ipfw の設定メモ (ipfw configuration notes: policy-routed multi-homed FreeBSD host, ruleset plus the matching rc.conf lines)
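#!/bin/sh
# /usr/local/etc/ipfw.rules
#
# ipfw ruleset for a multi-homed host: one (lagg) interface carrying three
# addresses, each with its own upstream gateway.  Loaded by rc(8) through
# firewall_script="/usr/local/etc/ipfw.rules" in /etc/rc.conf.
#
# Policy: everything this host initiates is allowed and tracked with
# keep-state; inbound traffic is accepted only for the services listed in
# the "port" section; everything else is dropped and logged.
#
# NOTE: the flush below empties the running ruleset first, so run the file
# as a whole (sh /usr/local/etc/ipfw.rules), never line by line over SSH.

### default network
IF="lagg0"
GW="192.168.0.254"
IP="192.168.0.10"
### alias network #1
ALIAS1_GW="192.168.100.254"
ALIAS1_IP="192.168.100.10"
### alias network #2
ALIAS2_GW="192.168.200.254"
ALIAS2_IP="192.168.200.10"

### rules
IPF="ipfw -q add"
ipfw -q -f flush
# cap log lines per logging rule so the final "deny log" cannot flood syslog
sysctl net.inet.ip.fw.verbose_limit=15

###########################################################
# forward (policy routing): traffic sourced from each local address is
# handed to that address's own gateway.
#
# fwd is a terminating action: a matching packet is accepted and no later
# rule (check-state, the port list, the final deny) ever sees it.  The
# rules are therefore limited to packets leaving via ${IF}; without "out"
# an inbound packet spoofing one of our own addresses would match here
# and be accepted before any other check, and loopback traffic addressed
# to our own IPs would be redirected to the gateway as well.
#
# NOTE(review): packets to neighbours on the interface's own subnet are
# also sent via the gateway; add "not <subnet>" to the destination if
# that matters (subnet masks are not recorded here -- confirm).
#
# check / ICMP echo request & ICMP echo reply
# tcpdump -i lagg0 -nl icmp      (or on a member port of the lagg)
# check / matching fwd-rules counter
# ipfw show / ipfw -a list
###########################################################
$IPF 00010 fwd ${GW} ip from ${IP} to any out via ${IF}
$IPF 00020 fwd ${ALIAS1_GW} ip from ${ALIAS1_IP} to any out via ${IF}
$IPF 00030 fwd ${ALIAS2_GW} ip from ${ALIAS2_IP} to any out via ${IF}
###########################################################
### loopback / basic sanity
###########################################################
$IPF 00110 allow all from any to any via lo0
# 127/8 must never appear on a real interface in either direction
$IPF 00120 deny all from any to 127.0.0.0/8
$IPF 00130 deny all from 127.0.0.0/8 to any
# TCP fragments can hide the flags the rules below look at; drop them
$IPF 00140 deny tcp from any to any frag
###########################################################
### stateful
###########################################################
# packets belonging to a connection tracked by a keep-state rule
$IPF 00150 check-state
# NOTE(review): "established" accepts any TCP segment with ACK or RST set
# regardless of tracked state (the classic ipfw ACK bypass).  It is kept
# because it is what keeps an already-open admin session alive across a
# flush; once every inbound service rule uses "setup keep-state" and the
# ruleset is only reloaded from the console, drop this rule.
$IPF 00160 allow tcp from any to any established
# anything this host initiates, with state for the replies
$IPF 00170 allow all from any to any out keep-state
# ICMP: echo reply (0), destination unreachable (3, includes the
# fragmentation-needed code PMTUD relies on), echo request (8),
# time exceeded (11).  Redirect, router advertisement, timestamp and
# the rest fall through to the final deny.
$IPF 00180 allow icmp from any to any icmptypes 0,3,8,11
###########################################################
### port (rule_number => 30000 + port_number)
###
### Only the inbound side needs a rule here: outbound client traffic
### already matches rule 00170, so a "... N out" rule at 3xxxx is never
### reached.  "setup keep-state" accepts only the initial SYN and tracks
### the rest of the connection via rule 00150; UDP services use plain
### keep-state.
###########################################################
### ftp (20,21)
# $IPF 30020 allow tcp from any to any 20 in setup keep-state
# $IPF 30021 allow tcp from any to any 21 in setup keep-state
### ssh (22)
# NOTE(review): open to the world; narrow "from any" to the admin
# networks where they are known.
$IPF 30022 allow tcp from any to any 22 in setup keep-state
### mail,submission (25,587)
# $IPF 30025 allow tcp from any to any 25 in setup keep-state
# $IPF 30587 allow tcp from any to any 587 in setup keep-state
### dns (53)
# $IPF 30053 allow udp from any to any 53 in keep-state
# $IPF 30053 allow tcp from any to any 53 in setup keep-state
### http,https (80,443)
# $IPF 30080 allow tcp from any to any 80 in setup keep-state
# $IPF 30443 allow tcp from any to any 443 in setup keep-state
### ntp (123) -- NTP is UDP, not TCP
# $IPF 30123 allow udp from any to any 123 in keep-state
### imaps,pop3s (993,995)
# $IPF 30993 allow tcp from any to any 993 in setup keep-state
# $IPF 30995 allow tcp from any to any 995 in setup keep-state
###########################################################
# deny and log everything else (log volume is bounded by verbose_limit)
###########################################################
$IPF 65000 deny log all from any to any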
# /etc/rc.conf
### service
# Start ipfw at boot and have rc(8) load our own script rather than a
# built-in profile.
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
# Presumably turns on kernel verbose logging so the "deny log" rule in
# the script reaches syslog -- see rc.conf(5); the per-rule cap
# (verbose_limit) is set inside the script itself.
firewall_logging="YES"