-
-
Save gmsotavio/2bd4cb5a5e8311148b34832252bb4555 to your computer and use it in GitHub Desktop.
ipfw config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # This is an attempt at an ipfw config for a cluster with a master node and many | |
| # compute nodes. The master node is acting as a gateway for the compute nodes | |
| # in the LAN (192.168.0.0/24). | |
| # | |
| # A jail running on one of the compute nodes with address 192.168.0.118 is to be | |
| # accessible from the outside (using redirect_addr 192.168.0.118 | |
| # 129.173.118.118). The address 129.173.118.118 is an alias for the WAN | |
| # interface that will only be used to direct traffic to this jail. | |
| # | |
| # Incoming traffic on port 44622 should be redirected to port 22 on the compute | |
| # node with address 192.168.0.101. | |
| # | |
| # No outgoing traffic is to be blocked from either the master node or the | |
| # compute nodes. | |
| # Ensure net.inet.ip.fw.one_pass is set to 0 | |
| cmd="/sbin/ipfw -q" | |
| lanif="bge0" | |
| wanif="bge1" | |
| # flush existing rules | |
| $cmd -f flush | |
| # incoming nat | |
| $cmd nat 1 config if $wanif \ | |
| reset \ | |
| same_ports \ | |
| unreg_only \ | |
| redirect_port tcp 192.168.0.101:22 44622 \ | |
| redirect_addr 192.168.0.118 129.173.118.118 | |
| # set up loopback | |
| $cmd add allow all from any to any via lo0 | |
| $cmd add deny all from any to 127.0.0.0/8 | |
| $cmd add deny ip from 127.0.0.0/8 to any | |
| # no restrictions on bridge0 or tun0 | |
| $cmd add allow all from any to any via bridge0 | |
| $cmd add allow all from any to any via tun0 | |
| # no restrictions on lanif | |
| $cmd add allow all from any to any via $lanif | |
| # catch spoofing from outside | |
| $cmd add deny ip from any to any in not antispoof | |
| # incoming traffic that needs nat | |
| $cmd add nat 1 ip4 from any to me in recv $wanif | |
| # this rule must be directly after incoming nat | |
| $cmd add check-state | |
| # outgoing traffic to block here | |
| # allow all other outgoing connections by skipping processing to the outbound nat rule, 10000 | |
| $cmd add skipto 10000 tcp from any to any out xmit $wanif setup keep-state | |
| $cmd add skipto 10000 udp from any to any out xmit $wanif keep-state | |
| # incoming | |
| $cmd add allow tcp from any to me 80,443,44422 in recv $wanif setup keep-state | |
| # Rules for allowing packets to services which are listening on a LAN interface behind the NAT | |
| $cmd add skipto 10000 tcp from any to any 44622 in recv $wanif setup keep-state | |
| # nat for outgoing packets | |
| $cmd add 10000 nat 1 ip4 from any to any out xmit $wanif | |
| #$cmd add 10000 nat 1 ip4 from 192.168.0.0/24 to any out | |
| # allow anything else | |
| $cmd add allow ip from any to any via $wanif |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment