IPFW example
# rc.conf(5) knobs for the FreeBSD ipfw firewall.
# firewall_script names the ruleset script that rc.d/ipfw executes
# (the ipfw script below is meant to be that file — confirm the path).
# firewall_logging turns on ipfw's verbose logging so rules carrying the
# "log" keyword actually produce log lines; without it "log" is inert.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_logging="YES"
#!/bin/sh
# ipfw ruleset, intended to be run as rc.conf's firewall_script.
# kldload ipfw
# fwcmd="/sbin/ipfw"
# -q keeps ipfw quiet about each rule it adds (and implies -f, so "flush"
# does not ask for confirmation).  Keep this variable unquoted at the call
# sites: word splitting is what separates the -q flag from the binary.
fwcmd="/sbin/ipfw -q"
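# Stateful core.  check-state must be the first rule so packets belonging
# to an already-tracked flow are accepted before anything else is
# consulted; every outbound packet then opens a dynamic entry (keep-state)
# that its replies match.
#
# The original ruleset also had `allow tcp from any to any established`.
# "established" matches any TCP segment with ACK or RST set, whether or
# not a tracked flow exists, so it lets unsolicited ACK-flagged inbound
# packets past the firewall and undercuts check-state; it is dropped here.
# Replies to long-idle sessions now depend on ipfw's dynamic-rule
# keepalives (net.inet.ip.fw.dyn_keepalive) instead of that flags-only
# rule — verify that sysctl is enabled on the host.
setup_statefull () {
    ${fwcmd} add check-state
    ${fwcmd} add allow all from any to any out keep-state
}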
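# Let locally originated traffic out.  "setup" is a TCP-only option (SYN
# set, ACK clear), so the original `udp ... setup` rule could never match a
# UDP datagram; the UDP rule is written without it.  Both rules sit behind
# the keep-state rule from setup_statefull when that runs first, so they
# mostly matter if the stateful section is left out.
setup_outgoing () {
    ${fwcmd} add pass tcp from me to any setup
    ${fwcmd} add pass udp from me to any
}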
# Loopback hygiene: anything on lo0 is fine, but 127/8 addresses must never
# be seen on a real interface, in either direction (anti-spoofing).  The
# pass rule has to precede the two deny rules — ipfw stops at the first
# match.  Hosts with IPv6 enabled would want the same treatment for ::1,
# which this function does not cover.
setup_loopback () {
    local lo_net
    lo_net=127.0.0.0/8
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to ${lo_net}
    ${fwcmd} add deny ip from ${lo_net} to any
}
# ICMP policy.  Our own probes (ping, traceroute) may go out and their
# replies ride on the state entry.  The two rules without a direction
# keyword match both ways: echo request (8) so the host answers pings, and
# the error types 3/4/11 (unreachable, source quench, time exceeded) that
# path-MTU discovery and traceroute rely on.  Type 4 is deprecated
# (RFC 6633); dropping it would be a reasonable tightening.
setup_icmp () {
    local icmp_types
    ${fwcmd} add pass icmp from me to any keep-state
    for icmp_types in 8 3,4,11; do
        ${fwcmd} add pass icmp from any to any icmptype ${icmp_types}
    done
}
# Trusted sources that may reach the host on any protocol and port
# (presumably a management host and a LAN — adjust to taste).  Note the
# rules key on the source address only: there is no "in via <iface>"
# qualifier, so a packet spoofed with one of these addresses on the
# outside interface would also match.  Anchoring each rule to the
# interface the address is expected on closes that gap.
setup_allow_ips () {
    local src
    for src in 10.0.0.2 192.168.0.0/24; do
        ${fwcmd} add allow ip from ${src} to any
    done
}
# Inbound services open to any source: the Zabbix agent (10050) and ssh
# (22).  Each rule accepts every inbound TCP segment for its port, not
# just connection setups; "setup keep-state" would be the tighter form.
# The agent port in particular is usually only needed from the monitoring
# server, so restricting its source address is worth considering.
setup_services () {
    local port
    for port in 10050 22; do
        ${fwcmd} add allow tcp from any to any ${port} in
    done
}
# Terminal rule for a default-deny policy: drop and log everything the
# preceding rules did not accept.  The "log" keyword only produces output
# when ipfw verbose logging is enabled (firewall_logging in rc.conf).
# Mutually exclusive with setup_allow_all.
setup_deny_all () {
    $fwcmd add deny log all from any to any
}
# Terminal rule for an open policy: accept everything not matched above.
# Mutually exclusive with setup_deny_all; the main section of this script
# calls neither, so whichever is wanted must be invoked there.
setup_allow_all () {
    $fwcmd add allow ip from any to any
}
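# Rebuild the ruleset from scratch: flush, then install the sections in
# order.  Order matters — ipfw numbers rules sequentially and stops at the
# first match, so the stateful and loopback sections must precede the
# service rules.
${fwcmd} -f flush
setup_statefull
setup_outgoing
setup_loopback
setup_icmp
setup_allow_ips
setup_services
# Terminal policy.  The original script defined setup_deny_all but never
# called it, leaving unmatched packets to the kernel's default rule 65535
# (deny on a stock ipfw, accept if it was built or loaded with the
# default-to-accept option) and logging nothing despite
# firewall_logging="YES".  Calling it makes the policy explicit;
# setup_allow_all is the opposite choice.
setup_deny_all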