source: hybrid/branches/releng-11/nanobsd/files/etc/ipfw_gateway.sh@ 13724

Last change on this file since 13724 was 13460, checked in by huub, 9 years ago

dit is het proxy firewall script van de 9.0 proxy

#!/bin/sh -
# Based on the idea of /etc/rc.firewall
#
# NOTE: Consider implementing IPv6 as a solution before even thinking about using
# NOTE: these (advanced) firewall rules.
#
# Firewall solution for Wireless Leiden ``iLeiden'' setup.
#
# This firewall is configured to be a 2-NAT solution, to be used in a setup
# where this box can reach the INET via the HOSTERNET network, connected on
# ``externalif'', and the WLNET network is connected on ``internalif''.
#
# a) This will provide rate-limited NAT support for the WLNET to specific ports
# on the internet.
# b) Provide NAT support for HOSTERNET machines to access WLNET.
# c) Secures the HOSTERNET from abuse from the WLNET.
#
# Richard van Mansom <richard@vanmansom.net>
# Rick van der Zwet - <info@rickvanderzwet.nl>


22allowed2internet="80,443"
23maxconnections="10"
24
25WLNET=172.16.0.0/12
26
27# Suck in the configuration variables.
28if [ -z "${source_rc_confs_defined}" ]; then
29 if [ -r /etc/defaults/rc.conf ]; then
30 . /etc/defaults/rc.conf
31 source_rc_confs
32 elif [ -r /etc/rc.conf ]; then
33 . /etc/rc.conf
34 fi
35fi
36
37setup_loopback () {
38 ############
39 # Only in rare cases do you want to change these rules
40 #
41 ${fwcmd} add 100 pass all from any to any via lo0
42 ${fwcmd} add 200 deny all from any to 127.0.0.0/8
43 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
44}
45
46############
47# Set quiet mode if requested
48#
49case ${firewall_quiet} in
50[Yy][Ee][Ss])
51 fwcmd="/sbin/ipfw -q"
52 ;;
53*)
54 fwcmd="/sbin/ipfw"
55 ;;
56esac
57
58logcount=500
59case ${firewall_verbose} in
60[Yy][Ee][Ss])
61 log="log"
62 ;;
63*)
64 log=""
65 ;;
66esac
67
68###########
69# Set Internal/External Interface
70#
71driver=`echo ${internalif} | sed 's/[0-9]*//g'`
72seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
73
74if [ ${seq} = 0 ]; then
75 seq=`expr ${seq} \+ 1`
76else
77 seq=`expr ${seq} \- 1`
78fi
79
80externalif="$driver$seq"
81
82# Get public ip
83externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
84internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
85
86#XXX: Ugly hack, make me dynamic
87HOSTERNET=${HOSTERNET:-$externalip/24}
88
89echo "# [INFO] Internal (wleiden ) Interface: $internalif ($internalip) - $WLNET"
90echo "# [INFO] External (internet) Interface: $externalif ($externalip) - $HOSTERNET"
91
92############
93# Flush out the list before we begin.
94#
95${fwcmd} -f flush
96
97setup_loopback
98
99############
100# Block any traffic from WL to the hosters network (and maybe others)
101for IP in ${firewall_block} 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
102do
103 ${fwcmd} add deny log logamount $logcount ip from any to ${IP} recv $internalif xmit $externalip setup
104done
105
106#############
107# ICMP RULES
108# Allow ICMP from and to me
109${fwcmd} add allow $log icmp from any to me
110${fwcmd} add allow $log icmp from me to any
111
112# From ICMP only allow limited ICMP types to receive to the hosters network
113${fwcmd} add allow $log icmp from $WLNET to $HOSTERNET icmptype 0
114${fwcmd} add allow $log icmp from $HOSTERNET to $WLNET
115
116# Block any other ICMP traffic
117${fwcmd} add deny log logamount $logcount icmp from any to any
118
119
120
121#############
122# Stateful firewalling
123${fwcmd} add check-state
124${fwcmd} add allow tcp from any to any established
125
126# Transparant proxy HTTP,HTTPS
127${fwcmd} add allow $log tcp from $WLNET to any $allowed2internet setup limit src-addr $maxconnections
128
129# Allow anything originating from me
130${fwcmd} add allow $log tcp from me to any setup keep-state
131${fwcmd} add allow $log udp from me to any keep-state
132# Special Rules for HOSTERNET
133${fwcmd} add allow $log tcp from $HOSTERNET to $WLNET setup keep-state
134${fwcmd} add allow $log udp from $HOSTERNET to $WLNET keep-state
135
136## INTERNAL INTERFACE
137# TCP: ssh,domain,http,http-proxy,lvrouted
138${fwcmd} add allow $log tcp from $WLNET to me 22,53,80,3128,12345 setup keep-state
139# UDP: domain,ntp,snmp,lvrouted
140${fwcmd} add allow $log udp from $WLNET to me 53,131,161,12345 keep-state
141
142## EXTERNAL INTERFACE
143# TCP: ssh,domain
144${fwcmd} add allow $log tcp from any to me 22,53 setup keep-state
145# UDP: domain,snmp
146${fwcmd} add allow $log udp from $WLNET to me 53,161 keep-state
147
148#############
149# Outbound NAT setup
150${fwcmd} add nat 100 $log all from $WLNET to any 80,443 out recv $internalif xmit $externalif
151${fwcmd} add nat 100 $log all from any 80,443 to $externalip in recv $externalif
152${fwcmd} nat 100 config $log if $externalif
153
154#############
155# Inbound NAT setup
156${fwcmd} add nat 200 $log all from $HOSTERNET to $WLNET out recv $externalif xmit $internalif
157${fwcmd} add nat 200 $log all from $WLNET to $internalip in recv $internalif
158${fwcmd} nat 200 config $log if $internalif
159
160#############
161# Block anything else
162${fwcmd} add 65000 deny log logamount $logcount ip from any to any