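#!/bin/sh
#
# ipfw ruleset for a FreeBSD host with one external (em0) and one
# internal (em1) interface.
#
# Rules are evaluated in number order: dynamic-state check (10), the
# scan/spoofing filters (15-18), the stateless "established" shortcut (19),
# the per-service allow rules, then a logged default deny (900).
#
# Table 1 is loaded from /etc/fw_white_list (hosts allowed to reach this
# host on any port, rule 90), table 2 from /etc/fw_black_list (hosts always
# denied, rule 100). One address or network per line; blank lines and lines
# whose first field starts with '#' are ignored; only the first field of a
# line is used.
#
# Set FWCMD to override the ipfw binary (e.g. FWCMD=echo for a dry run).

clear

fwcmd="${FWCMD:-/sbin/ipfw}"

# External interface and address (pif/oif are the same interface; both
# names are kept because the rules below use both)
oif="em0"
pif="em0"
oip="XXXXXXXXXXXXX"

# Internal interface, address and LAN
iif="em1"
# shellcheck disable=SC2034 — not referenced by any rule, kept for reference
iip="XXXXXXXXXXXXXXX"
ilan="XXXXXXXXXXXXXXXX/24"

#######################################
# Load one address-or-network per line from a list file into an ipfw table.
# Only the first whitespace-separated field of each line is used; blank
# lines and lines whose first field starts with '#' are skipped. Entries are
# passed to ipfw as a plain argument, never through a shell, so list content
# cannot inject commands. A missing or unreadable list is reported on stderr
# and treated as empty.
# Arguments: $1 - ipfw table number, $2 - path of the list file
# Returns:   0
#######################################
load_table() {
  if [ ! -r "$2" ]; then
    printf '%s: cannot read %s, table %s left empty\n' "${0##*/}" "$2" "$1" >&2
    return 0
  fi
  # "|| [ -n ... ]" still processes a last line that lacks a trailing newline
  while read -r entry rest || [ -n "$entry" ]; do
    case "$entry" in
      '' | '#'*) continue ;;
    esac
    ${fwcmd} table "$1" add "$entry"
  done < "$2"
}

# Flush all rules
${fwcmd} -f flush

# Check dynamic rules
${fwcmd} 10 add check-state

########################
# SECURITY SECTION
# These rules are numbered below the "established" shortcut (rule 19):
# "established" matches any TCP packet with ACK or RST set, which would
# otherwise pass an all-flags (X-scan) probe before rule 15 could reject it.
# The tcpflags lists must be written without spaces: each rule is a single
# ipfw argument list and a space would split the flag list into unknown
# keywords.
########################

# deny X-scan (all flags set)
${fwcmd} 15 add reject log tcp from any to any tcpflags fin,syn,rst,psh,ack,urg via ${pif}
# deny N-scan (null scan, no flags set)
${fwcmd} 16 add reject log tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg via ${pif}
# deny FIN-scan
${fwcmd} 17 add reject log tcp from any to any not established tcpflags fin via ${pif}
# deny spoofing: drop inbound packets whose source address would not be
# routed back out through the interface they arrived on
${fwcmd} 18 add deny log ip from any to any not verrevpath in via ${pif}

# Allow packets of established TCP connections (stateless: ACK or RST set)
${fwcmd} 19 add allow tcp from any to any established

# Allow localhost internal activity
${fwcmd} 20 add allow ip from any to any via lo0

# Don't allow loopback addresses on the wire in either direction
${fwcmd} 30 add deny ip from any to 127.0.0.0/8
${fwcmd} 40 add deny ip from 127.0.0.0/8 to any

# Deny fragmented ICMP packets
${fwcmd} 50 add deny icmp from any to any frag

# Deny connections to the internal network from the external network
${fwcmd} 60 add deny ip from any to ${ilan} in via ${oif}

# Deny broadcast ICMP on the external interface
${fwcmd} 70 add deny log icmp from any to 255.255.255.255 in via ${oif}
${fwcmd} 80 add deny log icmp from any to 255.255.255.255 out via ${oif}

# WHITELIST (table 1): listed hosts may reach this host on any port
${fwcmd} 90 add allow all from "table(1)" to me
load_table 1 /etc/fw_white_list

# BLACKLIST (table 2): listed hosts are denied
${fwcmd} 100 add deny all from "table(2)" to me
load_table 2 /etc/fw_black_list

# Allow outgoing traffic
${fwcmd} 120 add allow ip from ${oip} to any out xmit ${oif}

# Allow DNS
# NOTE(review): rule 200 admits any UDP packet whose source port is 53,
# regardless of state; keep-state on the outbound query (rule 205) would be
# tighter.
${fwcmd} 200 add allow udp from any 53 to any via ${oif}
${fwcmd} 205 add allow udp from any to any 53 via ${oif}

# Allow NTP
${fwcmd} 210 add allow udp from any to any 123 via ${oif}

# SSH on port 2233: not opened to the world; whitelisted hosts are admitted
# by rule 90 (table 1)
# ${fwcmd} 220 add allow tcp from any to me 2233 in via ${oif}
# Allow Sweta IP Megafon SSH

# FTP on port 2133 (passive range 64000-64999): disabled
#${fwcmd} 230 add allow tcp from any to me 2133,64000-64999 via ${oif}

# Allow ICMP echo reply (0), echo request (8) and time exceeded (11)
${fwcmd} 240 add allow icmp from any to any icmptypes 0,8,11

# Allow everything on the internal interface
${fwcmd} 250 add allow ip from any to any via ${iif}

# Allow HTTP to this host
${fwcmd} 260 add allow tcp from any to me 80 in via ${oif}

# Webmin (port 10000): not opened to the world; whitelisted hosts are
# admitted by rule 90 (table 1)
#${fwcmd} 270 add allow tcp from any to me 10000 in via ${oif}

# Deny and log everything else (logamount caps the log entries for this rule)
${fwcmd} 900 add deny log logamount 10000 ip from any to any

# ALLOW IP ALL (debugging only, leave disabled)
#${fwcmd} 1000 add allow ip from any to any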