#!/bin/sh
#
# Setup system for firewall service.
#
# Loads an ipfw(8) ruleset for a small NAT gateway: one outside interface
# (${oif}, CATV/DHCP or PPPoE) and one inside network (${inner}).  Rules are
# evaluated first-match; the order below is the policy, so do not reorder.
#
# Rule sets used (toggled at runtime with "ipfw set enable|disable N"):
#   set 3  - deny source-routed packets, pass IP fragments
#   set 4  - ICMP filtering (redirect, inbound echo)
#   set 5  - vtun tunnel traffic
#   set 9  - "weak" rule: open UDP to/from this host
#   set 10 - "weak" rule: open TCP setup to this host
# Rules with no "set" keyword land in set 0, which is always enabled.
#
# NOTE(review): this listing was recovered from a rendering that had lost its
# line breaks.  A "#" directly in front of a ${fwcmd} command has been read as
# that command being commented out (sets 1, 3, 4 and 9 therefore stay enabled,
# sets 5 and 10 are disabled); confirm each such line against the original.
#
# NOTE(review): there is no error handling.  A rule that ipfw rejects is simply
# skipped and the script carries on, which can leave a gap in the policy;
# consider checking the exit status of each ${fwcmd} call.
#
fwcmd=/sbin/ipfw
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
# set 1 is debug rule (no rules are added to set 1 in this file)
# ${fwcmd} set disable 1
# set 3 is source-routing and fragment packet rules
# ${fwcmd} set disable 3
# set 4 is icmp ( ping etc )
# ${fwcmd} set disable 4
# set 5 is for vtun
${fwcmd} set disable 5
# set 9 is weak ( UDP open ) rule -- default: disable
# NOTE(review): the comment above says "default: disable", but the disable is
# commented out, so set 9 (pass udp from any to me, see below) is live after
# this script runs.  Confirm that opening UDP to this host is intended.
# ${fwcmd} set disable 9
# set 10 is weak ( TCP open ) rule -- default: disable
${fwcmd} set disable 10
# set these to your outside interface network and netmask and ip
oif="fxp0" # for CATV DHCP
#oif="tun0" # for PPPoE
# outside host address; not referenced by any rule in this file
bh="192.47.37.3"
# set these to your inside interface network and netmask and ip
# (iif and iip are not referenced by any rule in this file; only inner is)
iif="rl0"
inner="192.168.10.0/24"
iip="192.168.10.1"
# loopback interface: allow lo0, and refuse 127/8 addresses on any other path
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# vtun tunnel traffic (set 5); commented out here and set 5 is disabled above
# ${fwcmd} add set 5 pass all from any to any via tun0
# allow bootp (DHCP for CATV) on the outside interface, both directions
${fwcmd} add pass all from any 67,68 to any 67,68 via ${oif}
# Stop spoofing: RFC 1918 sources must never arrive on the outside interface
# (ipfw or-block; the closing "}" must be a word of its own, as it is here)
${fwcmd} add deny all from {10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 } to any in recv ${oif}
# Deny netbios, DCOMRPC from/to outer (tftp, epmap, netbios, smb, 4444)
# Placed before the natd divert so the check runs on the untranslated packet.
${fwcmd} add deny all from any to any 69,135,137-139,445,4444 via ${oif}
${fwcmd} add deny all from any 69,135,137-139,445,4444 to any via ${oif}
# NAT: hand every packet on the outside interface to natd(8), which must be
# running on the default divert port for this to work
${fwcmd} add divert natd all from any to any via ${oif}
# stateful inspection: match packets against the dynamic rules created by the
# keep-state rules below
${fwcmd} add check-state
# NOTE(review): "established" matches on TCP flags (RST or ACK set), not on
# dynamic state, so any segment carrying those flags passes here regardless of
# whether a session exists; the "setup" rules below are what block new inbound
# connections.
${fwcmd} add allow tcp from any to any established
# syn flood DoS attack: alternate rule, swap with the allow above if needed
# ${fwcmd} add deny tcp from any to any established
# Deny Source Routing Packet (set 3)
$fwcmd add set 3 deny all from any to any ipoptions ssrr
$fwcmd add set 3 deny all from any to any ipoptions lsrr
# Allow IP fragments to pass through (set 3)
${fwcmd} add set 3 pass all from any to any frag
# Allow any traffic from me to my own net.
# (outbound TCP from the gateway or the inner network to anywhere, stateful)
# Allow FTP-DATA ( normal/server & passive/client ).
${fwcmd} add allow tcp from { me or ${inner} } to any setup keep-state
# Allow FTP,SSHD,SMTP,DNS,POP3,IMAP,HTTP,HTTPS from outer
# Allow FTP-DATA ( passive/server & normal/client )
# NOTE(review): 1024-65535 opens every unprivileged port on this host to the
# outside for passive FTP; if the FTP server's passive range is configurable,
# narrow this to that range.  Matches are logged.
${fwcmd} add pass log tcp from any to me 21,22,25,53,67,80,110,143,443,1024-65535 setup keep-state
# weak rule (set 10, disabled above): any TCP setup to this host
${fwcmd} add set 10 pass log tcp from any to me setup keep-state
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in recv ${oif} setup
# everything TCP not accepted by the state/established/setup rules above
${fwcmd} add deny tcp from any to any
# Allow DNS,NTP queries out in the world (stateful, from gateway or inner net)
${fwcmd} add pass udp from { me or ${inner} } to any 53,123 keep-state
# weak rules (set 9): open UDP to and from this host -- see the NOTE at the
# set 9 disable line above; set 9 is enabled as this file stands
${fwcmd} add set 9 pass udp from any to me keep-state
${fwcmd} add set 9 pass udp from me to any keep-state
# Reject other UDP connections
${fwcmd} add deny udp from any to any
# Deny redirect (ICMP type 5) on the outside interface (set 4)
$fwcmd add set 4 deny icmp from any to any via ${oif} icmptypes 5
# Deny ping(ECHO) from outer (set 4)
# NOTE(review): this only covers echo requests addressed to ${inner}; echo
# requests to the gateway's own outside address fall through to the
# "pass icmp" rule below.  Confirm that pinging the gateway is intended.
$fwcmd add set 4 deny icmp from any to ${inner} in via ${oif} icmptypes 8
$fwcmd add pass icmp from any to any
# default policy: drop whatever was not matched above
${fwcmd} add deny all from any to any