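#!/bin/sh
#
# Fully functional ipfw firewall that only allows inbound connections to
# ports 22 and 80 on the outside interface and logs every other attempt.
#
# Abort on the first ipfw command that fails. The ruleset is flushed before
# it is reloaded, so a rule that fails to load part-way through would leave
# the host with an incomplete firewall; stopping here makes that visible.
set -e

# Absolute path to the firewall command. A relative "./ipfw" would execute
# whatever binary happens to be in the current working directory (which is
# not this script's directory when run from rc or cron), so pin the path.
fwcmd="/sbin/ipfw"

# Outside (untrusted) interface.
oif="ppp0"

# Inside interface. This is usually your network card; change it to match
# the interface name on your own host.
iif="eth0"

# Flush the current rules before we reload.
$fwcmd -f flush

# Match packets against the dynamic (keep-state) rule table first.
$fwcmd add check-state

# Anti-spoofing: packets claiming one of our own addresses must never
# arrive from the outside interface.
$fwcmd add deny ip from me to any in via $oif

# Allow all connections that we initiate and keep their state, but deny
# established inbound TCP that has no matching dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif

# Allow all traffic on the inside interface.
$fwcmd add allow ip from any to any via $iif

# Allow loopback traffic, and refuse loopback addresses on any other interface.
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any

# Allow internet users to connect to ports 22 and 80 (sshd and a web server).
# "setup" matches only the initial SYN; the resulting dynamic rule carries
# the rest of the connection.
$fwcmd add allow tcp from any to me 22,80 in via $oif setup keep-state

# Allow ICMP: remove type 8 (echo request) if you don't want your host to be
# pingable from the outside.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

# Deny and log all the rest.
# NOTE(review): the "log" keyword only produces output when firewall logging
# is enabled in the kernel (sysctl net.inet.ip.fw.verbose=1); confirm on this
# host, otherwise denied attempts are dropped silently.
$fwcmd add deny log ip from any to any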