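# ipfw(8) ruleset for a two-interface NAT gateway: ${oif} faces the ISP,
# ${iif} faces the LAN. Run by /bin/sh (POSIX syntax only, no bashisms).
# Reads rc.conf for natd_interface; an optional first argument overrides
# firewall_type. ipfw evaluates rules in number order and the first match
# wins, so the relative numbering below is load-bearing — in particular the
# catch-all "pass ... setup" rule (700/710) must not accept inbound SYNs on
# ${oif}, or every deny rule from 3000 to 4000 becomes unreachable for TCP.

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
  . /etc/defaults/rc.conf
  source_rc_confs
elif [ -r /etc/rc.conf ]; then
  . /etc/rc.conf
fi

if [ -n "${1}" ]; then
  firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="vr0"
onet="24.161.139.0"
omask="255.255.255.0"
oip="24.161.139.249"
# Alternative: derive the values from ifconfig output (note the original
# sketch named rl0, not ${oif}, so adjust the interface before enabling).
#onet=$(ifconfig rl0 | grep "inet " | awk '{print $6}')
#omask=$(ifconfig rl0 | grep "inet " | awk '{print $4}')
#oip=$(ifconfig rl0 | grep "inet " | awk '{print $2}')

# Inside interface network and netmask and ip
iif="vr1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"

# natd(8) divert interface. rc.conf normally sets natd_interface; fall back
# to the outside interface so rule 400 is never emitted with an empty
# interface name (which makes ipfw reject the rule and leaves NAT off).
# NOTE(review): confirm natd really runs on ${oif} on this host.
: "${natd_interface:=${oif}}"

# My ISP's DNS servers. dns3 is referenced by rules 5400/5500 below; the
# original file assigned the mindspring address to dns2 a second time and
# never defined dns3, so those two rules were emitted with an empty host.
dns1="24.25.227.34"    # hawaii.rr.com ns
dns2="24.25.227.36"
dns3="207.69.188.185"  # ns.mindspring.com

# Flush previous rules
"${fwcmd}" -f flush

# default stuff
# Allow loopbacks, deny imposters
"${fwcmd}" add 100 pass all from any to any via lo0
"${fwcmd}" add 110 deny all from any to 127.0.0.0/8

# Stop spoofing. Rule 200 (packets claiming an inside-net source arriving
# on the outside interface) is disabled here, as in the original; only the
# reverse direction is checked.
# "${fwcmd}" add 200 deny all from "${inet}:${imask}" to any in via "${oif}"
"${fwcmd}" add 210 deny all from "${onet}:${omask}" to any in via "${iif}"

# Stop RFC1918 nets on the outside interface
"${fwcmd}" add 250 deny all from any to 10.0.0.0/8 via "${oif}"
"${fwcmd}" add 255 deny all from any to 172.16.0.0/12 via "${oif}"
"${fwcmd}" add 260 deny all from any to 192.168.0.0/16 via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
"${fwcmd}" add 300 deny all from any to 0.0.0.0/8 via "${oif}"
"${fwcmd}" add 310 deny all from any to 169.254.0.0/16 via "${oif}"
"${fwcmd}" add 320 deny all from any to 192.0.2.0/24 via "${oif}"
"${fwcmd}" add 330 deny all from any to 224.0.0.0/4 via "${oif}"
"${fwcmd}" add 340 deny all from any to 240.0.0.0/4 via "${oif}"

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
"${fwcmd}" add 400 divert natd all from any to any via "${natd_interface}"

# Stop RFC1918 nets on the outside interface
"${fwcmd}" add 500 deny all from 10.0.0.0/8 to any via "${oif}"
"${fwcmd}" add 505 deny all from 172.16.0.0/12 to any via "${oif}"
"${fwcmd}" add 510 deny all from 192.168.0.0/16 to any via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
"${fwcmd}" add 515 deny all from 0.0.0.0/8 to any via "${oif}"
"${fwcmd}" add 520 deny all from 169.254.0.0/16 to any via "${oif}"
"${fwcmd}" add 525 deny all from 192.0.2.0/24 to any via "${oif}"
"${fwcmd}" add 530 deny all from 224.0.0.0/4 to any via "${oif}"
"${fwcmd}" add 535 deny all from 240.0.0.0/4 to any via "${oif}"

#### ACCEPT START #### (PUT STUFF IN HERE YOU WANT ACCEPTED)

# Allow established connections with minimal overhead
"${fwcmd}" add 600 pass tcp from any to any established

# Allow IP fragments to pass through
"${fwcmd}" add 650 pass all from any to any frag

### TCP RULES

# HTTP - Allow access to our web server
#"${fwcmd}" add 660 pass tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
# "${fwcmd}" add 665 pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
# "${fwcmd}" add 670 deny log tcp from any to any 21 in via "${oif}" setup
# But.... I happen to be too much of a warez freak
# NOTE(review): the rule below is kept exactly as found; the port spec
# "ftp\\-data-ftp ... 1024 >" does not look like valid ipfw(8) syntax and
# probably fails to load. Verify against ipfw(8) (the commented rule 680
# shows the likely intent) before relying on it.
${fwcmd} add 675 pass tcp from any ftp\\-data-ftp to any 1024 > keep-state
#"${fwcmd}" add 680 pass tcp from any ftp-data to any 1024-65535 setup
"${fwcmd}" add 685 pass tcp from any to any 21 setup

# SSH Login - Allow & Log all incoming
"${fwcmd}" add 690 pass tcp from any to any 22 in via "${oif}" setup

# IDENT - Reset incoming connections rather than leaving them to time out
"${fwcmd}" add 695 reset tcp from any to any 113 in via "${oif}" setup

# QUAKE3ARENA!!!!!
"${fwcmd}" add 698 pass tcp from any to any 27960 in via "${oif}"
"${fwcmd}" add 699 pass udp from any to any 27960 in via "${oif}"

# Allow setup of any other TCP connection that originates on our side:
# outbound on the outside interface, or either direction on the inside
# interface. Deliberately NOT "from any to any setup" — that form also
# accepted every inbound SYN on ${oif}, so the port blocks below and the
# "deny log ... in via ${oif} setup" rule at 4000 never saw a TCP packet.
# Outbound behaviour is unchanged: outbound SYNs still match here before
# reaching the "via ${oif}" denies.
"${fwcmd}" add 700 pass tcp from any to any out via "${oif}" setup
"${fwcmd}" add 710 pass tcp from any to any via "${iif}" setup

### SPECIAL PORT BLOCKS TROJAN REJECTS###(DENIED!)
### Filter Port=5 *** Remote Job Entry ***
"${fwcmd}" add 3000 deny tcp from any to any 5 via "${oif}"
"${fwcmd}" add 3001 deny udp from any to any 5 via "${oif}"
### Filter Port=11 *** REMOTE SYSTEM INFO ***(default=deny)
"${fwcmd}" add 3002 deny tcp from any to any 11 via "${oif}"
"${fwcmd}" add 3003 deny udp from any to any 11 via "${oif}"
### Filter Port=23 ***TELNET Service***(default=deny)
"${fwcmd}" add 3004 deny tcp from any to any 23 via "${oif}"
"${fwcmd}" add 3005 deny udp from any to any 23 via "${oif}"
### Filter Port=25 ***SMTP service***(default=deny)
"${fwcmd}" add 3006 deny tcp from any to any 25 via "${oif}"
"${fwcmd}" add 3007 deny udp from any to any 25 via "${oif}"
### Filter Port=38 *** Route Access Protocol ***(default=deny)
"${fwcmd}" add 3008 deny tcp from any to any 38 via "${oif}"
"${fwcmd}" add 3009 deny udp from any to any 38 via "${oif}"
###Filter Port=42 *** Hostname Server service***(default=deny)
"${fwcmd}" add 3010 deny tcp from any to any 42 via "${oif}"
"${fwcmd}" add 3011 deny udp from any to any 42 via "${oif}"
### Filter Port=43 *** WHOIS *** (default=deny)
# (the original rules 3012/3013 said port 42 here, duplicating the
# hostname-server block above and leaving whois unfiltered)
"${fwcmd}" add 3012 deny tcp from any to any 43 via "${oif}"
"${fwcmd}" add 3013 deny udp from any to any 43 via "${oif}"
###Filter Port=49 *** Login Host Protocol ***(default=deny)
"${fwcmd}" add 3014 deny tcp from any to any 49 via "${oif}"
"${fwcmd}" add 3015 deny udp from any to any 49 via "${oif}"
### Filter Port=50 *** Remote Mail Checking Protocol *** (default=deny)
"${fwcmd}" add 3016 deny tcp from any to any 50 via "${oif}"
"${fwcmd}" add 3017 deny udp from any to any 50 via "${oif}"
###Filter Port=69 ***TFTP service***(default=deny)
"${fwcmd}" add 3018 deny tcp from any to any 69 via "${oif}"
"${fwcmd}" add 3019 deny udp from any to any 69 via "${oif}"
### Filter Port=70 *** Gopher *** (default=deny)
"${fwcmd}" add 3020 deny tcp from any to any 70 via "${oif}"
"${fwcmd}" add 3021 deny udp from any to any 70 via "${oif}"
### Filter Port=71-74 *** Remote Job Service *** (default=deny)
"${fwcmd}" add 3022 deny tcp from any to any 71-74 via "${oif}"
"${fwcmd}" add 3023 deny udp from any to any 71-74 via "${oif}"
### Filter Port=79 *** Finger *** (default=deny)
"${fwcmd}" add 3024 deny tcp from any to any 79 via "${oif}"
"${fwcmd}" add 3025 deny udp from any to any 79 via "${oif}"
### Filter Port=81 *** Host2 Nameserver *** (default=deny)
"${fwcmd}" add 3028 deny tcp from any to any 81 via "${oif}"
"${fwcmd}" add 3029 deny udp from any to any 81 via "${oif}"
### Filter Port=82 *** XFER Utility *** (default=deny)
"${fwcmd}" add 3030 deny tcp from any to any 82 via "${oif}"
"${fwcmd}" add 3031 deny udp from any to any 82 via "${oif}"
### Filter Port=88 *** Kerberos ***(default=deny)
"${fwcmd}" add 3032 deny tcp from any to any 88 via "${oif}"
"${fwcmd}" add 3033 deny udp from any to any 88 via "${oif}"
### Filter Port=98 *** Linuxconf *** (default=deny)
"${fwcmd}" add 3034 deny tcp from any to any 98 via "${oif}"
"${fwcmd}" add 3035 deny udp from any to any 98 via "${oif}"
### Filter port=110 *** POP Mail server *** (denied here)
"${fwcmd}" add 3036 deny tcp from any to any 110 via "${oif}"
"${fwcmd}" add 3037 deny udp from any to any 110 via "${oif}"
### Filter Port=111 *** Portmapper *** (default=deny)
"${fwcmd}" add 3038 deny tcp from any to any 111 via "${oif}"
"${fwcmd}" add 3039 deny udp from any to any 111 via "${oif}"
### Filter Port=515 *** Printer Service ***(default=deny)
# (renumbered from 4000/4001, which collided with the deny-log rule 4000
# below; ipfw accepts duplicate numbers but "ipfw delete 4000" would have
# removed all three rules at once)
"${fwcmd}" add 3040 deny tcp from any to any 515 via "${oif}"
"${fwcmd}" add 3041 deny udp from any to any 515 via "${oif}"
### Filter Port=115 *** SFTP service ***(default=deny)
"${fwcmd}" add 3042 deny tcp from any to any 115 via "${oif}"
"${fwcmd}" add 3043 deny udp from any to any 115 via "${oif}"
### Filter Port=143 *** IMAP server *** (denied here)
"${fwcmd}" add 3044 deny tcp from any to any 143 via "${oif}"
"${fwcmd}" add 3045 deny udp from any to any 143 via "${oif}"
### Filter Port=161-162 *** SNMP *** (default=deny)
"${fwcmd}" add 3046 deny tcp from any to any 161-162 via "${oif}"
"${fwcmd}" add 3047 deny udp from any to any 161-162 via "${oif}"
### Filter Port=177 ***xdmcp X Display Manager Control Protocol***(default=deny)
"${fwcmd}" add 3048 deny tcp from any to any 177 via "${oif}"
"${fwcmd}" add 3049 deny udp from any to any 177 via "${oif}"
### Filter Port=178 ***NextStep Window Server***(default=deny)
"${fwcmd}" add 3050 deny tcp from any to any 178 via "${oif}"
"${fwcmd}" add 3051 deny udp from any to any 178 via "${oif}"
### Filter Port=443 *** Secure Web server service***(default=deny)
"${fwcmd}" add 3052 deny tcp from any to any 443 via "${oif}"
"${fwcmd}" add 3053 deny udp from any to any 443 via "${oif}"
### Filter Port=517 *** Talk Service ***(default=deny)
"${fwcmd}" add 3054 deny tcp from any to any 517 via "${oif}"
"${fwcmd}" add 3055 deny udp from any to any 517 via "${oif}"
### Filter Port=518 *** Ntalk service ***(default=deny)
"${fwcmd}" add 3056 deny tcp from any to any 518 via "${oif}"
"${fwcmd}" add 3057 deny udp from any to any 518 via "${oif}"
### Filter Port=1080 *** Socks service ***(default=deny)
"${fwcmd}" add 3058 deny tcp from any to any 1080 via "${oif}"
"${fwcmd}" add 3059 deny udp from any to any 1080 via "${oif}"
### Filter Port=6000-6063 ***X Windows System***(default=deny)
"${fwcmd}" add 3060 deny tcp from any to any 6000-6063 via "${oif}"
"${fwcmd}" add 3061 deny udp from any to any 6000-6063 via "${oif}"
### Filter Port=7100 *** X Font Service ***(default=deny)
"${fwcmd}" add 3062 deny tcp from any to any 7100 via "${oif}"
"${fwcmd}" add 3063 deny udp from any to any 7100 via "${oif}"

#Begin Common Trojan Ports Blocking - This includes BackOrifice, Netbus, Trinoo, etc
"${fwcmd}" add 3064 deny tcp from any to any 31 via "${oif}"           # port 31
"${fwcmd}" add 3065 deny udp from any to any 31 via "${oif}"
"${fwcmd}" add 3066 deny tcp from any to any 1001 via "${oif}"         # port 1001
"${fwcmd}" add 3067 deny udp from any to any 1001 via "${oif}"
"${fwcmd}" add 3068 deny tcp from any to any 1011 via "${oif}"         # port 1011
"${fwcmd}" add 3069 deny udp from any to any 1011 via "${oif}"
"${fwcmd}" add 3070 deny tcp from any to any 1170 via "${oif}"         # port 1170
"${fwcmd}" add 3071 deny udp from any to any 1170 via "${oif}"
"${fwcmd}" add 3072 deny tcp from any to any 1234 via "${oif}"         # port 1234
"${fwcmd}" add 3073 deny udp from any to any 1234 via "${oif}"
"${fwcmd}" add 3074 deny tcp from any to any 1999 via "${oif}"         # port 1999
"${fwcmd}" add 3075 deny udp from any to any 1999 via "${oif}"
"${fwcmd}" add 3076 deny tcp from any to any 3150 via "${oif}"         # port 3150
"${fwcmd}" add 3077 deny udp from any to any 3150 via "${oif}"
"${fwcmd}" add 3078 deny tcp from any to any 5400-5402 via "${oif}"    # ports 5400-5402
"${fwcmd}" add 3079 deny udp from any to any 5400-5402 via "${oif}"
"${fwcmd}" add 3080 deny tcp from any to any 6670-6671 via "${oif}"    # ports 6670 and 6671
"${fwcmd}" add 3081 deny udp from any to any 6670-6671 via "${oif}"
"${fwcmd}" add 3082 deny tcp from any to any 7300-7308 via "${oif}"    # ports 7300-7308
"${fwcmd}" add 3083 deny udp from any to any 7300-7308 via "${oif}"
"${fwcmd}" add 3084 deny tcp from any to any 12223 via "${oif}"        # port 12223
"${fwcmd}" add 3085 deny udp from any to any 12223 via "${oif}"
"${fwcmd}" add 3086 deny tcp from any to any 12361 via "${oif}"        # port 12361
"${fwcmd}" add 3087 deny udp from any to any 12361 via "${oif}"
"${fwcmd}" add 3088 deny tcp from any to any 20001 via "${oif}"        # port 20001
"${fwcmd}" add 3089 deny udp from any to any 20001 via "${oif}"
"${fwcmd}" add 3090 deny tcp from any to any 20034 via "${oif}"        # port 20034
"${fwcmd}" add 3091 deny udp from any to any 20034 via "${oif}"
"${fwcmd}" add 3092 deny tcp from any to any 31337 via "${oif}"        # port 31337
"${fwcmd}" add 3093 deny udp from any to any 31337 via "${oif}"
"${fwcmd}" add 3094 deny tcp from any to any 31338 via "${oif}"        # port 31338
"${fwcmd}" add 3095 deny udp from any to any 31338 via "${oif}"
"${fwcmd}" add 3096 deny tcp from any to any 3306 via "${oif}"         # MySQL, tcp only as in the original

# Reject&Log all setup of incoming connections from the outside
# (reachable only because rule 700 no longer passes inbound SYNs on ${oif})
"${fwcmd}" add 4000 deny log tcp from any to any in via "${oif}" setup

### UDP RULES

# DNS - Allow queries out in the world
"${fwcmd}" add 5000 pass udp from any to "${dns1}" 53
"${fwcmd}" add 5100 pass udp from any to "${dns2}" 53
"${fwcmd}" add 5200 pass udp from "${dns1}" 53 to any
"${fwcmd}" add 5300 pass udp from "${dns2}" 53 to any
"${fwcmd}" add 5400 pass udp from any to "${dns3}" 53
"${fwcmd}" add 5500 pass udp from "${dns3}" 53 to any

# SMB - Allow local traffic
"${fwcmd}" add 6000 pass udp from any to any 137-139 via "${iif}"

# SYSLOG - Allow machines on inside net to log to us.
"${fwcmd}" add 7000 pass log udp from any to any 514 via "${iif}"
"${fwcmd}" add 7050 deny log udp from any to any 514 via "${oif}"

# NTP - Allow queries out in the world
# "${fwcmd}" add 8000 pass udp from any 123 to any 123 via "${oif}"
# "${fwcmd}" add 8100 pass udp from any 123 to any via "${iif}"
# "${fwcmd}" add 8200 pass udp from any to any 123 via "${iif}"

# TRACEROUTE - Allow outgoing
"${fwcmd}" add 8500 pass udp from any to any 33434-33523 out via "${oif}"

# Reject&Log SMB connections on outside interface
"${fwcmd}" add 8700 deny log udp from any to any 137-139 via "${oif}"

# Deny any further UDP on the outside interface
"${fwcmd}" add 9000 deny udp from any to any via "${oif}"

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
"${fwcmd}" add 10000 pass icmp from any to any via "${iif}"

# Allow outgoing pings
"${fwcmd}" add 10100 pass icmp from any to any icmptypes 8 out via "${oif}"
"${fwcmd}" add 10200 pass icmp from any to any icmptypes 0 in via "${oif}"

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
"${fwcmd}" add 10500 pass icmp from any to any icmptypes 3,4,11,12 via "${oif}"

# Deny the rest of them
"${fwcmd}" add 10700 deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
"${fwcmd}" add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via "${oif}"

# Reject&Log all other connections from outside interface
"${fwcmd}" add 65000 deny log ip from any to any via "${oif}"

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.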