close Warning: Can't use blame annotator: 
No changeset 7057 in the repository

source: hybrid/trunk/nanobsd/files/etc/ipfw.sh@ 10136

Last change on this file since 10136 was 10136, checked in by richardvm, 13 years ago

domme toevoeging van proxy files
  • Property svn:eol-style set to LF
  • Property svn:executable set to *
File size: 3.1 KB
RevLine 
1#!/bin/sh -
2# Based on /etc/rc.firewall
3#
4# Credits: Richard van Mansom, Rick van der Zwet
5
6
7allowed2internet="80,443"
8maxconnections="10"
9
10RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
11WLNET='172.16.0.0/12'
12
13# Suck in the configuration variables.
14if [ -z "${source_rc_confs_defined}" ]; then
15 if [ -r /etc/defaults/rc.conf ]; then
16 . /etc/defaults/rc.conf
17 source_rc_confs
18 elif [ -r /etc/rc.conf ]; then
19 . /etc/rc.conf
20 fi
21fi
22
23setup_loopback () {
24 ############
25 # Only in rare cases do you want to change these rules
26 #
27 ${fwcmd} add 100 pass all from any to any via lo0
28 ${fwcmd} add 200 deny all from any to 127.0.0.0/8
29 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
30}
31
32############
33# Set quiet mode if requested
34#
35case ${firewall_quiet} in
36[Yy][Ee][Ss])
37 fwcmd="/sbin/ipfw -q"
38 ;;
39*)
40 fwcmd="/sbin/ipfw"
41 ;;
42esac
43
44###########
45# Set Internal/External Interface
46#
47driver=`echo ${internalif} | sed 's/[0-9]*//g'`
48seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
49
50if [ ${seq} = 0 ]; then
51 seq=`expr ${seq} \+ 1`
52else
53 seq=`expr ${seq} \- 1`
54fi
55
56externalif="$driver$seq"
57
58# Get interface Addresses
59externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
60internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
61############
62# Flush out the list before we begin.
63#
64${fwcmd} -f flush
65
66setup_loopback
67
68
69############
70# Block the hosters network (and maybe others)
71for IP in ${firewall_block}
72do
73 ${fwcmd} add deny ip from any to ${IP} in via $internalif
74done
75
76############
77# Statefull filewall in use
78${fwcmd} add check-state
79
80# Allow anything originating from me
81${fwcmd} add allow ip from me to any keep-state
82
83
84#############
85# Outbound NAT setup
86# WL Net -> Internet
87${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
88${fwcmd} add nat 100 all from any to $externalip in recv $externalif
89${fwcmd} nat 100 config if $externalif
90
91# Subnet Internet is allowed
92${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
93
94
95#############
96# Internal Network -> WL Net
97# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
98${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
99${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
100${fwcmd} nat 200 config if $internalif
101
102# Allow all traffic inbound
103${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
104
105
106#############
107## Services in use
108## Allow on external interface
109external_allow_tcp="ssh"
110${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
111
112## Allow on internal interface
113internal_allow_tcp="ssh,domain,3128"
114internal_allow_udp="ntp,domain,snmp,12345"
115${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
116${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
117
118# Basic ICMP managment traffic
119${fwcmd} add allow icmp from any to me icmptype 8
120${fwcmd} add allow icmp from me to any icmptype 3,4,11
121
122
123#############
124# Block anything else
125${fwcmd} add 65000 deny log logamount 500 ip from any to any
126
Note: See TracBrowser for help on using the repository browser.