ipfw sample

日付	2007.01.15
タイトル	ipfw sample
本文	#!/bin/sh - case ${firewall_quiet} in [Yy][Ee][Ss]) fwcmd="/sbin/ipfw -q" ;; *) fwcmd="/sbin/ipfw" ;; esac # internet interface OIF=lnc0 # internet ip addr OIP=192.168.1.15 # internet network addr ONW=192.168.1.0/24 # lan interface IIF=lnc0 # lan ip addr IIP=192.168.1.15 # lan network addr INW=192.168.1.0/24 # safety #(sleep 30 && # ${fwcmd} -f flush && # ${fwcmd} add allow ip from any to any) & # init ${fwcmd} -f flush # loopback ${fwcmd} add pass ip from any to any via lo0 ${fwcmd} add deny ip from any to 127.0.0.0/8 ${fwcmd} add deny ip from 127.0.0.0/8 to any # spoofing #${fwcmd} add deny all from ${INW} to any in via ${OIF} #${fwcmd} add deny all from ${ONW} to any in via ${IIF} # inside lan. #${fwcmd} add pass ip from ${INW} to ${IIP} in recv ${IIF} #${fwcmd} add pass ip from ${IIP} to ${INW} out xmit ${IIF} # Open Services ----------------------------------------------- # allow TCP already established ${fwcmd} add pass tcp from any to any established # ftp ${fwcmd} add pass tcp from any to me ftp,65020 setup # ssh ${fwcmd} add pass tcp from any to me ssh setup # telnet ${fwcmd} add pass tcp from any to me telnet setup # mail ${fwcmd} add pass tcp from any to me smtp,pop3 setup # dns ${fwcmd} add pass tcp from any to me domain setup ${fwcmd} add pass udp from any to me domain keep-state # web ${fwcmd} add pass tcp from any to me http,https setup # ntp for local ${fwcmd} add pass udp from ${INW} to me ntp via ${IIF} keep-state # traceroute ${fwcmd} add pass udp from any 32768-65535 to me 33434-33623 keep-state # icmp (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed) ${fwcmd} add pass icmp from any to me icmptypes 0,3,8,11 keep-state # to outside -------------------------------------------------- # tcp any (and need pass established) ${fwcmd} add pass tcp from me to any setup # dns ${fwcmd} add pass udp from me to any domain keep-state # ntp ${fwcmd} add pass udp from me to any ntp keep-state # snmp ${fwcmd} add pass udp from me to any snmp keep-state # traceroute ${fwcmd} add pass udp from me 32768-65535 to any 33434-33623 keep-state # icmp (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed) ${fwcmd} add pass icmp from me to any icmptypes 0,3,8,11 keep-state # default policy ---------------------------------------------- ${fwcmd} add deny log ip from any to any

日付

2007.01.15

タイトル

ipfw sample

本文

#!/bin/sh -

case ${firewall_quiet} in [Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

# internet interface
OIF=lnc0
# internet ip addr
OIP=192.168.1.15
# internet network addr
ONW=192.168.1.0/24
# lan interface
IIF=lnc0
# lan ip addr
IIP=192.168.1.15
# lan network addr
INW=192.168.1.0/24


# safety
#(sleep 30 &&
#    ${fwcmd} -f flush &&
#    ${fwcmd} add allow ip from any to any) &


# init
${fwcmd} -f flush

# loopback
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# spoofing
#${fwcmd} add deny all from ${INW} to any in via ${OIF}
#${fwcmd} add deny all from ${ONW} to any in via ${IIF}

# inside lan.
#${fwcmd} add pass ip from ${INW} to ${IIP} in recv ${IIF}
#${fwcmd} add pass ip from ${IIP} to ${INW} out xmit ${IIF}


# Open Services -----------------------------------------------
# allow TCP already established
${fwcmd} add pass tcp from any to any established

# ftp
${fwcmd} add pass tcp from any to me ftp,65020 setup
# ssh
${fwcmd} add pass tcp from any to me ssh setup
# telnet
${fwcmd} add pass tcp from any to me telnet setup
# mail
${fwcmd} add pass tcp from any to me smtp,pop3 setup
# dns
${fwcmd} add pass tcp from any to me domain setup
${fwcmd} add pass udp from any to me domain keep-state
# web
${fwcmd} add pass tcp from any to me http,https setup
# ntp for local
${fwcmd} add pass udp from ${INW} to me ntp via ${IIF} keep-state
# traceroute
${fwcmd} add pass udp from any 32768-65535 to me 33434-33623 keep-state
# icmp  (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed)
${fwcmd} add pass icmp from any to me icmptypes 0,3,8,11 keep-state


# to outside --------------------------------------------------

# tcp any (and need pass established)
${fwcmd} add pass tcp from me to any setup
# dns
${fwcmd} add pass udp from me to any domain keep-state
# ntp
${fwcmd} add pass udp from me to any ntp keep-state
# snmp
${fwcmd} add pass udp from me to any snmp keep-state
# traceroute
${fwcmd} add pass udp from me 32768-65535 to any 33434-33623 keep-state
# icmp  (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed)
${fwcmd} add pass icmp from me to any icmptypes 0,3,8,11 keep-state


# default policy ----------------------------------------------
${fwcmd} add deny log ip from any to any