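#!/bin/sh
# bling.properkernel.com's old firewalling rules (before check-state).
# This script is unpublished work by Andre Guibert de Bruet.
#
# Stateless ipfw ruleset: every permitted service gets an explicit pair of
# rules (one per direction) on the Internet-facing interface, and rule 65530
# logs and rejects whatever is left.
#
# NOTE(review): the inbound "reply" rules below match only on the remote
# *source* port (e.g. "from any ssh to me ${UNPRIV}").  Without `established`
# or check-state/keep-state the kernel cannot tell a reply from a fresh
# connection that merely uses that source port, so every unprivileged local
# port is reachable through such a rule.  That is the weakness the title
# refers to; the check-state successor of this ruleset is the fix.

# ipfw program.  Overridable from the environment so a non-default path can
# be supplied without editing the script; the default is the original "ipfw".
IPFW=${IPFW:-ipfw}

# Flush any rules that we might currently have in place.
# Between this flush and rule 65530 at the bottom the host is protected only
# by the kernel's default rule (65535); keep the script short-running and do
# not interrupt it.
${IPFW} -f flush
${IPFW} zero 65535

# Ethernet cards in this system.  ETHER2..ETHER5 are placeholders and are not
# referenced by any rule below.
ETHER0=em0
ETHER1=rl0
ETHER2=
ETHER3=
ETHER4=
ETHER5=
LOOP=lo0

# System's main ethernet card.  This is the card that packets use to
# get out to the Internet.
ETHER=${ETHER0}

# Network addressing.  Local, loopback, friendly networks.
# SEG_LOOP is a /24 of loopback space, not the whole 127.0.0.0/8; kept as the
# author wrote it.  SEG_NAT is only referenced by the commented-out NAT rules.
SEG_LAN="10.0.1.0/24"
SEG_LOOP="127.0.0.1/24"
SEG_NAT="10.0.2.0/24"

# Hosts on the LAN.  Only HOST_ROUTER is used by a live rule (syslog);
# the others are kept for reference.
ROUTER="10.0.1.1"
HOST_ROUTER=${ROUTER}
HOST_BLING="bling.home"
HOST_SUSHIBSD="sushibsd.home"
HOST_OMEGA="omega.home"
HOST_CRUZAR="cruzar.home"
HOST_REBOOT="reboot.home"
#HOST_OMIKRON="omikron.home"

# Port ranges.  PRIV is defined but unused by the rules below.
PRIV=1-1024
UNPRIV=1025-65535

# Protocol counters.
${IPFW} add count icmp from any to any
${IPFW} add count tcp from any to any
${IPFW} add count udp from any to any

# General counters - "Friendly" destinations.
${IPFW} add count all from ${SEG_LAN} to ${SEG_LAN} in via ${ETHER}
${IPFW} add count all from ${SEG_LAN} to ${SEG_LAN} out via ${ETHER}

# Global destinations.
# The address list is written "${SEG_LAN}, ${SEG_LOOP}" (space after the
# comma) exactly as in the original; the shell passes it as two arguments and
# ipfw's address-list parser is expected to join them -- confirm with
# "ipfw list" after loading.
${IPFW} add count all from not ${SEG_LAN}, ${SEG_LOOP} to any in via ${ETHER}
${IPFW} add count all from any to not ${SEG_LAN}, ${SEG_LOOP} out via ${ETHER}

# Divert sockets
#${IPFW} add divert natd all from any to any via ${ETHER0}

###########################
# TCP
###########################

# ftp client.  Active-mode FTP: the server opens the data connection from
# port 20, so this pair cannot be restricted with `established`.
${IPFW} add allow tcp from any 20 to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any 20 out via ${ETHER}
${IPFW} add allow tcp from any ftp to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any ftp out via ${ETHER}

# ssh incoming.  Open to any source address; narrow "any" to the networks
# that actually need shell access if the host is Internet-facing.
${IPFW} add allow tcp from any ${UNPRIV} to me ssh in via ${ETHER}
${IPFW} add allow tcp from me ssh to any ${UNPRIV} out via ${ETHER}

# ssh outgoing
${IPFW} add allow tcp from any ssh to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any ssh out via ${ETHER}

# telnet outgoing
${IPFW} add allow tcp from any telnet to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any telnet out via ${ETHER}

# smtp incoming (server)
#${IPFW} add allow tcp from any ${UNPRIV} to me smtp in via ${ETHER}
#${IPFW} add allow tcp from me smtp to any ${UNPRIV} out via ${ETHER}

# smtp outgoing
${IPFW} add allow tcp from any smtp to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any smtp out via ${ETHER}

# whois
${IPFW} add allow tcp from any nicname to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any nicname out via ${ETHER}

# finger
${IPFW} add allow tcp from any finger to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any finger out via ${ETHER}

# http browsing
${IPFW} add allow tcp from any http to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any http out via ${ETHER}
#${IPFW} add allow tcp from any http to ${SEG_NAT} ${UNPRIV} in via ${ETHER}
#${IPFW} add allow tcp from any http to ${SEG_NAT} ${UNPRIV} out via ${ETHER1}
#${IPFW} add allow tcp from ${SEG_NAT} ${UNPRIV} to any http in via ${ETHER1}
#${IPFW} add allow tcp from ${SEG_NAT} ${UNPRIV} to any http out via ${ETHER}

# httpd
${IPFW} add allow tcp from any ${UNPRIV} to me http in via ${ETHER}
${IPFW} add allow tcp from me http to any ${UNPRIV} out via ${ETHER}

# https client
${IPFW} add allow tcp from any https to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any https out via ${ETHER}

# dnetc/2064
${IPFW} add allow tcp from any 2064 to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any 2064 out via ${ETHER}

# cvs/2401
${IPFW} add allow tcp from any cvspserver to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any cvspserver out via ${ETHER}

# aim/oscar
${IPFW} add allow tcp from any aol to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any aol out via ${ETHER}

# cvsup
${IPFW} add allow tcp from any cvsup to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any cvsup out via ${ETHER}

# X11 outgoing/6000
${IPFW} add allow tcp from any x11 to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any x11 out via ${ETHER}

# irc/6667
${IPFW} add allow tcp from any ircd to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any ircd out via ${ETHER}

# http/8080
${IPFW} add allow tcp from any 8080 to me ${UNPRIV} in via ${ETHER}
${IPFW} add allow tcp from me ${UNPRIV} to any 8080 out via ${ETHER}

###########################
# UDP
###########################

# dns server
${IPFW} add allow udp from any to me domain in via ${ETHER}
${IPFW} add allow udp from me domain to any out via ${ETHER}

# dns queries
${IPFW} add allow udp from any domain to me in via ${ETHER}
${IPFW} add allow udp from me to any domain out via ${ETHER}

# ntp
${IPFW} add allow udp from any ntp to me in via ${ETHER}
${IPFW} add allow udp from me to any ntp out via ${ETHER}

# smb.  Explicit reject so NetBIOS chatter from the LAN is answered with an
# unreachable instead of being silently logged by rule 65530.
${IPFW} add reject udp from ${SEG_LAN} to any 137,138 in via ${ETHER}

# syslog/514.  Accepted from the router only.
${IPFW} add allow udp from ${HOST_ROUTER} to me 514 in via ${ETHER}
${IPFW} add allow udp from me 514 to ${HOST_ROUTER} out via ${ETHER}

###########################
# ICMP
###########################

# ICMP 'Host unreachable' is permissible (types 3, 11, 12), outbound only.
# No inbound ICMP is allowed by any rule above, so it falls through to 65530.
${IPFW} add allow icmp from me to any out icmptype 3,11,12 via ${ETHER}

###########################
# IP
###########################

# Loopback traffic between local processes.
${IPFW} add allow ip from me to me via ${LOOP}

# log and drop everything else...
# "logamount 0" means unlimited logging for this rule; watch syslog volume.
${IPFW} add 65530 unreach host log logamount 0 ip from any to any

###########################
# IPV6
###########################

#ip6fw add allow ipv6 from any to any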