Created
June 6, 2011 10:25
-
-
Save rwoeber/1010044 to your computer and use it in GitHub Desktop.
rather minimalistic ipfw rule-script (FreeBSD)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # see http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/ | |
| # do not forget to set right ip! | |
| ip="my.ip.address" | |
| IPF="ipfw -q add" | |
| setup_loopback | |
| Allow anything outbound from this address. | |
| ${IPF} allow all from ${ip} to any out | |
| # Deny anything outbound from other addresses. | |
| ${IPF} deny log all from any to any out | |
| # Allow TCP through if setup succeeded. | |
| ${IPF} allow tcp from any to any established | |
| # Allow IP fragments to pass through. | |
| ${IPF} allow all from any to any frag | |
| # Allow all IPv6 packets through - they are handled by the separate | |
| # ipv6 firewall rules in rc.firewall6. | |
| ${IPF} allow ipv6 from any to any | |
| # Allow inbound ssh, email, tcp-dns, http, https, imap, imaps, | |
| # pop3, pop3s. | |
| ${IPF} allow tcp from any to ${ip} 22 setup | |
| ${IPF} allow tcp from any to ${ip} 222 setup | |
| ${IPF} allow tcp from any to ${ip} 25 setup | |
| ${IPF} allow tcp from any to ${ip} 53 setup | |
| ${IPF} allow tcp from any to ${ip} 80 setup | |
| ${IPF} allow tcp from any to ${ip} 443 setup | |
| ${IPF} allow tcp from any to ${ip} 143 setup | |
| ${IPF} allow tcp from any to ${ip} 993 setup | |
| ${IPF} allow tcp from any to ${ip} 110 setup | |
| ${IPF} allow tcp from any to ${ip} 995 setup | |
| # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol | |
| # without logging. | |
| ${IPF} reset tcp from any to ${ip} 113 setup | |
| ${IPF} reset tcp from any to ${ip} 139 setup | |
| ${IPF} reset tcp from any to ${ip} 389 setup | |
| ${IPF} reset tcp from any to ${ip} 445 setup | |
| # Deny some chatty UDP broadcast protocols without logging. | |
| ${IPF} deny udp from any 137 to any | |
| ${IPF} deny udp from any to any 137 | |
| ${IPF} deny udp from any 138 to any | |
| ${IPF} deny udp from any 513 to any | |
| ${IPF} deny udp from any 525 to any | |
| # Allow inbound DNS and NTP replies. This is somewhat of a hole, | |
| # since we're looking at the incoming port number, which can be | |
| # faked, but that's just the way DNS and NTP work. | |
| ${IPF} allow udp from any 53 to ${ip} | |
| ${IPF} allow udp from any 123 to ${ip} | |
| # Allow inbound DNS queries. | |
| ${IPF} allow udp from any to ${ip} 53 | |
| # Allow inbound NTP queries. | |
| ${IPF} allow udp from any to ${ip} 123 | |
| # Allow traceroute to function, but not to get in. | |
| ${IPF} unreach port udp from any to ${ip} 33435-33524 | |
| # Allow some inbound icmps - echo reply, dest unreach, source quench, | |
| # echo, ttl exceeded. | |
| ${IPF} allow icmp from any to any icmptypes 0,3,4,8,11 | |
| # Everything else is denied and logged. | |
| ${IPF} deny log all from any to any |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment