@nileshgr
Last active June 11, 2021 11:58
IPFW rules for internal and external networking in FreeBSD jails
#!/bin/sh
alias ipfw=/sbin/ipfw
ipfw -f flush
# Make sure you have ipfw_nat_load=yes in loader.conf
# Map port 2201 on first public IP to first jail's port 22
ipfw nat 1 config ip <public ip> unreg_only same_ports redirect_port tcp 192.168.0.1:22 2201
# Allow local loopback traffic
ipfw add 100 allow ip from any to any via lo0
# Allow jail -> host and jail <-> jail traffic on the internal lo1 interface
ipfw add 101 allow ip from 192.168.0.0/27 to me via lo1
ipfw add 102 allow ip from 192.168.0.0/27 to 192.168.0.0/27 via lo1
# NAT rule for jail1 port 22
ipfw add 103 nat 1 ip from any to any via re0
### Taken from handbook
# Deny all inbound traffic from non-routable reserved address spaces
ipfw add 200 deny all from 192.168.0.0/16 to any in via re0 #RFC 1918 private IP
ipfw add 201 deny all from 172.16.0.0/12 to any in via re0 #RFC 1918 private IP
ipfw add 202 deny all from 10.0.0.0/8 to any in via re0 #RFC 1918 private IP
ipfw add 203 deny all from 127.0.0.0/8 to any in via re0 #loopback
ipfw add 204 deny all from 0.0.0.0/8 to any in via re0 #"this" network (RFC 1122), never valid as a source on re0
ipfw add 205 deny all from 169.254.0.0/16 to any in via re0 #DHCP auto-config
ipfw add 206 deny all from 192.0.2.0/24 to any in via re0 #reserved for docs
ipfw add 207 deny all from 204.152.64.0/23 to any in via re0 #Sun cluster interconnect
ipfw add 208 deny all from 224.0.0.0/3 to any in via re0 #Class D & E multicast
# Stateful
ipfw add 300 check-state
# Permit out traffic
ipfw add 400 allow tcp from any to any out setup keep-state
ipfw add 401 allow ip from any to any out keep-state
# Fail2Ban IPFW-SSH
ipfw add 500 deny tcp from 'table(1)' to me dst-port 22 in
# Allow incoming ports and ICMP echo-request
ipfw add 600 allow tcp from any to any dst-port 80,443,22 in setup keep-state
ipfw add 601 allow icmp from any to any icmptypes 8 in keep-state
# Allow jail ports
ipfw add 700 allow tcp from any to any dst-port 2201 in setup keep-state
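Two ordering details decide whether the ruleset above actually filters anything: ipfw stops at the first matching rule, and with net.inet.ip.fw.one_pass=1 (the default) a packet leaving the nat action at rule 103 is not reinjected into the ruleset, so rules 200 and up are never evaluated for traffic via re0. The following audit helper is an added example, not part of the gist; it reads rule lines in the same "ipfw add N action ..." form used above (the sample set below is constructed from this script's own rules) together with the value of sysctl net.inet.ip.fw.one_pass, and reports the two problems.

```shell
#!/bin/sh
# Added audit helper for the ruleset above (not part of the original gist).
# Input: rule lines in "ipfw add N action ..." form, and the one_pass sysctl value.

# Constructed sample: the gist's own rules that matter for the two checks
# (the table(1) quoting is shown as it looks after shell expansion).
SAMPLE='ipfw add 100 allow ip from any to any via lo0
ipfw add 103 nat 1 ip from any to any via re0
ipfw add 200 deny all from 192.168.0.0/16 to any in via re0
ipfw add 300 check-state
ipfw add 500 deny tcp from table(1) to me dst-port 22 in
ipfw add 600 allow tcp from any to any dst-port 80,443,22 in setup keep-state'

# audit_rules RULES ONE_PASS: prints one line per finding, returns their count.
audit_rules() {
    _rules=$1; _one_pass=$2; _n=0
    # Check 1: with net.inet.ip.fw.one_pass=1 the packet is accepted right after
    # the nat action, so every rule numbered above the nat rule is skipped for
    # traffic via that interface (ipfw(8), NAT section).
    _nat=$(printf '%s\n' "$_rules" | awk '$4 == "nat" { print $3; exit }')
    if [ -n "$_nat" ] && [ "$_one_pass" = "1" ]; then
        echo "rule $_nat: nat with one_pass=1 skips every later rule; set net.inet.ip.fw.one_pass=0"
        _n=$((_n + 1))
    fi
    # Check 2: the Fail2Ban table deny only works if its number is lower than
    # the rule allowing inbound port 22, because the first match wins.
    _deny=$(printf '%s\n' "$_rules" | awk '$4 == "deny" && /table\(1\)/ { print $3; exit }')
    _allow=$(printf '%s\n' "$_rules" | awk '
        $4 == "allow" && / in( |$)/ {
            for (i = 5; i <= NF; i++) if ($i == "dst-port") {
                n = split($(i + 1), p, ",")
                for (j = 1; j <= n; j++) if (p[j] == "22") { print $3; exit }
            }
        }')
    if [ -n "$_deny" ] && [ -n "$_allow" ] && [ "$_deny" -gt "$_allow" ]; then
        echo "rule $_deny: table(1) deny sits after rule $_allow allowing inbound port 22, so banned hosts are still admitted"
        _n=$((_n + 1))
    fi
    return "$_n"
}
```

On the host itself, feed it the live values: audit_rules "$(grep '^ipfw add' /path/to/this/script)" "$(sysctl -n net.inet.ip.fw.one_pass)".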