I ended up writing my own script... :-) called pfwall, then, in my rc.firewall script it goes
Code:
echo "Starting up the firewall..."
# rc.inet2 wants rc.firewall start eh, why the hell not?
start()
{
    echo "Starting with a clean slate"
    pfwall close
    echo "Opening stuff up"
    pfwall dns
    pfwall ping
    pfwall out
    # turn on for servers
    pfwall ssh open in
}
stop()
{
    pfwall open
}
case "$1" in
    'start')
        start ;;
    'stop')
        stop ;;
    'restart')
        stop;start ;;
    *)
        echo "usage $0 start|stop|restart" ;;
esac
I haven't bothered to learn how to set up ICMP filtering correctly.
My basic rules were
Code:
echo "Closing everything!"
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
...
# proto port
echo "Enabling outgoing $1 from port $2"
iptables -A INPUT -p "$1" --sport "$2" -j ACCEPT
iptables -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
...
# proto port
echo "Enabling incoming $1 from port $2"
iptables -A INPUT -p "$1" --dport "$2" -j ACCEPT
iptables -A OUTPUT -p "$1" --sport "$2" -j ACCEPT
...
$1 is the protocol, and $2 is the port.
I had iptables drop everything first, then I started opening. So those are what I used to open stuff. rc.firewall calls pfwall and tells it to open or close certain ports for certain protocols. I think I'll add a .conf file for it to read off of next time if I get around to doing it.
Good luck
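Below is an added example of the same close-then-open approach as a single self-contained script; it is not the poster's pfwall or rc.firewall. It assumes the function names (fw_close, fw_in, fw_out and so on), the IPT variable and the dns/ping/web/ssh subcommands, none of which come from the post. Two differences from the fragments above are deliberate: reply traffic is matched with conntrack ESTABLISHED,RELATED instead of a bare --sport rule, so an inbound packet is accepted only when it answers a connection this host opened, and every port argument is validated before it reaches iptables. Setting IPT=echo prints the rules instead of applying them, which lets the script be reviewed or tested without root.

```shell
#!/bin/sh
# pfwall-style iptables wrapper (added example, not the poster's script).
# Default policy is DROP on every chain; services are opened one at a time.
# IPT=echo dry-runs: the iptables commands are printed, not executed.
# IPT, the fw_* names and the subcommands are assumptions of this example.
IPT="${IPT:-iptables}"

# valid_port PORT: succeed only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fw_close: flush everything and drop by default.  Loopback and replies to
# connections this host already opened are the only standing exceptions;
# the conntrack match replaces a bare --sport rule, so an inbound packet is
# accepted because it answers an outbound one, not because of its source port.
fw_close() {
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# fw_open: accept everything (the "stop" action; no filtering at all)
fw_open() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# fw_out PROTO PORT: allow new outgoing connections to remote PORT
fw_out() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    $IPT -A OUTPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# fw_in PROTO PORT: allow new incoming connections to local PORT
fw_in() {
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    $IPT -A INPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

fw_dns()  { fw_out udp 53 && fw_out tcp 53; }
fw_ssh()  { fw_in tcp 22; }
# fw_ping: let this host ping out; the echo replies match ESTABLISHED above
fw_ping() { $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT; }
# fw_web: outgoing http/https, the rough equivalent of "pfwall out"
fw_web()  { fw_out tcp 80 && fw_out tcp 443; }

start() {
    fw_close
    fw_dns
    fw_ping
    fw_web
    fw_ssh        # comment out on machines that are not ssh servers
}

case "${1:-}" in
    start)   start ;;
    stop)    fw_open ;;
    restart) fw_open; start ;;
    '')      ;;   # sourced or run without arguments: do nothing
    *)       echo "usage: $0 start|stop|restart" >&2; exit 2 ;;
esac
```

Run `IPT=echo sh pfwall.sh start` first to read the exact rule set that `sh pfwall.sh start` would install; the dry-run output is also a convenient thing to keep next to the script as a record of what the host is supposed to allow.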