The rules are defined by a couple of shell functions: fwcmd_e adds a rule once for every external interface, and fwcmd_i does the same for every internal interface. In each rule the token DEV stands for the interface name.
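#!/bin/sh
# Attempt at a network protecting firewall
# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
# Hacked around mercilessly by Richard Caley (richard@caley.org.uk)
# http://richard.caley.org.uk/by_firewall.html
# Do what thou will but don't blame me
#
# Rules that name their interface as the token DEV are added once per
# external interface (fwcmd_e) or once per internal interface (fwcmd_i);
# DEV is replaced by the interface name before ipfw is run.

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  It is used unquoted on purpose so that it may carry
# options (e.g. "ipfw -q").
fwcmd="/sbin/ipfw"
#fwcmd=echo

# Interface connected to your internal network
all_internals="ep0 lo0"

# Interface connected to the cable modem
all_externals="ed0 tun0"

# nat demons for each external interface: natd_<if> is the divert port
# (number or service name) for that interface; unset means no natd.
natd_ed0=natd
natd_tun0=8669

# RFC 1918 private ranges.  Nothing addressed from or to these should
# cross an external interface.  (Listing 172.31.0.0/16 alone, as an
# earlier version did, covers only one /16 of the 172.16.0.0/12 block.)
nonroutables="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

#######################################
# Run $fwcmd with every argument that is exactly the token DEV replaced
# by the interface name in $1.  All other arguments are passed through as
# the separate words they were given, so a rule never goes through eval
# or a sed round trip and cannot be re-split or re-interpreted.
# Globals:   fwcmd (read)
# Arguments: $1 - interface name; $2.. - ipfw arguments, DEV = interface
# Returns:   the exit status of $fwcmd
#######################################
fwcmd_dev() {
  dev=$1
  shift
  # Rotate the positional parameters once, substituting DEV as we go.
  n=$#
  while [ "$n" -gt 0 ]; do
    arg=$1
    shift
    if [ "$arg" = DEV ]; then
      arg=$dev
    fi
    set -- "$@" "$arg"
    n=$((n - 1))
  done
  # shellcheck disable=SC2086 -- fwcmd is deliberately word-split
  $fwcmd "$@"
}

#######################################
# Add one rule per external interface; DEV in the rule is the interface.
# Globals:   all_externals (read)
# Arguments: ipfw arguments
#######################################
fwcmd_e() {
  for e in $all_externals; do
    fwcmd_dev "$e" "$@"
  done
}

#######################################
# Add one rule per internal interface; DEV in the rule is the interface.
# Globals:   all_internals (read)
# Arguments: ipfw arguments
#######################################
fwcmd_i() {
  for i in $all_internals; do
    fwcmd_dev "$i" "$@"
  done
}

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Let me talk to the BY modem's web status page
fwcmd_e add allow all from any to 192.168.100.1 via DEV

# Don't let non routable IP packets leak out
for nonroute in $nonroutables; do
  fwcmd_e add deny log all from any to "$nonroute" via DEV
done

# Divert all packets through the natted interfaces.  The divert port is
# read from the natd_<if> variable set above; the interface name is
# checked to be a plain identifier before it is spliced into a variable
# name, so nothing but the lists in this file can reach the eval.
for e in $all_externals $all_internals; do
  case $e in
    *[!A-Za-z0-9_]*) continue ;;
  esac
  eval "port=\${natd_$e:-}"
  [ -z "$port" ] || $fwcmd add divert "$port" all from any to any via "$e"
done

# Allow all data from my network card and localhost.
fwcmd_i add allow all from any to any via DEV

#Line to allow BY Cable modem to respond to traceroute
fwcmd_e add allow icmp from 10.124.192.1 to any via DEV

#BY modem web status page
fwcmd_e add allow all from 192.168.100.1 to any via DEV

# Don't let non routable IPs get in (probably spoofed)
for nonroute in $nonroutables; do
  fwcmd_e add deny log all from "$nonroute" to any via DEV
done

# Allow all connections that I initiate.
fwcmd_e add allow tcp from any to any out xmit DEV setup

# Once connections are made, allow them to stay open.
fwcmd_e add allow tcp from any to any via DEV established

# Everyone on the internet is allowed to connect to the following
# services on the machine.  Remove # from those you want
$fwcmd add allow tcp from any to any http setup
#$fwcmd add allow tcp from any to any ftp setup
$fwcmd add allow tcp from any to any ssh setup
#$fwcmd add allow tcp from any to any telnet setup
$fwcmd add allow tcp from any to any smtp setup

# X11 + VNC  Bad karma
# fwcmd_e add allow tcp from any to any 6000 via DEV setup
# fwcmd_e add allow tcp from any to any 6001 via DEV setup
# fwcmd_e add allow tcp from any to any 6010 via DEV setup
# fwcmd_e add allow tcp from any to any 6011 via DEV setup

# This sends a RESET to all ident packets.
fwcmd_e add reset log tcp from any to any ident in recv DEV

# Allow outgoing DNS queries
fwcmd_e add allow udp from any to any domain out xmit DEV keep-state

# Allow them back in with the answers... :)
# NOTE(review): the keep-state rule above already admits the replies to
# our own queries; this rule additionally passes any inbound UDP whose
# source port happens to be 53, so consider whether it is still needed.
fwcmd_e add allow udp from any domain to any in recv DEV

# time synchronisation
fwcmd_e add allow udp from any to any ntp out xmit DEV keep-state

# dhcp
$fwcmd add pass udp from any to any bootpc keep-state
fwcmd_e add allow udp from any to any bootps out xmit DEV
fwcmd_e add allow udp from any bootps to any in recv DEV

# traceroute
$fwcmd add allow log udp from any to any 33434-33499 out

# Igmp from CM, No one seems to know if this is necessary, so I
# let it in.
fwcmd_e add allow igmp from 192.168.100.1 to any in via DEV

# Allow ICMP (for ping and traceroute to work).  You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add allow icmp from any to any

# Deny and log setups from outside, just deny the rest of the attempt
fwcmd_e add deny log tcp from any to any in via DEV setup
$fwcmd add deny tcp from any to any

# Deny and log non tcp from outside
fwcmd_e add deny log ip from any to any in via DEV

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any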
Notes:
See Also: