February 11, 2010

FreeBSD - IPFW - Script.sh

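#!/bin/sh
#
# FreeBSD ipfw ruleset for a small two-interface gateway: ${LanOut} faces the
# Internet, ${LanIn} faces the LAN. It provides natd-based NAT for the LAN,
# a transparent squid proxy for LAN web traffic, a public web server on the
# gateway, and a 512K bandwidth pipe in each direction for one LAN host
# (${LocalPC}). The ruleset is stateless and ends with a deny-all rule, so
# anything not explicitly allowed above that rule is dropped.
#
# Usage: edit the variables below, then run as root. Running this over a
# remote session will interrupt that session while the rules are rebuilt.

# Copyright Fedenko Vyacheslav
# Contact e-mail: vyacheslav@fedenko.info

FwCMD="/sbin/ipfw"

LanOut="de1"                     # external (Internet) interface
LanIn="de0"                      # internal (LAN) interface
IpOut="some OUT ip address"      # address of this host on ${LanOut}
IpIn="some IN ip address"        # address of this host on ${LanIn}; not used by any rule below
NetMask="24"
NetIn="192.168.0.0"              # LAN network, used as ${NetIn}/${NetMask}
LocalPC="some ip of local pc"    # LAN host that gets the bandwidth pipes and unrestricted replies

# Refuse to touch the running ruleset while the placeholders above are still
# in place: an IPv4 address never contains a space, so a value containing one
# (or an empty value) has not been edited. Checking before the flush means a
# misconfigured run leaves the existing firewall untouched.
for v in "${IpOut}" "${LocalPC}"; do
  case "${v}" in
    ""|*" "*)
      echo "edit IpOut and LocalPC before running this script" >&2
      exit 1
      ;;
  esac
done

# Start from an empty ruleset and empty dummynet configuration. Until the
# rules below are re-added only the kernel's default rule (65535) applies.
"${FwCMD}" -f flush
"${FwCMD}" -f pipe flush
"${FwCMD}" -f queue flush

# loopback: allow everything on lo0, and refuse 127/8 anywhere else (spoofing)
"${FwCMD}" add allow ip from any to any via lo0
"${FwCMD}" add deny ip from any to 127.0.0.0/8
"${FwCMD}" add deny ip from 127.0.0.0/8 to any

# Inbound on the external interface: drop packets addressed to private
# (RFC 1918), unspecified, link-local, multicast and reserved ranges. These
# rules run before the inbound natd divert, so they see the untranslated
# destination (${IpOut}) of legitimate NAT replies and do not affect them.
"${FwCMD}" add deny ip from any to 10.0.0.0/8 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 172.16.0.0/12 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 192.168.0.0/16 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 0.0.0.0/8 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 169.254.0.0/16 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 224.0.0.0/4 in via "${LanOut}"
"${FwCMD}" add deny ip from any to 240.0.0.0/4 in via "${LanOut}"
# fragmented ICMP is never legitimate here; limited broadcast is logged
"${FwCMD}" add deny icmp from any to any frag
"${FwCMD}" add deny log icmp from any to 255.255.255.255 in via "${LanOut}"
"${FwCMD}" add deny log icmp from any to 255.255.255.255 out via "${LanOut}"

# Outbound on the external interface: do not leak packets with bogus source
# addresses. 192.168.0.0/16 is deliberately NOT in this list: the LAN's
# traffic still carries its private source address at this point (the natd
# divert comes later), so denying it here would break NAT for the LAN.
"${FwCMD}" add deny ip from 10.0.0.0/8 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 172.16.0.0/12 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 0.0.0.0/8 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 169.254.0.0/16 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 224.0.0.0/4 to any out via "${LanOut}"
"${FwCMD}" add deny ip from 240.0.0.0/4 to any out via "${LanOut}"

# public web server on the gateway: TCP only (a port match on proto "ip"
# would also admit UDP/SCTP port 80, which the web server does not use)
"${FwCMD}" add allow tcp from any to "${IpOut}" 80 in via "${LanOut}"

# allow everything between LAN hosts on the internal interface
"${FwCMD}" add allow ip from "${NetIn}/${NetMask}" to "${NetIn}/${NetMask}" via "${LanIn}"

# transparent squid proxy: LAN web traffic is redirected to the local squid
# before it can reach the NAT divert below.
# NOTE(review): this matches on ${LanOut}; the usual transparent-proxy
# placement is "in via ${LanIn}" -- confirm fwd to a local address works on
# the output path of your release.
"${FwCMD}" add fwd 127.0.0.1,3128 tcp from "${NetIn}/${NetMask}" to any 80 via "${LanOut}"

# NAT: LAN traffic leaving ${LanOut} and anything arriving for ${IpOut} is
# handed to natd. After a divert the search resumes at the next rule with the
# translated packet, so the inbound rules below see the de-NATed destination.
"${FwCMD}" add divert natd ip from "${NetIn}/${NetMask}" to any out via "${LanOut}"
"${FwCMD}" add divert natd ip from any to "${IpOut}" in via "${LanOut}"

# Internet access for the gateway itself. "established" is stateless: any
# inbound TCP segment to ${IpOut} with ACK or RST set is accepted, regardless
# of whether the gateway opened the connection. ipfw's check-state/keep-state
# would be the stricter alternative. Because the destination of NAT replies
# has already been rewritten to a LAN address, this rule does not cover them.
"${FwCMD}" add allow all from any to "${IpOut}" in via "${LanOut}" established
"${FwCMD}" add allow all from "${IpOut}" to any out via "${LanOut}"

# DNS replies to the gateway's own resolver. UDP only: TCP answers already
# match the "established" rule above. Matching on source port 53 alone lets
# anyone who chooses that source port reach any UDP service on ${IpOut};
# keep-state on the outbound query is the stricter alternative.
"${FwCMD}" add allow udp from any 53 to "${IpOut}" in via "${LanOut}"

# ICMP for the gateway: echo reply/request, unreachable, source quench,
# time exceeded, parameter problem (types 0,3,4,8,11,12)
"${FwCMD}" add allow icmp from any to "${IpOut}" in via "${LanOut}" icmptype 0,3,4,8,11,12
"${FwCMD}" add allow icmp from "${IpOut}" to any out via "${LanOut}" icmptype 0,3,4,8,11,12

# Bandwidth pipes for ${LocalPC}: 512 Kbit/s in each direction with a 32 KByte
# queue. Pipe rules are not terminal, so the packet continues down the list.
"${FwCMD}" add pipe 1 ip from "${LocalPC}" to any in via "${LanIn}"
"${FwCMD}" pipe 1 config bw 512K queue 32K

# ${LocalPC} is the only LAN host whose de-NATed inbound packets are allowed
# (any protocol); other LAN hosts only reach the Internet through squid.
"${FwCMD}" add allow ip from any to "${LocalPC}" in via "${LanOut}"

"${FwCMD}" add pipe 2 ip from any to "${LocalPC}" out via "${LanIn}"
"${FwCMD}" pipe 2 config bw 512K queue 32K

# default: drop everything not allowed above
"${FwCMD}" add deny all from any to any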
