Date: Wed, 6 Feb 2019 20:57:16 -0500 From: jeff@justfixit.net To: freebsd-doc@FreeBSD.org Subject: ipfw documentation Message-ID: <c3a8b0768110e79da3e65c09581465bc.squirrel@email.powweb.com>
Please consider using some/all of this config for assisting folk getting started with IPFW+NAT. Using the existing IPFW documentation, it still took me a couple of weeks to fully understand enough of it to work up to this:

#!/bin/sh
# * ------- Let the games begin ------- *
# ***************************************************************************
# Flush out the list before we begin.
# *-------------------------------------------------------------------------*
ipfw -q -f flush

# ***************************************************************************
# Set variables used throughout script
# *-------------------------------------------------------------------------*
# Shorten commands to easy readable acronyms
cmd="ipfw -q add"
skip="skipto 5500"
ks="keep-state"

# Assign Interfaces (external/internal)
EXT_IF="em0"    # interface name of NIC attached to Internet
LAN_IF="bge0"   # interface name of NIC attached in LAN

# Assign outbound UDP traffic that should always be blocked
bad_udpo="\
1900,\
1975,\
20007,\
20008,\
20009,\
20010"

# Assign normal outbound "authorized" TCP port activity
good_tcpo="\
22,\
25,\
37,\
53,\
80,\
443,\
993,\
2350,\
5228,\
8080,\
110"

# Assign normal outbound "authorized" UDP port activity
good_udpo="\
2350,\
5060,\
5228"

# Make sure XBOX Live works as designed - allow proprietary ports
XBOX_tcp="3074"
XBOX_udp="88,3074,500,3544,4500"

# Assign authorized DNS servers
# ***************************************************************************
# * ------- Define DNS servers ------- *
# ***************************************************************************
DNS="\
209.18.47.61,\
209.18.47.63,\
209.18.47.63,\
208.67.222.222,\
208.67.220.220,\
209.18.47.62,\
4.2.2.5,\
4.2.2.2"

echo "***************************************************************************"
echo "* Firewall Script importing IPFW rules...                                 *"
echo "***************************************************************************"
date
echo "***************************************************************************"
printf "* Outbound TCP=%-58s *\n" "$good_tcpo"
printf "* Outbound UDP=%-58s *\n" "$good_udpo"
printf "* Outbound XBOX TCP=%-53s *\n" "$XBOX_tcp"
printf "* Outbound XBOX UDP=%-53s *\n" "$XBOX_udp"
echo "Authorized DNS= $DNS"
echo ""

# ***************************************************************************
# * ------- INCOMING RULES ------- *
# ***************************************************************************
# * Ruleset --> Allow incoming communication from internal LAN *
# *-------------------------------------------------------------------------*
$cmd 00005 allow all from any to any via $LAN_IF

# * Ruleset --> Allow all traffic to/from LOOPBACK *
# *-------------------------------------------------------------------------*
$cmd 00100 allow ip from any to any via lo0

# * Ruleset --> allow incoming traffic that is returning to NAT'ed hosts *
# *-------------------------------------------------------------------------*
$cmd 001000 divert natd ip from any to any in via $EXT_IF
$cmd 001010 check-state

# ***************************************************************************
# * ------- OUTGOING RULES ------- *
# ***************************************************************************
# * ------- Allow new connections to establish ------- *
# * an "authorized" state *
# * from Internal hosts -> Internet *
# ***************************************************************************
# * ------- Allow access to public DNS ------- *
# *-------------------------------------------------------------------------*
$cmd 002000 $skip tcp from any to $DNS 53 out via $EXT_IF setup keep-state
$cmd 002010 $skip udp from any to $DNS 53 out via $EXT_IF keep-state

# * ------- Allow any device (dangerous) to ------- *
# * request DHCP from ISP *
# ***************************************************************************
$cmd 002100 $skip udp from any to any 67 out via $EXT_IF $ks

# * ------- Allow TCP traffic specifically authorized ------- *
# ***************************************************************************
$cmd 002200 $skip tcp from any to any $good_tcpo out via $EXT_IF setup $ks
$cmd 002210 $skip udp from any to any $good_udpo out via $EXT_IF $ks

# * ------- Allow TCP traffic specifically authorized ------- *
# * for Microsoft XBOX Live *
# ***************************************************************************
$cmd 002220 $skip tcp from any to any $XBOX_tcp out via $EXT_IF setup $ks
$cmd 002230 $skip udp from any to any $XBOX_udp out via $EXT_IF $ks

# * ------- Allow outgoing Pings to external hosts ------ *
# ***************************************************************************
$cmd 002300 $skip icmp from any to any out via $EXT_IF $ks

# * Ruleset --> Allow server to go anywhere *
# *-------------------------------------------------------------------------*
$cmd 002400 $skip tcp from me to any out via $EXT_IF setup $ks uid root

# * Ruleset --> Allow outbound HTTP and HTTPS connections *
# *-------------------------------------------------------------------------*
$cmd 002500 $skip tcp from any to any 80 out via $EXT_IF setup $ks
$cmd 002510 $skip tcp from any to any 443 out via $EXT_IF setup $ks

# * Ruleset --> Allow outbound email connections *
# *-------------------------------------------------------------------------*
$cmd 002620 $skip tcp from any to any 25 out via $EXT_IF setup $ks
$cmd 002630 $skip tcp from any to any 110 out via $EXT_IF setup $ks

# * Ruleset --> Allow outbound ping *
# *-------------------------------------------------------------------------*
$cmd 002700 $skip icmp from any to any out via $EXT_IF $ks

# * Ruleset --> Allow outbound NTP *
# *-------------------------------------------------------------------------*
$cmd 002710 $skip udp from any to any 123 out via $EXT_IF $ks

# * Ruleset --> Allow outbound SSH *
# *-------------------------------------------------------------------------*
$cmd 002720 $skip tcp from any to any 22 out via $EXT_IF setup $ks

# * Ruleset --> Allow traffic from ISP's DHCP server. *
# * Replace x.x.x.x with the same IP address used in *
# * rule 00120. *
# * (Note: this script has no rule 00120 and no x.x.x.x placeholder; *
# *  the rule below accepts DHCP replies from any server.) *
# *-------------------------------------------------------------------------*
$cmd 002730 allow udp from any to any 67 in via $EXT_IF $ks

# * Ruleset --> Allow outbound http *
# *-------------------------------------------------------------------------*
$cmd 002800 allow tcp from any to any $good_tcpo out via $EXT_IF $ks
$cmd 002810 allow udp from any to any $good_udpo out via $EXT_IF $ks

# ***************************************************************************
# * ------- BLOCK AND TACKLE ALL OTHER OUTBOUND TRAFFIC ------- *
# ***************************************************************************
# * Ruleset --> BLOCK any traffic specifically targeted as $bad_udpo *
# * NOTE: This is what you don't want logged ^^^^^^^ *
# *-------------------------------------------------------------------------*
$cmd 003000 deny udp from any to any $bad_udpo out via $EXT_IF

# * Ruleset --> deny all "Google" UDP 443 requests *
# *-------------------------------------------------------------------------*
$cmd 003100 deny udp from any to any 443 out via $EXT_IF

# * Ruleset --> deny and LOG all other outbound connections *
# *-------------------------------------------------------------------------*
$cmd 003200 deny log all from any to any out via $EXT_IF

# ***************************************************************************
# * ------- BLOCK AND TACKLE INBOUND TRAFFIC ------- *
# ***************************************************************************
# * Ruleset --> Deny all inbound traffic from non-routable reserved *
# * address spaces *
# *-------------------------------------------------------------------------*
$cmd 004100 deny all from 192.168.0.0/16 to any in via $EXT_IF
$cmd 004110 deny all from 172.16.0.0/12 to any in via $EXT_IF   # RFC 1918 block is a /12 (a /16 would leave 172.17-172.31 unfiltered)
$cmd 004120 deny all from 10.0.0.0/8 to any in via $EXT_IF
$cmd 004130 deny all from 127.0.0.0/8 to any in via $EXT_IF
$cmd 004140 deny all from 0.0.0.0/8 to any in via $EXT_IF
$cmd 004150 deny all from 169.254.0.0/16 to any in via $EXT_IF
$cmd 004160 deny all from 192.0.2.0/24 to any in via $EXT_IF
$cmd 004170 deny all from 204.152.64.0/23 to any in via $EXT_IF
$cmd 004180 deny all from 224.0.0.0/3 to any in via $EXT_IF

# * Ruleset --> Deny incoming pings from Internet *
# *-------------------------------------------------------------------------*
$cmd 004200 deny icmp from any to any in via $EXT_IF

# * Ruleset --> Deny ident protocol (hosts asking report who you are) *
# *-------------------------------------------------------------------------*
$cmd 004300 deny tcp from any to any 113 in via $EXT_IF

# * Ruleset --> Deny all incoming Netbios services. *
# *-------------------------------------------------------------------------*
$cmd 004400 deny tcp from any to any 137 in via $EXT_IF
$cmd 004410 deny tcp from any to any 138 in via $EXT_IF
$cmd 004420 deny tcp from any to any 139 in via $EXT_IF
$cmd 004430 deny tcp from any to any 81 in via $EXT_IF

# * Ruleset --> Deny all Win32 Active Directory / modern file shares *
# *-------------------------------------------------------------------------*
$cmd 004500 deny tcp from any to any 445 in via $EXT_IF

# * Ruleset --> Deny fragments *
# *-------------------------------------------------------------------------*
$cmd 004600 deny all from any to any frag in via $EXT_IF

# * Ruleset --> Deny ACK packets that did not match the dynamic *
# * rule table *
# *-------------------------------------------------------------------------*
$cmd 004700 deny tcp from any to any established in via $EXT_IF

# * Ruleset --> Reject and log all other incoming connections *
# *-------------------------------------------------------------------------*
$cmd 05000 deny log all from any to any

# * Ruleset --> NAT the outbound traffic that reached here via $skip, *
# * then allow it *
# *-------------------------------------------------------------------------*
$cmd 05500 divert natd ip from any to any out via $EXT_IF
$cmd 05510 allow ip from any to any

# * Ruleset --> Everything else is denied and logged *
# *-------------------------------------------------------------------------*
$cmd 09999 deny log all from any to any
# ***************************************************************************
# * ------- The End ------- *
# ***************************************************************************

--Jeff
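A sanity check worth running over a ruleset of this shape before loading it (added here; it is not part of Jeff's post and not an ipfw tool): it parses `ipfw ... add NNNNN ...` lines with the shell variables already expanded and flags rules listed out of number order, `skipto` targets that do not exist or are not ahead of the jump, and bogon filters that cover only part of an RFC 1918 block. The sample rules are constructed to mirror the posted script, including its `172.16.0.0/16` line.

```python
import ipaddress
import re

# Constructed sample shaped like the posted script, with the shell variables
# expanded (cmd="ipfw -q add", skip="skipto 5500", EXT_IF=em0, LAN_IF=bge0).
SAMPLE_RULES = """\
ipfw -q add 00005 allow all from any to any via bge0
ipfw -q add 001000 divert natd ip from any to any in via em0
ipfw -q add 002000 skipto 5500 tcp from any to 4.2.2.2 53 out via em0 setup keep-state
ipfw -q add 003200 deny log all from any to any out via em0
ipfw -q add 004110 deny all from 172.16.0.0/16 to any in via em0
ipfw -q add 004120 deny all from 10.0.0.0/8 to any in via em0
ipfw -q add 05000 deny log all from any to any
ipfw -q add 05500 divert natd ip from any to any out via em0
ipfw -q add 05510 allow ip from any to any
"""

RULE_RE = re.compile(r"^ipfw\s+(?:-\S+\s+)*add\s+(\d+)\s+(.*)$")
CIDR_RE = re.compile(r"\bfrom\s+(\d+(?:\.\d+){3}/\d+)")
PRIVATE = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rules(text):
    """Return [(rule_number, rule_body)] for every 'ipfw ... add N ...' line."""
    return [(int(m.group(1)), m.group(2))
            for m in map(RULE_RE.match, map(str.strip, text.splitlines())) if m]

def lint_rules(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    rules = parse_rules(text)
    numbers = [n for n, _ in rules]
    findings = []
    # ipfw sorts by rule number, not script order, so a lower number after a
    # higher one (or a repeated number) rarely does what the script reads as.
    for prev, cur in zip(numbers, numbers[1:]):
        if cur <= prev:
            findings.append(f"rule {cur} listed after rule {prev}")
    for n, body in rules:
        m = re.match(r"skipto\s+(\d+)", body)
        if m and (int(m.group(1)) not in numbers or int(m.group(1)) <= n):
            findings.append(f"rule {n}: skipto {m.group(1)} has no later target rule")
        # A bogon filter covering only part of an RFC 1918 block leaves the rest
        # of that block unfiltered (172.16.0.0/16 instead of /12 is the usual slip).
        for cidr in CIDR_RE.findall(body):
            net = ipaddress.ip_network(cidr, strict=False)
            for block in PRIVATE:
                if net != block and net.subnet_of(block):
                    findings.append(f"rule {n}: {net} covers only part of {block}")
    return findings
```

To lint the real script, produce the expanded lines first, for example by running it under `sh -x` and stripping the leading `+ ` from each traced command.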