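#!/bin/sh -
#
# ipfw rule set for a gateway between a wireless network (WLNET, reached
# through the "internal" interface) and the hoster's network / Internet
# (reached through the "external" interface).  Based on /etc/rc.firewall.
#
# Credits: Richard van Mansom, Rick van der Zwet
#
# Configuration, normally taken from rc.conf:
#   internalif      - interface facing WLNET.  The external interface is the
#                     same driver with the neighbouring unit number (see
#                     derive_externalif below).
#   firewall_block  - whitespace separated list of addresses/networks that
#                     WLNET clients must not reach.
#   firewall_quiet  - "yes" to run ipfw with -q.

# TCP ports WLNET clients may reach on the Internet.
allowed2internet="80,443"
# Cap on concurrent outbound TCP connections per WLNET client address
# (enforced with "limit src-addr").
maxconnections="10"
RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
# The wireless network; note that it is itself contained in RFC1918_nets.
WLNET='172.16.0.0/12'

############
# Suck in the configuration variables.
#
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

#######################################
# Loopback rules: pass everything on lo0 and refuse 127/8 anywhere else.
# Only in rare cases do you want to change these rules.
# Globals: fwcmd (read at call time)
#######################################
setup_loopback () {
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

#######################################
# Derive the external interface name from the internal one: same driver,
# unit 0 -> 1, any other unit -> unit - 1 (em0 -> em1, em3 -> em2).
# Arguments: $1 - internal interface name
# Outputs:   external interface name on stdout
# Returns:   0 on success, 1 when $1 carries no unit number
#######################################
derive_externalif () {
	_drv=$(printf '%s' "$1" | sed 's/[0-9]*//g')
	_unit=$(printf '%s' "$1" | sed 's/[a-zA-Z]*//g')
	case "${_unit}" in
	'' | *[!0-9]*)
		return 1
		;;
	0)
		printf '%s\n' "${_drv}1"
		;;
	*)
		printf '%s\n' "${_drv}$((_unit - 1))"
		;;
	esac
}

############
# Set quiet mode if requested
#
# fwcmd may expand to two words ("/sbin/ipfw -q"), so it is deliberately
# left unquoted wherever it is used.
case "${firewall_quiet}" in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

###########
# Set Internal/External Interface
#
# Without a usable external interface name every "via"/"recv"/"xmit" rule
# below is malformed and silently not installed; say so on stderr.  The final
# deny-all rule still loads, so the failure mode is closed, not open.
externalif=$(derive_externalif "${internalif}") ||
	printf '%s\n' "$0: cannot derive the external interface from internalif='${internalif}'" >&2

# Get interface Addresses: the first IPv4 address of each interface.  The
# keyword is matched exactly because a pattern like /inet/ also matches the
# "inet6" lines of ifconfig output and would hand ipfw two addresses.
externalip=$(ifconfig "${externalif}" | awk '$1 == "inet" { print $2; exit }')
internalip=$(ifconfig "${internalif}" | awk '$1 == "inet" { print $2; exit }')
if [ -z "${externalip}" ] || [ -z "${internalip}" ]; then
	printf '%s\n' "$0: warning: no IPv4 address found on '${externalif}' or '${internalif}'; the nat rules will not load" >&2
fi

############
# Flush out the list before we begin.
#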
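${fwcmd} -f flush

setup_loopback

############
# Block the hosters network (and maybe others): nothing from WLNET may reach
# an address listed in firewall_block.  The list is whitespace separated, so
# the expansion is unquoted on purpose.
#
for IP in ${firewall_block}
do
	${fwcmd} add deny ip from any to "${IP}" in via "${internalif}"
done

############
# Stateful firewall in use.
# NOTE(review): check-state sits in front of the nat rules below.  The "limit"
# rule for WLNET installs a dynamic rule on the inbound pass of a packet; if
# that dynamic rule also matches the same packet on its outbound pass, the
# nat 100 rule is never reached and the packet leaves untranslated.  Confirm on
# a live node that WLNET traffic leaves with ${externalip} as source; if it
# does not, the nat rules have to move ahead of check-state.
#
${fwcmd} add check-state

# Allow anything originating from this host.  "me" matches the source address
# regardless of direction, so the rule is restricted to outbound packets:
# without "out" an inbound packet forged with one of our own addresses as
# source would be accepted here and would install state.
${fwcmd} add allow ip from me to any out keep-state

#############
# Outbound NAT setup
# WL Net -> Internet
#
# Configure the nat instance before any rule refers to it.
${fwcmd} nat 100 config if "${externalif}"
${fwcmd} add nat 100 all from "${WLNET}" to any out recv "${internalif}" xmit "${externalif}"
${fwcmd} add nat 100 all from any to "${externalip}" in recv "${externalif}"

# WLNET may open TCP connections to the Internet on allowed2internet only,
# with at most maxconnections concurrent connections per client address.
${fwcmd} add allow tcp from "${WLNET}" to any "${allowed2internet}" in via "${internalif}" setup limit src-addr "${maxconnections}"

#############
# Internal Network -> WL Net
# Inbound NAT setup, to allow the proxy device to be used as gateway from the
# Internal Network to WL.
#
${fwcmd} nat 200 config if "${internalif}"
${fwcmd} add nat 200 all from "${RFC1918_nets}" to "${WLNET}" out recv "${externalif}" xmit "${internalif}"
${fwcmd} add nat 200 all from "${WLNET}" to "${internalip}" in recv "${internalif}"

# Allow all traffic inbound from the internal (RFC 1918) side towards WLNET.
# NOTE(review): WLNET is itself inside RFC1918_nets, so this rule also accepts
# packets arriving on ${externalif} whose source claims to be a WLNET address;
# there is no ingress filter on the external interface.  Narrow the source
# list to the hoster's actual network if it is known.
${fwcmd} add allow all from "${RFC1918_nets}" to "${WLNET}" in recv "${externalif}" keep-state

#############
## Services in use
## Allow on external interface: ssh from anywhere.  There is no per-source
## connection cap here; add "limit src-addr" if brute-force noise is a concern.
external_allow_tcp="ssh"
${fwcmd} add allow tcp from any to me "${external_allow_tcp}" via "${externalif}" setup keep-state

## Allow on internal interface: ssh, DNS and the proxy (3128) over TCP;
## NTP, DNS, SNMP and port 12345 (purpose not documented here) over UDP.
internal_allow_tcp="ssh,domain,3128"
internal_allow_udp="ntp,domain,snmp,12345"
${fwcmd} add allow udp from "${WLNET}" to me "${internal_allow_udp}" via "${internalif}" keep-state
${fwcmd} add allow tcp from "${WLNET}" to me "${internal_allow_tcp}" via "${internalif}" setup keep-state

# Basic ICMP management traffic: answer pings, accept and emit ICMP errors.
# Dynamic rules only cover the TCP/UDP flow itself, not the ICMP errors that
# belong to it, so unreachable/source-quench/time-exceeded messages addressed
# to this host have to be allowed explicitly or path-MTU discovery for our own
# connections breaks.  ICMP errors for NAT'ed WLNET clients are still dropped
# by the final rule.
${fwcmd} add allow icmp from any to me icmptype 8
${fwcmd} add allow icmp from any to me icmptype 3,4,11 in
${fwcmd} add allow icmp from me to any icmptype 3,4,11 out

#############
# Block anything else; logamount caps how many hits this rule logs.
${fwcmd} add 65000 deny log logamount 500 ip from any to any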