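#!/bin/sh
#
# Router Firewall Rules (ipfw)
#
# Topology, from the variables below: vr0 is the inside ethernet, rl0 is
# the ethernet towards the ADSL modem and tun0 is the PPP session, i.e.
# the real outside interface.  Everything on the inside interface and on
# lo0 is allowed; all real filtering is bound to "via ${tun}".
#
# Deliberately not run with "set -e": aborting half-way would leave a
# partially loaded ruleset under the kernel's default policy.  A rule
# that ipfw rejects is reported on stderr by rule() instead of being
# silently missing from the loaded set.

fwcmd="/sbin/ipfw"
lan=vr0
ext=rl0

# Outside (physical) interface, network, netmask and ip.  Only ${tun}
# is used by the active rules; the others are kept for reference and
# for the commented-out rules.
oif="rl0"
onet="192.168.1.0"
omask="255.255.255.240"
oip="192.168.1.1"
tun="tun0"

# Inside interface, network (CIDR), netmask and ip.  ${inet} already
# carries its prefix length, so ${imask} must never be appended to it
# (ipfw takes either addr/len or addr:mask, not both).
iif="vr0"
inet="192.168.107.0/24"
imask="255.255.255.0"
iip="192.168.107.254"

# LAN server that is reachable from the outside (https).
sip="192.168.107.1"

# rule <ipfw rule ...>: add one rule, reporting a rejected one on stderr.
# ipfw exits non-zero on a syntax error and the rule is simply absent
# from the loaded set, which is easy to miss in a long script.
rule() {
    "${fwcmd}" add "$@" || echo "firewall: rule rejected: add $*" >&2
}

# Clear out the firewall
"${fwcmd}" -f flush

# Set up loopback: anything on lo0 is fine, 127/8 must never be seen
# on a real interface in either direction.
rule 100 pass all from any to any via lo0
rule 200 deny log all from any to 127.0.0.0/8
rule 300 deny log ip from 127.0.0.0/8 to any

# Allow ethernet traffic: the inside interface is trusted.  A forwarded
# packet is still filtered on its pass through ${tun}.  (lo0 is already
# covered by rule 100.)
rule allow ip from any to any via "${lan}"

# Stop spoofing: our own inside network must never arrive from outside.
# Fix: the previous form "${inet}:${imask}" mixed CIDR and netmask
# syntax, which ipfw rejects, so this rule was never actually loaded.
rule deny log all from "${inet}" to any in via "${tun}"
#rule deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface.  These and the bogon
# rules after them must precede every "allow ... in via ${tun}" rule:
# placed after them, a SYN from e.g. 10.0.0.0/8 is accepted by the
# ssh/http/icmp allows before it is ever compared against the deny.
rule deny log all from any to 10.0.0.0/8 out via "${tun}"
rule deny log all from 10.0.0.0/8 to any in via "${tun}"
rule deny log all from any to 172.16.0.0/12 out via "${tun}"
rule deny log all from 172.16.0.0/12 to any in via "${tun}"
rule deny log all from any to 192.168.0.0/16 out via "${tun}"
rule deny log all from 192.168.0.0/16 to any in via "${tun}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
rule deny log all from any to 0.0.0.0/8 via "${tun}"
rule deny log all from any to 169.254.0.0/16 via "${tun}"
rule deny log all from any to 192.0.2.0/24 via "${tun}"
rule deny log all from any to 224.0.0.0/4 via "${tun}"
rule deny log all from any to 240.0.0.0/4 via "${tun}"

# Allow outgoing connections via adsl.  keep-state creates a dynamic
# rule for the replies; a keep-state rule also performs an implicit
# check-state, so the explicit check-state further down only matters
# for packets that matched nothing above it.
rule allow tcp from "${inet}" to any out via "${tun}" keep-state setup
rule allow udp from "${inet}" to any out via "${tun}" keep-state
#rule divert natd all from any to any via ${tun}

# Allow DNS queries.
# NOTE(review): "from any to any 53 in" exposes port 53 on the router
# and on every LAN host to the Internet, TCP included (zone transfers).
# Narrow the destination to the actual name server if that is not meant.
rule allow udp from any to any 53 in via "${tun}"
rule allow tcp from any to any 53 in via "${tun}"
rule allow udp from any 53 to any out via "${tun}"
rule allow tcp from any 53 to any out via "${tun}"

# Allow cvsup (stateless, both directions on port 5999)
rule allow tcp from any to any 5999 in via "${tun}"
rule allow tcp from any to any 5999 out via "${tun}"

# Allow TCP through if setup succeeded.
# NOTE(review): "established" matches any segment with ACK or RST set
# without consulting the state table, so ACK/RST probes reach every
# port.  It is kept because the stateless dns/cvsup/http/https return
# rules in this file rely on it for reply traffic.
rule pass tcp from any to any established

# Allow IP fragments to pass through ("frag" matches non-first
# fragments only; they carry no port information to filter on).
rule pass all from any to any frag

# Allow entries in the state table to pass
rule check-state

# Allow incoming ssh (the second rule is a stateless return path that
# the keep-state rule already covers).
#rule allow tcp from any to any 22 via ${tun} in keep-state setup
#rule allow tcp from any 22 to any via ${tun} in keep-state setup
rule allow tcp from any to any 22 in via "${tun}" keep-state setup
rule allow tcp from any 22 to any out via "${tun}"

# Allow Ident in (open to the whole Internet, not just the server)
rule allow tcp from any to any 113 in via "${tun}" keep-state setup

# allow smtp in
#rule allow tcp from any to 192.168.107.1 25 in via ${tun}
#rule allow tcp from 192.168.107.1 25 to any out via ${tun}
#rule fwd 172.31.17.152 tcp from any 25 to 130.130.0.0/16

# allow http in
rule allow tcp from any to any 80 in via "${tun}" keep-state setup
rule allow tcp from any 80 to any out via "${tun}"
#rule fwd 192.168.107.1 tcp from any to me 80 in via tun0 keep-state

# allow https in, only to the server (stateless, relies on "established")
rule allow tcp from any to "${sip}" 443 in via "${tun}"
rule allow tcp from "${sip}" 443 to any out via "${tun}"

# Allow ICMP
# NOTE(review): unrestricted, so redirects (type 5) and other control
# messages are accepted from the outside; consider limiting the inbound
# side with "icmptypes 0,3,8,11" on ${tun}.
rule allow icmp from any to any

# Deny and log all other connections
rule 65000 deny log logamount 65000 ip from any to any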