Changeset 10136 in hybrid for trunk/nanobsd/files/etc/ipfw.sh

Timestamp:

Mar 12, 2012, 6:32:43 AM (13 years ago)

Author:

richardvm

Message:

domme toevoeging van proxy files

File:

• trunk/nanobsd/files/etc/ipfw.sh (modified) (3 diffs)

trunk/nanobsd/files/etc/ipfw.sh

@@ -1 +1 @@
 #!/bin/sh -
+# Based on /etc/rc.firewall
+#
+# Credits: Richard van Mansom, Rick van der Zwet
 
-# Based on /etc/rc.firewall
+
+allowed2internet="80,443"
+maxconnections="10"
+
+RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+WLNET='172.16.0.0/12'
 
 # Suck in the configuration variables.
@@ -34 +42 @@
 esac
 
+###########
+# Set Internal/External Interface
+#
+driver=`echo ${internalif} | sed 's/[0-9]*//g'`
+seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+
+if [ ${seq} = 0 ]; then
+  seq=`expr ${seq} \+ 1`
+else
+  seq=`expr ${seq} \- 1`
+fi
+
+externalif="$driver$seq"
+
+# Get interface Addresses
+externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
+internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
 ############
 # Flush out the list before we begin.
@@ -41 +66 @@
 setup_loopback
 
-############
-
-# By default no firewalling
-${fwcmd} add 65000 pass all from any to any
-
-# Transproxy/WLportal/Captive portal
-${fwcmd} add 10000 allow tcp from any to localhost 80
-${fwcmd} add 10001 allow tcp from any to me 80
 
 ############
-# Reserved: Whitelist rule numbers
-# 10002 - 10009
-NR=10002
-  for IP in $captive_portal_whitelist; do
-  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
-  NR=`expr $NR + 1`
+# Block the hosters network (and maybe others)
+for IP in ${firewall_block}
+do
+  ${fwcmd} add deny ip from any to ${IP} in via $internalif
 done
 
 ############
-# Reserved: WLPortal rule numbers
-# 10010 - 10099
+# Statefull filewall in use
+${fwcmd} add check-state
 
-# Forward rules work without a base address, so needed a loop over all inet4 adresses
-for INF in $captive_portal_interfaces; do
-  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
-done
+# Allow anything originating from me
+${fwcmd} add allow ip from me to any keep-state
+
+
+#############
+# Outbound NAT setup
+# WL Net -> Internet
+${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
+${fwcmd} add nat 100 all from any to $externalip in recv $externalif
+${fwcmd} nat 100 config if $externalif
+
+# Subnet Internet is allowed
+${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
+
+
+#############
+# Internal Network -> WL Net
+# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
+${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
+${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
+${fwcmd} nat 200 config if $internalif
+
+# Allow all traffic inbound
+${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
+
+
+#############
+## Services in use
+## Allow on external interface
+external_allow_tcp="ssh"
+${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
+
+## Allow on internal interface
+internal_allow_tcp="ssh,domain,3128"
+internal_allow_udp="ntp,domain,snmp,12345"
+${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
+${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
+
+# Basic ICMP managment traffic
+${fwcmd} add allow icmp from any to me icmptype 8
+${fwcmd} add allow icmp from me to any icmptype 3,4,11
+
+
+#############
+# Block anything else
+${fwcmd} add 65000 deny log logamount 500 ip from any to any
+