Date:      Wed, 6 Feb 2019 20:57:16 -0500
From:      jeff@justfixit.net
To:        freebsd-doc@FreeBSD.org
Subject:   ipfw documentation
Message-ID:  <c3a8b0768110e79da3e65c09581465bc.squirrel@email.powweb.com>

Please consider using some or all of this configuration to help people getting
started with IPFW+NAT.

Using the existing IPFW documentation, it still took me a couple weeks to
fully understand enough of it to work up to this:

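#!/bin/sh
# ***************************************************************************
# IPFW + NAT (natd) firewall script for a FreeBSD gateway with one Internet
# facing interface (EXT_IF) and one LAN interface (LAN_IF).
#
# Assumptions this script does not check: ipfw is available, natd is
# running for the "divert natd" rules, and the interface names below match
# this host.  Running it replaces the whole rule set.
# ***************************************************************************
# Flush out the list before we begin.  Until the last rule is added only
# ipfw's default rule is in place, so run this from a console, not over a
# connection that the new rules have to let through.
# *-------------------------------------------------------------------------*
    ipfw -q -f flush
# ***************************************************************************
# Set variables used throughout script
# *-------------------------------------------------------------------------*
    # Shorten commands to easy readable acronyms
        cmd="ipfw -q add"
        # Outbound "permit" rules jump to 5500, where the packet is passed
        # through natd and then allowed; see the last rules of the script.
        skip="skipto 5500"
        # keep-state: create a dynamic rule so replies match check-state.
        ks="keep-state"
    # Assign Interfaces (external/internal)
        EXT_IF="em0"     # interface name of NIC attached to Internet
        LAN_IF="bge0"    # interface name of NIC attached in LAN
    # Assign outbound UDP traffic that should always be blocked (and not
    # logged, see rule 003000).  Backslash-newline inside the quotes is a
    # line continuation, so each list becomes one comma-separated string.
        bad_udpo="\
1900,\
1975,\
20007,\
20008,\
20009,\
20010"
    # Assign normal outbound "authorized" TCP port activity
        good_tcpo="\
22,\
25,\
37,\
53,\
80,\
443,\
993,\
2350,\
5228,\
8080,\
110"
    # Assign normal outbound "authorized" UDP port activity
        good_udpo="\
2350,\
5060,\
5228"
    # Make sure XBOX Live works as designed - allow proprietary ports

        XBOX_tcp="3074"
        XBOX_udp="88,3074,500,3544,4500"

    # Assign authorized DNS servers: outbound port 53 is only allowed to
    # these addresses (rules 002000/002010).  Each address is listed once.
# ***************************************************************************
# *                     -------  Define DNS servers -------                 *
# ***************************************************************************
        DNS="\
209.18.47.61,\
209.18.47.63,\
208.67.222.222,\
208.67.220.220,\
209.18.47.62,\
4.2.2.5,\
4.2.2.2"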

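# Print a banner showing which lists are being loaded.  Each echo takes its
# string on the same line: in the mail archive the long strings were wrapped
# onto a second line, which would have run the bare string as a command.
echo "***************************************************************************"
echo "*             Firewall Script importing IPFW rules...                     *"
echo "***************************************************************************"
date
echo "***************************************************************************"
# %-58s / %-53s pad each list so the closing '*' lines up with the borders.
printf "* Outbound TCP=%-58s *\n" "$good_tcpo"
printf "* Outbound UDP=%-58s *\n" "$good_udpo"
printf "* Outbound XBOX TCP=%-53s *\n" "$XBOX_tcp"
printf "* Outbound XBOX UDP=%-53s *\n" "$XBOX_udp"
echo "Authorized DNS=	$DNS"
echo ""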
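#
# ***************************************************************************
# *                     -------  INCOMING RULES -------                     *
# ***************************************************************************
# ipfw stops at the first matching allow/deny/skipto, so rule order is the
# policy: the trusted-interface and state rules come first, the deny rules
# for everything that did not match come last.
# ***************************************************************************
# *   Ruleset -->  Allow incoming communication from internal LAN           *
# *-------------------------------------------------------------------------*
# Everything seen on the LAN interface, in either direction, is trusted.
    $cmd 00005 allow all from any to any via $LAN_IF
# ***************************************************************************
# *   Ruleset -->  Allow all traffic to/from LOOPBACK                       *
# *-------------------------------------------------------------------------*
    $cmd 00100 allow ip from any to any via lo0
# ***************************************************************************
# *   Ruleset -->  allow incoming traffic that is returning to NAT'ed hosts *
# *-------------------------------------------------------------------------*
# Inbound packets on the external interface go through natd first so that
# replies to NAT'ed LAN hosts are rewritten before check-state looks for a
# dynamic rule created by one of the keep-state rules below.
    $cmd 001000 divert natd ip from any to any in via $EXT_IF
    $cmd 001010 check-state
# ***************************************************************************
# *                    -------  OUTGOING RULES -------                      *
# ***************************************************************************
# Each "$skip" rule jumps to 5500 (outbound natd, then allow) and keeps
# state, so only the first packet of a connection is examined here.
# ***************************************************************************
# *           -------  Allow new connections to establish -------           *
# *                      an "authorized" state                              *
# *                      from Internal hosts -> Internet                    *
# ***************************************************************************
# *            -------  Allow access to public DNS -------                  *
# *-------------------------------------------------------------------------*
# Only the resolvers listed in $DNS are reachable on port 53.  keep-state
# must stay on the same line as the rule (the archive wrapped it).
    $cmd 002000 $skip tcp from any to $DNS 53 out via $EXT_IF setup keep-state
    $cmd 002010 $skip udp from any to $DNS 53 out via $EXT_IF keep-state
# ***************************************************************************
# *            -------  Allow any device (dangerous) to -------             *
# *                      request DHCP from ISP                              *
# ***************************************************************************
    $cmd 002100 $skip udp from any to any 67 out via $EXT_IF $ks
# ***************************************************************************
# *        -------  Allow TCP traffic specifically authorized -------       *
# ***************************************************************************
# The port lists are defined at the top of the script.
    $cmd 002200 $skip tcp from any to any $good_tcpo out via $EXT_IF setup $ks
    $cmd 002210 $skip udp from any to any $good_udpo out via $EXT_IF $ks
# ***************************************************************************
# *        -------  Allow TCP traffic specifically authorized -------       *
# *                   for Microsoft XBOX Live                               *
# ***************************************************************************
    $cmd 002220 $skip tcp from any to any $XBOX_tcp out via $EXT_IF setup $ks
    $cmd 002230 $skip udp from any to any $XBOX_udp out via $EXT_IF $ks
# ***************************************************************************
# *         -------  Allow outgoing Pings to external hosts ------          *
# ***************************************************************************
    $cmd 002300 $skip icmp from any to any out via $EXT_IF $ks
# ***************************************************************************
# *   Ruleset -->  Allow server to go anywhere                              *
# *-------------------------------------------------------------------------*
# "from me ... uid root": any TCP connection opened by a root-owned socket
# on the gateway itself, to any port, is allowed.
    $cmd 002400 $skip tcp from me to any out via $EXT_IF setup $ks uid root
# ***************************************************************************
# *   Ruleset -->  Allow outbound HTTP and HTTPS connections                *
# *-------------------------------------------------------------------------*
# 80 and 443 are already in $good_tcpo, so 002200 matches first; these
# rules are kept for readability and are harmless.
    $cmd 002500 $skip tcp from any to any 80 out via $EXT_IF setup $ks
    $cmd 002510 $skip tcp from any to any 443 out via $EXT_IF setup $ks
# ***************************************************************************
# *   Ruleset -->  Allow outbound email connections                         *
# *-------------------------------------------------------------------------*
# 25 and 110 are also in $good_tcpo (see 002200).
    $cmd 002620 $skip tcp from any to any 25 out via $EXT_IF setup $ks
    $cmd 002630 $skip tcp from any to any 110 out via $EXT_IF setup $ks
# ***************************************************************************
# *   Ruleset -->  Allow outbound ping                                      *
# *-------------------------------------------------------------------------*
# Same match as 002300.
    $cmd 002700 $skip icmp from any to any out via $EXT_IF $ks
# ***************************************************************************
# *   Ruleset -->  Allow outbound NTP                                       *
# *-------------------------------------------------------------------------*
    $cmd 002710 $skip udp from any to any 123 out via $EXT_IF $ks
# ***************************************************************************
# *   Ruleset -->  Allow outbound SSH                                       *
# *-------------------------------------------------------------------------*
# 22 is also in $good_tcpo (see 002200).
    $cmd 002720 $skip tcp from any to any 22 out via $EXT_IF setup $ks
# ***************************************************************************
# *   Ruleset -->  Allow traffic from ISP's DHCP server.                    *
# *-------------------------------------------------------------------------*
# NOTE(review): this matches inbound UDP with *destination* port 67, the
# DHCP server port.  Replies from an ISP's DHCP server are sent to port 68,
# and rule 002100 already keeps state for the outbound request, so confirm
# this rule is still needed before leaving port 67 open on $EXT_IF.
    $cmd 002730 allow udp from any to any 67 in via $EXT_IF $ks
# ***************************************************************************
# *   Ruleset -->  Allow outbound http                                      *
# *-------------------------------------------------------------------------*
# NOTE(review): these two rules use "allow" rather than "$skip", so a packet
# matching here is accepted without going through the outbound "divert natd"
# at 05500.  They are reached only by packets that 002200/002210 did not
# already send to 5500 (e.g. non-setup TCP segments); confirm this is
# intended for NAT'ed LAN hosts.
    $cmd 002800 allow tcp from any to any $good_tcpo out via $EXT_IF $ks
    $cmd 002810 allow udp from any to any $good_udpo out via $EXT_IF $ks
# ***************************************************************************
# *      ------- BLOCK AND TACKLE ALL OTHER OUTBOUND TRAFFIC -------        *
# ***************************************************************************
# *   Ruleset -->  BLOCK any traffic specifically targeted as $bad_udpo     *
# *                 NOTE: This is what you don't want logged   ^^^^^^^      *
# *-------------------------------------------------------------------------*
# Deny without "log" so the noisy ports in $bad_udpo do not fill the log
# before the logged catch-all at 003200.
    $cmd 003000 deny udp from any to any $bad_udpo out via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  deny all "Google" UDP 443 requests                       *
# *-------------------------------------------------------------------------*
# UDP 443 (QUIC) is denied so clients fall back to TCP 443, which is
# handled by the state-keeping rules above.
    $cmd 003100 deny udp from any to any 443 out via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  deny and LOG all other outbound connections              *
# *-------------------------------------------------------------------------*
# Every outbound packet on $EXT_IF not matched above ends here, so none of
# the rules below apply to outbound traffic except through skipto 5500.
    $cmd 003200 deny log all from any to any out via $EXT_IF
# ***************************************************************************
# *          ------- BLOCK AND TACKLE INBOUND TRAFFIC -------               *
# ***************************************************************************
# *   Ruleset -->  Deny all inbound traffic from non-routable reserved      *
# *                 address spaces                                          *
# *-------------------------------------------------------------------------*
# These are denied without logging.  The RFC 1918 block for 172.x is
# 172.16.0.0/12 (172.16.0.0 - 172.31.255.255); the original /16 only
# covered 172.16.x.x.
    $cmd 004100 deny all from 192.168.0.0/16 to any in via $EXT_IF
    $cmd 004110 deny all from 172.16.0.0/12 to any in via $EXT_IF
    $cmd 004120 deny all from 10.0.0.0/8 to any in via $EXT_IF
    $cmd 004130 deny all from 127.0.0.0/8 to any in via $EXT_IF
    $cmd 004140 deny all from 0.0.0.0/8 to any in via $EXT_IF
    $cmd 004150 deny all from 169.254.0.0/16 to any in via $EXT_IF
    $cmd 004160 deny all from 192.0.2.0/24 to any in via $EXT_IF
    $cmd 004170 deny all from 204.152.64.0/23 to any in via $EXT_IF
    $cmd 004180 deny all from 224.0.0.0/3 to any in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny incoming pings from Internet                        *
# *-------------------------------------------------------------------------*
# Note this denies all inbound ICMP on $EXT_IF, not only echo requests;
# replies to outbound pings still match the dynamic rule from 002300.
    $cmd 004200 deny icmp from any to any in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny ident protocol (hosts asking report who you are)    *
# *-------------------------------------------------------------------------*
    $cmd 004300 deny tcp from any to any 113 in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny all incoming Netbios services.                      *
# *-------------------------------------------------------------------------*
# Port 81 is listed in this group as well, although it is not a NetBIOS
# port.
    $cmd 004400 deny tcp from any to any 137 in via $EXT_IF
    $cmd 004410 deny tcp from any to any 138 in via $EXT_IF
    $cmd 004420 deny tcp from any to any 139 in via $EXT_IF
    $cmd 004430 deny tcp from any to any 81 in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny all Win32 Active Directory / modern file shares     *
# *-------------------------------------------------------------------------*
    $cmd 004500 deny tcp from any to any 445 in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny fragments                                           *
# *-------------------------------------------------------------------------*
    $cmd 004600 deny all from any to any frag in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Deny ACK packets that did not match the dynamic          *
# *                 rule table                                              *
# *-------------------------------------------------------------------------*
# Inbound segments of established connections were already accepted by
# check-state (001010) if they belong to a known connection.
    $cmd 004700 deny tcp from any to any established in via $EXT_IF
# ***************************************************************************
# *   Ruleset -->  Reject and log all other incoming connections            *
# *-------------------------------------------------------------------------*
# 05000 catches everything that reached this point.  05500/05510 are the
# target of "$skip": the outbound packet is rewritten by natd and then
# allowed.  They are only reached via skipto, never by falling through.
    $cmd 05000 deny log all from any to any
    $cmd 05500 divert natd ip from any to any out via $EXT_IF
    $cmd 05510 allow ip from any to any
# ***************************************************************************
# *   Ruleset -->  Everything else is denied and logged                     *
# *-------------------------------------------------------------------------*
# Safety net: as written, 05510 allows everything that reaches it, so this
# rule should never match.  It is kept so that editing the rules above
# cannot silently fall through to ipfw's default rule.
    $cmd 09999 deny log all from any to any
# ***************************************************************************
# *                      ------- The End -------                            *
# ***************************************************************************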


--Jeff



