132 lines
4.9 KiB
Bash
Executable File
132 lines
4.9 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
|
|
# ipfw -vated list
|
|
|
|
# IPFW configuration
|
|
#sysrc firewall_enable="YES"
|
|
#sysrc firewall_logif="YES"
|
|
#sysrc firewall_script="/mnt/config/ipfw.rules"
|
|
|
|
# NATd configuration
|
|
#sysrc gateway_enable="YES"
|
|
#sysrc natd_enable="YES"
|
|
#sysrc natd_interface="tun1"
|
|
#sysrc natd_flags="-f /mnt/config/natd.conf"
|
|
#natd.conf: redirect_port tcp 192.168.0.9:80 80
|
|
|
|
# Set rules command prefix
|
|
cmd="ipfw -q add"
|
|
lif="epair0b" # interface name of VNET attached to Local network
|
|
rif="tun1" # interface name of Tunnel attached to Remote network
|
|
skip="skipto 12000"
|
|
|
|
# Flush out the list before we begin.
|
|
ipfw -q -f flush
|
|
|
|
# gateway_enable already set in rc.conf
|
|
# sysctl net.inet.ip.forwarding=1
|
|
|
|
# Packets passing the stateful NAT may be re-injected into the firewall
|
|
# sysctl net.inet.ip.fw.one_pass=0
|
|
ipfw disable one_pass
|
|
|
|
# functionality is included in the divert action
|
|
#ipfw -q nat 1 config if $rif same_ports unreg_only reset
|
|
|
|
$cmd 00050 allow ip from any to any via $lif
|
|
|
|
$cmd 00100 allow ip from any to any via lo0
|
|
|
|
$cmd 00200 deny ip from any to 127.0.0.0/8
|
|
$cmd 00300 deny ip from 127.0.0.0/8 to any
|
|
$cmd 00400 deny ip from any to ::1
|
|
$cmd 00500 deny ip from ::1 to any
|
|
|
|
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
|
|
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
|
|
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
|
|
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
|
|
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
|
|
|
|
# The reassemble rule is not needed with userland natd(8)
|
|
# because the internal workings of the IPFW divert action
|
|
# takes care of reassembling packets before delivery to the socket
|
|
#$cmd 01100 reass all from any to any in
|
|
|
|
$cmd 01200 divert natd ip from any to any in via $rif # NAT any inbound packets
|
|
|
|
# Allow the packet through if it has an existing entry in the dynamic rules table
|
|
$cmd 01300 check-state
|
|
|
|
# Allow access to DNS
|
|
#$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
|
|
#$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
|
|
#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
|
|
#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
|
|
|
|
# Allow access to ISP's DHCP server for cable/DSL configurations.
|
|
# Use the first rule and check log for IP address.
|
|
# Then, uncomment the second rule, input the IP address, and delete the first rule
|
|
#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
|
|
#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
|
|
|
|
# Allow outbound ping
|
|
$cmd 02210 $skip icmp from any to any out via $rif keep-state
|
|
|
|
# Allow outbound NTP
|
|
#$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
|
|
|
|
# Allow outbound TCP traffic
|
|
$cmd 02500 $skip tcp from any to any 22,80,443,2024,3389,5904 out via $rif setup keep-state
|
|
|
|
# deny and log all other outbound connections
|
|
$cmd 02999 deny log all from any to any out via $rif
|
|
|
|
#### Lockdown incoming traffic
|
|
# Deny all inbound traffic from non-routable reserved address spaces
|
|
#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif #RFC 1918 private IP
|
|
#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif #RFC 1918 private IP
|
|
#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif #RFC 1918 private IP
|
|
$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif #loopback
|
|
$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif #loopback
|
|
$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif #DHCP auto-config
|
|
$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif #reserved for docs
|
|
$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif #Sun cluster interconnect
|
|
$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif #Class D & E multicast
|
|
|
|
# Allow traffic from ISP's DHCP server.
|
|
# Replace x.x.x.x with the same IP address used in rule 02120.
|
|
#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
|
|
|
|
# Deny public pings
|
|
#$cmd 03210 deny icmp from any to any in via $rif
|
|
|
|
# Deny ident
|
|
$cmd 03230 deny tcp from any to any 113 in via $rif
|
|
|
|
# Deny all Netbios services.
|
|
$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
|
|
|
|
# Deny fragments
|
|
$cmd 03250 deny all from any to any frag in via $rif
|
|
|
|
# Deny ACK packets that did not match the dynamic rule table
|
|
$cmd 03500 deny tcp from any to any established in via $rif
|
|
|
|
# Allow inbound SSH connections
|
|
#$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
|
|
|
|
# Allow HTTP connections to internal web server
|
|
#$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
|
|
|
|
# Reject and log all other incoming connections
|
|
$cmd 03999 deny log all from any to any in via $rif
|
|
#### lockdown in
|
|
|
|
$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
|
|
|
|
$cmd 65000 allow ip from any to any
|
|
|
|
#$cmd 65535 deny ip from any to any
|