ipfw sample

日付 2007.01.15
タイトル ipfw sample
本文
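#!/bin/sh -
#
# ipfw sample ruleset for a single-homed FreeBSD host.
#
# Intended use: point rc.conf's firewall_script at this file. The host has
# one NIC (lnc0) that carries both the "internet" and "lan" sides, so the
# OIF/IIF and OIP/IIP pairs below hold the same values and the per-interface
# anti-spoofing rules are left disabled.
#
# Policy: everything not explicitly passed is denied and logged. Inbound
# services are opened per port; outbound TCP is unrestricted. TCP is tracked
# statefully (check-state / keep-state) instead of the older
# "pass tcp from any to any established" rule: "established" only tests the
# ACK/RST flag bits, so it let any unsolicited segment carrying those bits
# (ACK scans, spoofed RSTs) reach any port regardless of the rules below.

# firewall_quiet is presumably the rc.conf knob of the same name; when it is
# not in this script's environment the verbose form of ipfw is used.
# ${fwcmd} is intentionally left unquoted everywhere so that "-q" splits off
# into its own argument.
# shellcheck disable=SC2086
case "${firewall_quiet}" in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

# Interface / address bookkeeping. On this host both sides are the same NIC;
# the two sets are kept separate so a second NIC can be added by editing
# only these lines (and re-enabling the spoofing rules further down).
# internet interface
OIF=lnc0
# internet ip addr
OIP=192.168.1.15
# internet network addr
ONW=192.168.1.0/24
# lan interface
IIF=lnc0
# lan ip addr
IIP=192.168.1.15
# lan network addr
INW=192.168.1.0/24


# Lockout guard for editing this file over a remote session: uncomment it
# while testing and the ruleset is replaced by allow-all 30 seconds after
# this script starts. After "-f flush" only the kernel's default rule
# remains, which denies unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT -- hence the explicit allow. Re-comment it
# once the rules are known to work, or the firewall opens itself on every
# load.
#(sleep 30 &&
#    ${fwcmd} -f flush &&
#    ${fwcmd} add allow ip from any to any) &


# init: drop every existing rule; until the rules below are installed only
# the kernel default rule applies.
${fwcmd} -f flush

# loopback: pass everything on lo0, then reject 127/8 addresses seen on any
# other interface (they can only be spoofed there).
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

# spoofing: disabled because OIF and IIF are the same interface here, so the
# two networks cannot be told apart by arrival interface. Enable both rules
# as soon as the host has distinct internet and lan NICs.
#${fwcmd} add deny all from ${INW} to any in via ${OIF}
#${fwcmd} add deny all from ${ONW} to any in via ${IIF}

# inside lan: blanket lan<->host pass, disabled; the per-service rules below
# apply to the lan as well.
#${fwcmd} add pass ip from ${INW} to ${IIP} in recv ${IIF}
#${fwcmd} add pass ip from ${IIP} to ${INW} out xmit ${IIF}


# Open Services -----------------------------------------------
# Stateful matching: every "setup keep-state" rule below creates a dynamic
# rule for the connection it accepts, and this check-state matches the rest
# of that connection in both directions. Packets that belong to no accepted
# connection fall through to the per-port rules and finally to the deny.
# Caveat: idle TCP connections age out of the dynamic table after
# net.inet.ip.fw.dyn_ack_lifetime seconds (300 by default); raise it or use
# TCP keepalives for long-lived sessions such as ssh.
${fwcmd} add check-state

# ftp: control port plus 65020 (presumably the passive-mode data port set in
# the ftp daemon -- verify against its configuration)
# NOTE(review): ftp, telnet and pop3 carry credentials in clear text; remove
# the rules for any of these services that are not actually required.
${fwcmd} add pass tcp from any to me ftp,65020 setup keep-state
# ssh
${fwcmd} add pass tcp from any to me ssh setup keep-state
# telnet
${fwcmd} add pass tcp from any to me telnet setup keep-state
# mail
${fwcmd} add pass tcp from any to me smtp,pop3 setup keep-state
# dns: inbound queries, only needed if this host serves DNS to others; a
# resolver-only host needs just the outbound rule below.
${fwcmd} add pass tcp from any to me domain setup keep-state
${fwcmd} add pass udp from any to me domain keep-state
# ntp, lan clients only
${fwcmd} add pass udp from ${INW} to me ntp via ${IIF} keep-state
# traceroute: classic UDP probes into the 33434-33623 destination range
${fwcmd} add pass udp from any 32768-65535 to me 33434-33623 keep-state
# icmp  (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed)
${fwcmd} add pass icmp from any to me icmptypes 0,3,8,11 keep-state


# to outside --------------------------------------------------

# tcp any; the reply traffic is matched by the dynamic rule via check-state
${fwcmd} add pass tcp from me to any setup keep-state
# dns
${fwcmd} add pass udp from me to any domain keep-state
# ntp
${fwcmd} add pass udp from me to any ntp keep-state
# snmp: this host polls other devices (no inbound snmp is opened)
${fwcmd} add pass udp from me to any snmp keep-state
# traceroute
${fwcmd} add pass udp from me 32768-65535 to any 33434-33623 keep-state
# icmp  (0 = echo reply, 3 = dest unreach, 8 = echo request, 11 = ttl exceed)
${fwcmd} add pass icmp from me to any icmptypes 0,3,8,11 keep-state


# default policy ----------------------------------------------
# Deny and log everything else. Logging only happens with
# net.inet.ip.fw.verbose=1 and is rate-limited by net.inet.ip.fw.verbose_limit
# (or a "logamount" on this rule).
${fwcmd} add deny log ip from any to any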