@dmarov
Created August 23, 2019 09:17
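#!/bin/sh
#
# ipfw ruleset for a FreeBSD router with two upstream links (ISP1 on tun0,
# ISP2 on vr1) and one LAN interface (vr0).  Each ISP gets its own NAT
# instance, its own named dynamic-rule set (:isp1 / :isp2) and its own
# routing table (FIB 0 / FIB 1), so a connection's replies leave through the
# link it arrived on.  Must run as root, e.g. as firewall_script from rc.conf.
#
# Stop at the first ipfw command that fails and at any unset variable: a rule
# that silently fails to load leaves a ruleset that differs from this file,
# and because the catch-all at 65000 is an "allow", such a gap fails open.
set -eu

# Drop the current ruleset.  -f skips the confirmation prompt; -q keeps the
# flush quiet so the script does not stall writing to a remote session that
# the flush itself may cut off.  Until the rules below are loaded, the
# kernel's default rule (65535) decides what passes.
ipfw -f -q flush

readonly ISP1_IF="tun0"
readonly ISP2_IF="vr1"
readonly LAN_IF="vr0"

# Inbound port forwards, one "redirect_port proto target:port ext_port" entry
# per line.  The two lists differ only in the port-80 target (127.0.0.1:8088
# behind ISP1, 127.0.0.1:8089 behind ISP2).  They are expanded unquoted in
# the nat config lines on purpose: every whitespace-separated token has to
# become its own ipfw argument.
REDIRECT_PORTS_ISP1="redirect_port tcp 127.0.0.1:8088 80
redirect_port tcp 192.168.0.3:443 443
redirect_port tcp 192.168.0.4:25 25
redirect_port tcp 192.168.0.4:587 587
redirect_port tcp 192.168.0.4:465 465
redirect_port tcp 192.168.0.4:143 143
redirect_port tcp 192.168.0.4:993 993
redirect_port tcp 192.168.0.4:110 110
redirect_port tcp 192.168.0.11:8008 8008
redirect_port tcp 192.168.0.11:8448 8448
redirect_port tcp 192.168.0.5:3000 55000"
REDIRECT_PORTS_ISP2="redirect_port tcp 127.0.0.1:8089 80
redirect_port tcp 192.168.0.3:443 443
redirect_port tcp 192.168.0.4:25 25
redirect_port tcp 192.168.0.4:587 587
redirect_port tcp 192.168.0.4:465 465
redirect_port tcp 192.168.0.4:143 143
redirect_port tcp 192.168.0.4:993 993
redirect_port tcp 192.168.0.4:110 110
redirect_port tcp 192.168.0.11:8008 8008
redirect_port tcp 192.168.0.11:8448 8448
redirect_port tcp 192.168.0.5:3000 55000"
readonly REDIRECT_PORTS_ISP1 REDIRECT_PORTS_ISP2

# One NAT instance per ISP.  deny_in drops inbound packets that match no
# translation entry (unsolicited traffic from the ISP side), reset clears
# the translation table when the interface address changes, same_ports
# tries to keep the original source port.  The redirect lists are the only
# holes through deny_in.
# shellcheck disable=SC2086  # word-splitting of the redirect list is intended
ipfw nat 1 config if ${ISP1_IF} deny_in reset same_ports ${REDIRECT_PORTS_ISP1}
# shellcheck disable=SC2086  # word-splitting of the redirect list is intended
ipfw nat 2 config if ${ISP2_IF} deny_in reset same_ports ${REDIRECT_PORTS_ISP2}

# Dispatch.  Existing flows are matched against their named state first;
# anything else is sent to the per-ISP section by the interface it came in
# on or leaves through.
ipfw add 00300 check-state :isp1
ipfw add 00400 check-state :isp2
# New LAN-originated traffic: the two 00500 rules share a number but live in
# set 1 and set 2, so the LAN's default ISP is chosen with
# "ipfw set enable/disable" rather than by editing rules.  If both sets are
# enabled the set-1 rule wins, because equal-numbered rules run in the order
# they were added and this one is a skipto.
ipfw add 00500 set 1 skipto 02000 all from any to any in recv ${LAN_IF}
ipfw add 00500 set 2 skipto 03000 all from any to any in recv ${LAN_IF}
ipfw add 01000 skipto 02000 all from any to any in recv ${ISP1_IF}
ipfw add 01100 skipto 03000 all from any to any in recv ${ISP2_IF}
ipfw add 01200 skipto 02000 all from any to any out xmit ${ISP1_IF}
ipfw add 01300 skipto 03000 all from any to any out xmit ${ISP2_IF}
# No rule 04000 exists; skipto continues at the first rule numbered >= 04000,
# which is the common filter starting at 60000.
ipfw add 01400 skipto 04000 all from any to any

# 2000 - 2999 : isp1
# nat: translate inbound from ISP1 (port forwards apply here), then record
# the flow under :isp1 so its packets keep using this section.
ipfw add 02000 nat 1 all from any to any in recv ${ISP1_IF}
ipfw add 02100 skipto 02200 all from any to any keep-state :isp1
# Pin the routing table to FIB 0 — presumably the FIB holding ISP1's default
# route, configured outside this script.
ipfw add 02200 setfib 0 all from any to any in recv ${LAN_IF}
ipfw add 02300 setfib 0 all from 127.0.0.1 to any out
# nat: translate outbound via ISP1 and jump to the common filter.
ipfw add 02400 nat 1 all from any to any out xmit ${ISP1_IF}
ipfw add 02500 skipto 04000 all from any to any out xmit ${ISP1_IF}
# nat: locally generated traffic (replies from the 127.0.0.1 redirect
# targets) also goes through NAT 1 so it carries the ISP1 address.
ipfw add 02600 nat 1 all from 127.0.0.1 to any out
ipfw add 02999 skipto 04000 all from any to any

# 3000 - 3999 : isp2 — mirror of the ISP1 section with NAT 2 and FIB 1.
# nat
ipfw add 03000 nat 2 all from any to any in recv ${ISP2_IF}
ipfw add 03100 skipto 03200 all from any to any keep-state :isp2
ipfw add 03200 setfib 1 all from any to any in recv ${LAN_IF}
# NOTE(review): unlike rule 02300 this has no "out" qualifier, so it also
# applies to inbound packets claiming a 127.0.0.1 source — confirm whether
# that asymmetry is intended.
ipfw add 03300 setfib 1 all from 127.0.0.1 to any
# nat
ipfw add 03400 nat 2 all from any to any out xmit ${ISP2_IF}
ipfw add 03500 skipto 04000 all from any to any out xmit ${ISP2_IF}
# nat
ipfw add 03600 nat 2 all from 127.0.0.1 to any out
ipfw add 03999 skipto 04000 all from any to any

# 60000+ : common filter (target of every skipto 04000).
# The de-NATed port-80 forwards are now addressed to 127.0.0.1 but were
# received on an ISP interface; allow them here, before the loopback
# anti-spoof rules below would drop them.
ipfw add 60000 allow all from any to 127.0.0.1 8088
ipfw add 60000 allow all from any to 127.0.0.1 8089
# Loopback: permit lo0 itself, then drop loopback addresses (127/8, ::1) seen
# on any other interface.
ipfw add 61000 allow ip from any to any via lo0
ipfw add 61010 deny ip from any to 127.0.0.0/8
ipfw add 61020 deny ip from 127.0.0.0/8 to any
ipfw add 61030 deny ip from any to ::1
ipfw add 61040 deny ip from ::1 to any
# IPv6 housekeeping: link-local/multicast ICMPv6, plus types 1 (destination
# unreachable), 2 (packet too big) and 135/136 (neighbour solicitation /
# advertisement) from anywhere.
ipfw add 61050 allow ipv6-icmp from :: to ff02::/16
ipfw add 61060 allow ipv6-icmp from fe80::/10 to fe80::/10
ipfw add 61070 allow ipv6-icmp from fe80::/10 to ff02::/16
ipfw add 61080 allow ipv6-icmp from any to any ip6 icmp6types 1
ipfw add 61090 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
# Default permit.  Unsolicited IPv4 from the ISP side is already discarded
# by the NAT instances' deny_in, so this mainly trusts the LAN and the host.
# NOTE(review): IPv6 arriving on the ISP links is not subject to NAT and
# reaches this rule unfiltered — confirm that is acceptable.
ipfw add 65000 allow ip from any to any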