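#!/bin/sh
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
# ipfw -vated list
#
# IPFW rule set for a gateway with userland natd(8): traffic arriving on
# the local tunnel interface ($lif) is NATed out through the external
# epair interface ($rif).  Outbound stateful rules jump to $skip_to, where
# the outbound divert to natd lives.
#
# IPFW configuration
#sysrc firewall_enable="YES"
#sysrc firewall_logif="YES"
#sysrc firewall_script="/mnt/config/ipfw.rules"
#
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
#sysrc natd_interface="epair0b"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#
#natd.conf:
#redirect_port tcp 172.16.0.100:21-23 21-23

# Stop at the first rule ipfw rejects and on any unset variable.  The list
# is flushed below, so continuing past a bad rule would silently leave a
# partial rule set loaded; stopping instead leaves everything after the
# failed rule to the default 65535 deny.
set -eu

readonly lif="tun186"   # interface name of tunnel attached to Local network
readonly rif="epair0b"  # interface name of vnet attached to Remote/external network
readonly skip_to=12000  # rule number the outbound stateful rules skip to (divert natd out)

# Insert one rule.  Every rule below goes through this wrapper so the
# ipfw invocation is defined in exactly one place.
# Arguments: the rule number followed by the rule body, as ipfw(8) expects.
add() {
  ipfw -q add "$@"
}

# Flush out the list before we begin.
ipfw -q -f flush

# gateway_enable already set in rc.conf
# sysctl net.inet.ip.forwarding=1

# Packets passing the stateful NAT may be re-injected into the firewall
# sysctl net.inet.ip.fw.one_pass=0
ipfw disable one_pass

# functionality is included in the divert action
#ipfw -q nat 1 config if $rif same_ports unreg_only reset

add 00050 allow ip from any to any via "$lif"
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 deny ip from any to ::1
add 00500 deny ip from ::1 to any
add 00600 allow ipv6-icmp from :: to ff02::/16
add 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 00900 allow ipv6-icmp from any to any icmp6types 1
add 01000 allow ipv6-icmp from any to any icmp6types 2,135,136

# The reassemble rule is not needed with userland natd(8)
# because the internal workings of the IPFW divert action
# takes care of reassembling packets before delivery to the socket
#add 01100 reass all from any to any in

add 01200 divert natd ip from any to any in via "$rif"   # NAT any inbound packets

# Allow the packet through if it has an existing entry in the dynamic rules table
add 01300 check-state

# Allow access to DNS
add 02110 skipto "$skip_to" tcp from any to 192.168.0.5 53 out via "$rif" setup keep-state
add 02111 skipto "$skip_to" udp from any to 192.168.0.5 53 out via "$rif" keep-state
add 02112 skipto "$skip_to" tcp from any to fd01::5 53 out via "$rif" setup keep-state
add 02113 skipto "$skip_to" udp from any to fd01::5 53 out via "$rif" keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
#add 02120 skipto "$skip_to" log udp from any to any 67 out via "$rif" keep-state
#add 02120 skipto "$skip_to" udp from any to x.x.x.x 67 out via "$rif" keep-state

# Allow outbound ping
add 02210 skipto "$skip_to" icmp from any to any out via "$rif" keep-state

# Allow outbound NTP
add 02220 skipto "$skip_to" udp from any to any 123 out via "$rif" keep-state

# Allow outbound TCP traffic
add 02500 skipto "$skip_to" tcp from any to any 20,22,25,80,443 out via "$rif" setup keep-state   # 03720 pasv ftp

# deny and log all other outbound connections
add 02999 deny log all from any to any out via "$rif"

#### Lockdown incoming traffic

# Deny all inbound traffic from non-routable reserved address spaces
#add 03110 deny all from 192.168.0.0/16 to any in via "$rif"   #RFC 1918 private IP
#add 03111 deny all from 172.16.0.0/12 to any in via "$rif"    #RFC 1918 private IP
#add 03112 deny all from 10.0.0.0/8 to any in via "$rif"       #RFC 1918 private IP
add 03113 deny all from 127.0.0.0/8 to any in via "$rif"       #loopback
add 03114 deny all from 0.0.0.0/8 to any in via "$rif"         #"this network" / unspecified source (RFC 1122), not loopback
add 03115 deny all from 169.254.0.0/16 to any in via "$rif"    #DHCP auto-config
add 03116 deny all from 192.0.2.0/24 to any in via "$rif"      #reserved for docs
add 03117 deny all from 204.152.64.0/23 to any in via "$rif"   #Sun cluster interconnect
add 03118 deny all from 224.0.0.0/3 to any in via "$rif"       #Class D & E multicast

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 02120.
#add 03120 allow udp from any to x.x.x.x 67 in via "$rif" keep-state

# Allow public pings
add 03210 allow icmp from any to any in via "$rif"

# Deny ident
add 03230 deny tcp from any to any 113 in via "$rif"

# Deny all Netbios services.
add 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via "$rif"

# Deny fragments
add 03250 deny all from any to any frag in via "$rif"

# Deny ACK packets that did not match the dynamic rule table
add 03500 deny tcp from any to any established in via "$rif"

# Allow inbound SSH host connections
add 03610 allow tcp from any to me 22 in via "$rif" setup limit src-addr 2

# Allow HTTP host connections to host web server
add 03620 allow tcp from any to me 80 in via "$rif" setup limit src-addr 2

# Allow inbound Telnet connections to NAT
add 03710 allow tcp from any to me 23,3270 in via "$rif" setup limit src-addr 2

# Allow inbound FTP connections to NAT
add 03720 allow tcp from any to me 20,21 in via "$rif" setup limit src-addr 2   # 02500 pasv ftp

# Reject and log all other incoming connections
add 03999 deny log all from any to any in via "$rif"
#### lockdown in

# skipto location for outbound stateful rules; the number comes from
# $skip_to so the target cannot drift away from the skipto rules above.
add "$skip_to" divert natd ip from any to any out via "$rif"
add 65000 allow ip from any to any
#add 65535 deny ip from any to any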