IPFW example
# rc.conf(5) settings that turn on ipfw at boot and name the ruleset script.
# Enable the ipfw firewall at boot.
firewall_enable="YES"
# Script executed to load the rules.
# NOTE(review): /etc/rc.firewall is also the path of the stock FreeBSD
# script; keeping a custom ruleset under a separate path avoids it being
# replaced when the base system is updated -- confirm for your setup.
firewall_script="/etc/rc.firewall"
# Enable logging for rules that carry the `log` keyword.
firewall_logging="YES"
#!/bin/sh
# ipfw ruleset loader: defines one function per rule group, then applies them.
#
# If ipfw is not available in the running kernel, load the module first:
#   kldload ipfw
#
# Command prefix used by every rule below. -q keeps ipfw quiet; drop it
# (fwcmd="/sbin/ipfw") to see each rule as it is added.
# The value is expanded unquoted on purpose so that "-q" becomes its own word.
fwcmd='/sbin/ipfw -q'
# Stateful core of the ruleset.
# Globals: fwcmd (read)
#
# NOTE(review): `established` matches on TCP flags (ACK/RST set), not on the
# dynamic state table, so it accepts any TCP segment carrying those flags even
# when no connection was ever tracked. With check-state/keep-state in place,
# confirm this rule is still wanted.
setup_statefull() {
  # Evaluate packets against existing dynamic rules first.
  $fwcmd add check-state
  # Flag-based pass for TCP segments that look like part of a session.
  $fwcmd add allow tcp from any to any established
  # Everything leaving the host is allowed and creates a dynamic rule.
  $fwcmd add allow all from any to any out keep-state
}
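# Allow connections initiated by this host.
# Globals: fwcmd (read)
#
# `setup` matches only TCP segments with SYN set and ACK clear, so on a UDP
# rule it can never match. The UDP rule uses keep-state instead, which lets
# the replies back in through the dynamic rule.
#
# NOTE(review): in the load order shown in this script the earlier
# "allow all ... out keep-state" rule already covers outbound traffic, so
# these rules are probably shadowed -- confirm whether they are still needed.
setup_outgoing() {
  # New outbound TCP connections (SYN only); replies rely on the
  # `established` rule added elsewhere in the ruleset.
  ${fwcmd} add pass tcp from me to any setup
  # Outbound UDP, tracked statefully so answers are accepted.
  ${fwcmd} add pass udp from me to any keep-state
}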
# Loopback handling: trust lo0, reject 127/8 addresses seen anywhere else.
# Globals: fwcmd (read)
setup_loopback() {
  # Anything on the loopback interface itself is fine.
  $fwcmd add pass all from any to any via lo0
  # A 127.0.0.0/8 destination that was not accepted by the lo0 rule above
  # is dropped.
  $fwcmd add deny all from any to 127.0.0.0/8
  # Likewise for a 127.0.0.0/8 source address.
  $fwcmd add deny ip from 127.0.0.0/8 to any
}
# ICMP policy.
# Globals: fwcmd (read)
setup_icmp() {
  # ICMP sent by this host, tracked so the answers are accepted.
  $fwcmd add pass icmp from me to any keep-state
  # Type 8 = echo request (ping), accepted from any source.
  $fwcmd add pass icmp from any to any icmptype 8
  # Types 3, 4, 11 = destination unreachable, source quench, time exceeded.
  # NOTE(review): source quench (type 4) is deprecated; confirm it is needed.
  $fwcmd add pass icmp from any to any icmptype 3,4,11
}
# Source addresses that are allowed unconditionally.
# Globals: fwcmd (read)
#
# Trust here is by source address alone: no interface or direction is given,
# so the rules match wherever such a packet arrives.
# NOTE(review): if this host has an untrusted interface, consider binding
# these rules to the internal one (e.g. with `via` or `in recv`) so a spoofed
# source address is not enough to pass.
setup_allow_ips() {
  # Single trusted host.
  $fwcmd add allow ip from 10.0.0.2 to any
  # Trusted subnet.
  $fwcmd add allow ip from 192.168.0.0/24 to any
}
# Inbound services exposed by this host.
# Globals: fwcmd (read)
#
# NOTE(review): both ports accept connections from any source address. If the
# monitoring server or the admin networks are known, restricting the `from`
# side narrows the exposure.
setup_services() {
  # Zabbix (TCP 10050), inbound.
  $fwcmd add allow tcp from any to any 10050 in
  # SSH (TCP 22), inbound.
  $fwcmd add allow tcp from any to any 22 in
}
# Final catch-all: drop and log whatever no earlier rule accepted.
# Globals: fwcmd (read)
# Must be added after every allow rule, since ipfw stops at the first match.
setup_deny_all() {
  $fwcmd add deny log all from any to any
}
# Open policy: accept every IP packet.
# Globals: fwcmd (read)
# Any rule added after this one is never reached.
setup_allow_all() {
  $fwcmd add allow ip from any to any
}
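# Rebuild the ruleset from scratch. Rules are numbered in the order they are
# added and ipfw stops at the first match, so the call order below is the
# policy order.
# -f skips the confirmation prompt; the -q in fwcmd keeps flush silent, which
# matters when the script is run over a remote login session.
${fwcmd} -f flush
setup_statefull
setup_outgoing
setup_loopback
setup_icmp
setup_allow_ips
setup_services
# End with an explicit, logged deny. Without it the fate of unmatched packets
# depends on the kernel's built-in default rule (deny or accept, depending on
# how the kernel was built/tuned), and nothing in the ruleset carries the
# `log` keyword.
setup_deny_all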