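#!/bin/sh
#
#  Firewall Builder  fwb_ipfw v2.0.5-b
#
#  Generated Sat Jan 01 20:13:42 2005 Russian Standard Time by Ruslan
#
#  files: * wipfw.fw
#
#
# Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.
# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall.
#
#
# Loader contract: either every rule below is installed, or the loader
# stops.  The ruleset is flushed before loading, so a rule that failed to
# install while the script kept going would leave a partial policy in
# place; abort on the first failing ipfw invocation instead.
set -e

# Path to the ipfw binary.  Quoted on every use (including the flush) so a
# path containing whitespace cannot split into extra arguments.
IPFW="./ipfw"
readonly IPFW

# Drop the whole current ruleset.  Until the rules below are loaded, the
# kernel's default rule decides what passes.
"$IPFW" -f flush

# Consult the dynamic (keep-state) table before any static rule, so
# established sessions created by the keep-state rules below are honoured.
"$IPFW" add 1 check-state ip from any to any

#
# Rule 0 (eth0)
# anti spoofing rule
#
# Packets arriving on the outside interface must not claim the firewall's
# own addresses or the internal network as their source.
"$IPFW" add 10 drop log all from me to any in recv eth0
"$IPFW" add 20 drop log all from 192.168.1.0/24 to any in recv eth0

#
# Rule 0 (lo)
#
#
"$IPFW" add 30 permit all from any to any via lo keep-state

#
# Rule 0 (global)
# SSH Access to firewall is permitted
# only from internal network
# Also firewall serves DNS for internal
# network
#
# Rule 20 above already drops 192.168.1.0/24 sources seen on eth0, so
# these rules effectively match internal traffic only.
"$IPFW" add 40 permit tcp from 192.168.1.0/24 to me 22,53 in setup keep-state
"$IPFW" add 50 permit udp from 192.168.1.0/24 to me 53 in keep-state

#
# Rule 1 (global)
# DHCP requests are permitted
# from internal network
#
# Clients without a lease yet send from 0.0.0.0 to the broadcast address,
# hence the extra source/destination variants.
"$IPFW" add 60 permit udp from 192.168.1.0/24 to me 68,67 in keep-state
"$IPFW" add 70 permit udp from 0.0.0.0 to me 68,67 in keep-state
"$IPFW" add 80 permit udp from 192.168.1.0/24 to 255.255.255.255 68,67 keep-state
"$IPFW" add 90 permit udp from 0.0.0.0 to 255.255.255.255 68,67 keep-state

#
# Rule 2 (global)
# DHCP replies
#
"$IPFW" add 100 permit udp from me to 192.168.1.0/24 68,67 out keep-state

#
# Rule 3 (global)
# Firewall should be able to send
# DNS queries to the Internet
#
"$IPFW" add 110 permit log tcp from me to any 53 out setup keep-state
"$IPFW" add 120 permit log udp from me to any 53 out keep-state

#
# Rule 4 (global)
# All other attempts to connect to
# the firewall are denied and logged
#
# Must stay before rule 140: that rule would otherwise permit any
# internal host to reach every port on the firewall.
"$IPFW" add 130 drop log all from any to me in

#
# Rule 5 (global)
#
# Unrestricted outbound access for the internal network (return traffic
# is matched by the dynamic table via rule 1).
"$IPFW" add 140 permit all from 192.168.1.0/24 to any keep-state

#
# Rule 6 (global)
#
#
"$IPFW" add 150 drop log all from any to any

#
# Rule fallback rule
# fallback rule
#
"$IPFW" add 160 drop all from any to any

#
# Epilog script
#

# End of epilog script
#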