraft.com> # See more info @ # http://bash.cyberciti.biz/firewall/pf-ipv6-ipv4-firewall-for-freebsd-openbsd-netbsd/ tcp_services = "{ ssh, smtp, domain, www, https, 122, ntp, 43}" udp_services = "{ domain, ntp }" icmp_types = "{ echoreq, unreach }" mail_ports = "{ smtp, imaps }" ### define tables table <droplasso> persist file "/etc/pf.drop.lasso.conf" table <blockedip> persist file "/etc/pf.block.ip.conf"

What is shell scripting? Learn shell scripting. The Shell Variables and Environment Decision Making With Shell Scripts Shell Redirection Pipes and Filters Read More

Select Category

### IPv4 ranges martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/3 http_servers = "{ 208.xx.yyy.zzz }" Find us on Facebook mail_servers = "{ 208.xx.yyy.zzz}" dns_servers = "{ 208.xx.yyy.zzz }" nixCraft adminrange = "66.228.118.0/23" ### ipv6 ranges adminrange6 = "{ 2607:F0D0:2000:0000::/48 }" http_servers6 = "{ 260z:xxx.. }" mail_servers6 = "{ 260z:xxx.. }" dns_servers6 = "{ 260z:xxx.. }" IPV6LAN = "{ 260z:xxx../64 }" IPV6MAIN = "{ 260z:xxx.. }" ### Interfaces ext_if = "em1" int_if = "em0"
Like 18,713 people like nixCraft.

Rully

Timothy

A njani

Djsaing

Kev in

Rohit

Dusan

Jeev an

O uidad

Gbor

F acebook social plugin

converted by Web2PDFConvert.com

## S0.2: Options set block-policy return set loginterface $ext_if #### S0.3: Normliaztion #scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments scrub in all #### S0.4: NAT and RDR start # Drop ALL incomming everything block log all # Try to block nmap scans block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP #IPv6 - pass in/out all IPv6 ICMP traffic pass in quick proto icmp6 all # unlimited traffic for vpn and loopback set skip on {lo0, $int_if} # activate spoofing protection for all interfaces block in quick from urpf-failed #antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses antispoof log for $ext_if #Block RFC 1918 addresses block drop in log (all) quick on $ext_if from $martians to any block drop out log (all) quick on $ext_if from any to $martians #Block DROP LASSO #block log (all) all # pfctl -t droplasso -T show block drop in log (all) quick on $ext_if from <droplasso> to any block drop out log (all) quick on $ext_if from any to <droplasso> # pfctl -t blockedip -T show block drop in log (all) quick on $ext_if from <blockedip> to any block drop out log (all) quick on $ext_if from any to <blockedip> # allow outgoing via ssh, smtp, domain, www, https, 122 pass out on $ext_if proto tcp to any port $tcp_services pass out on $ext_if proto udp to any port $udp_services # trace route pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state # SL admin allow 66.228.118.0/255.255.254.0 (23) pass in on $int_if from $adminrange to any # pass in pass in on pass in on pass in on pass in on pass in on pass in on on $ext_if proto tcp from any to any port 25 $ext_if inet proto tcp from 72.xx.yyy.zzz to 208.xx.yyy.zzz port ssh flags S/SA synproxy state $ext_if inet proto udp from any to $dns_servers port domain $ext_if inet proto tcp from any to $dns_servers port domain flags S/SA synproxy state $ext_if inet proto tcp from any to $http_servers port http flags S/SA synproxy state $ext_if inet proto tcp from any to 208.43.79.236 port https flags S/SA synproxy state $ext_if inet proto tcp from any to $mail_servers port $mail_ports flags S/SA synproxy state

Shell Script To Update Spamhaus Lasso Spam Database for PF Firewall OpenBSD PF Firewall Script /etc/pf.conf File FreeBSD Full / Incremental Tape Backup Shell Script Linux IPv6 Iptables Firewall Script FreeBSD Backup All MySQL Databases To a NAS Server

Search

# ping pong pass inet proto icmp all icmp-type $icmp_types keep state # Outgoing ftp pass out on $ext_if inet proto tcp from any to any port ftp pass out on $ext_if inet proto tcp from any to any port >1023 ###### IPv6 rules ############# # Allow outgoing services pass out on $ext_if inet6 proto tcp to any port $tcp_services pass out on $ext_if inet6 proto udp to any port $udp_services # Trace route out pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state # SL Admin in pass in on $ext_if inet6 from $adminrange6 to any

converted by Web2PDFConvert.com

# Open ports out pass in on $ext_if pass in on $ext_if pass in on $ext_if pass in on $ext_if

inet6 inet6 inet6 inet6

proto proto proto proto

udp tcp tcp tcp

from from from from

any any any any

to to to to

$dns_servers6 port domain $dns_servers6 port domain keep state $http_servers6 port http keep state $mail_servers6 port $mail_ports keep state

# Ftp out pass out on $ext_if inet6 proto tcp from any to any port ftp pass out on $ext_if inet6 proto tcp from any to any port >1023 # Allow ping pong out pass out on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state # ND solicitation out pass out on $ext_if inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol} # ND advertisement in pass in on $ext_if inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol} # Router advertisement out pass out on $ext_if inet6 proto icmp6 all icmp6-type routeradv # Router solicitation in pass in on $ext_if inet6 proto icmp6 all icmp6-type routersol # Allow Ping pong in pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq

You also need to create /etc/pf.block.ip.conf file with list of IPs and subnet to block manually as follows:
202.54.1.2 191.10.1.0/29

This script also supports Spamhaus database to block SMTP / WWW spam bots. Download Shell Script To Update Spamhaus Lasso Spam Database for PF . Featured Articles: 20 Linux System Monitoring Tools Every SysAdmin Should Know 20 Linux Server Hardening Security Tips 10 Greatest Open Source Software Of 2009 My 10 UNIX Command Line Mistakes Top 5 Email Client For Linux, Mac OS X, and Windows Users Top 20 OpenSSH Server Best Security Practices Top 10 Open Source Web-Based Project Management Software Top 5 Linux Video Editor Software

4000+ howtos and counting! If you enjoyed this article, join 45000+ others and get free email updates! Enter your email

Download Script Email this to a friend Rss Feed

Join
Last Updated: 0 2 / 2 / 0 9

{ 5 comments read them below or add one }

xcezzz
February 2, 2009

There should be a correction on the line below, of where to put pf_enable=YES You need to add following lines to /etc/pf.conf under FreeBSD to turn on PF firewall:
converted by Web2PDFConvert.com

It should be rc.conf? You need to add following lines to /etc/rc.conf under FreeBSD to turn on PF firewall:
R E P L Y

Vivek Gite

February 2, 2009

Thanks for the heads up.

R E P L Y

Roberto Greiner

March 26, 2009

Hi, I think i got a small security problem. At the end of the script you have a few lines controlling what of icmp6 can get in. But at the start of the script you have #IPv6 pass in/out all IPv6 ICMP traffic pass in quick proto icmp6 all which lets all icmp6 traffic in. Or did I get something wrong?
R E P L Y

Vivek Gite

March 27, 2009

Yes, it passes all ICMP6 traffic. Feel free to modify pf.conf it as per your requirements and setup.
R E P L Y

Tekki

July 28, 2011

Hi there! I would like to know if this configuration can help me block IPv6 domain like https facebook? I have a problem blocking Https facebook.
R E P L Y

Leave a Comment
Name E-mail Website

You can use these H T tags L attributes for UNIX com ands or shell scripts: <strong> <em> <ol> <li> <u> <ul> M and m <blockquote> <pre> <a href="" title="">

converted by Web2PDFConvert.com

Security Question:
What is 8 + 9 ?
Are you a human being? Solve the simple math so we know that you are a human and not a script.

Submit
Tagged as: /etc/rc.conf, domain dns, freebsd, ipv4 and ipv6, ipv4 and ipv6 PF firewall, IPv6 Firewall, netbsd, nmap scans, openbsd, outgoing connections, pf firewall, tcp services, udp services

P N

R E

E X

Shell O UTo Update Spamhaus LassoTSpam Database for PF Firewall I Script S P O S :

Linux IPv6 P O Firewall Script T Iptables S T :

2004-2012 nixCraft. All rights reserved | Privacy Policy | Terms of Service RSS | Email Subscription | Questions or Comments | Powered by Open source software

converted by Web2PDFConvert.com