#!/bin/sh
# Sample rule file for IPFIREWALL, FreeBSD 5
#
# Krzysztof Kozlowski          http://www.koziol.prv.pl
# kozik1 [at] o2 [dot] pl      http://acn.waw.pl/koziol
# version: 20051030
#
# The script is partly based on the example from:
# http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
# License: GNU General Public License
#
# Usage: run as root; edit pif, lif and dhcpserver below first.
# Rules are evaluated by ipfw in ascending rule-number order; the first
# match wins, so the order of the rule() calls below is the policy.

################ IPFW ###########################################

# Flush the existing rule set (-f: do not ask for confirmation).
ipfw -q -f flush

# rule NUMBER ACTION ... : append one rule to the ipfw rule set.
rule() {
  ipfw -q add "$@"
}

pif="rl0"              # public interface connected to the Internet
lif="ed0"              # LAN interface
dhcpserver="X.X.X.254" # DHCP server address; replace X.X.X.254 with the real one

#################################################################
# Local LAN: everything through
#################################################################
rule 005 allow all from any to any via "$lif"

#################################################################
# Loopback: everything through
#################################################################
rule 010 allow all from any to any via lo0

#################################################################
# NAT entry for inbound packets: hand them to natd before the
# filtering rules see them.
#################################################################
rule 014 divert natd all from any to any in via "$pif"
# Original form in the handbook example:
# rule 014 divert natd ip from any to any in via "$pif"

#################################################################
# Let a packet through if a previous keep-state rule already
# put it into the "dynamic" rules table.
#################################################################
rule 015 check-state

#################################################################
# Interface facing the public Internet (inbound section).
# Inspect packets coming from the Internet that are destined for
# this gateway or for the private network.
#################################################################

# Drop inbound traffic from non-routable / reserved address space
# (spoofed or misrouted sources).
rule 300 deny all from 192.168.0.0/16  to any in via "$pif"  # RFC 1918 private IP
rule 301 deny all from 172.16.0.0/12   to any in via "$pif"  # RFC 1918 private IP
rule 302 deny all from 10.0.0.0/8      to any in via "$pif"  # RFC 1918 private IP
rule 303 deny all from 127.0.0.0/8     to any in via "$pif"  # loopback
rule 304 deny all from 0.0.0.0/8       to any in via "$pif"  # loopback
rule 305 deny all from 169.254.0.0/16  to any in via "$pif"  # DHCP auto-config
rule 306 deny all from 192.0.2.0/24    to any in via "$pif"  # reserved for docs
rule 307 deny all from 204.152.64.0/23 to any in via "$pif"  # Sun cluster
rule 308 deny all from 224.0.0.0/3     to any in via "$pif"  # Class D & E multicast

# Drop and log ident (113) probes.
rule 315 deny log tcp from any to any 113 in via "$pif"

# Drop and log NetBIOS and related Windows service ports:
# 137 = name, 138 = datagram, 139 = session, 81 = hosts2 name server,
# 445 = Microsoft DS.
# NOTE: these rules match TCP only; UDP traffic to 137/138 is not
# covered here and falls through to the later rules.
rule 320 deny log tcp from any to any 137 in via "$pif"
rule 321 deny log tcp from any to any 138 in via "$pif"
rule 322 deny log tcp from any to any 139 in via "$pif"
rule 323 deny log tcp from any to any 81  in via "$pif"
rule 324 deny log tcp from any to any 445 in via "$pif"

# Drop and log late-arriving fragments.
rule 330 deny log all from any to any frag in via "$pif"

# ICMP: allow only the listed types in each direction, log the rest.
# http://www.networksorcery.com/enp/default0703.htm
# http://www.iana.org/assignments/icmp-parameters
rule 340 allow icmp from me to any out via "$pif" icmptypes 8,0,3,11,12,30
rule 341 allow icmp from any to me in  via "$pif" icmptypes 0,8,3,11,12,30
rule 342 deny log icmp from any to any via "$pif"

# Accept packets from our DHCP server. If the public address is not
# obtained from DHCP this rule can be commented out; otherwise set
# dhcpserver above to that server's address. One way to find it is to
# restart the client and read the "DHCPACK from X.X.X.X" line it prints:
#   ps -x | grep dhclient
#   kill FIRST_NUMBER_FROM_THE_COMMAND_ABOVE
#   dhclient -v PUBLIC_INTERFACE_USED_FOR_DHCP
rule 360 allow udp from "$dhcpserver" to any 68 in via "$pif" keep-state

# Block the remaining "server" ports (0-1023) on this host, on every
# interface (LAN traffic was already accepted by rule 005).
rule 410 deny log all from any to me 0-1023 in

# aMule
rule 500 allow udp from any to me 4672 via "$pif" keep-state
rule 501 allow tcp from any to me 4662 via "$pif" keep-state

# NAT entry for outbound packets.
rule 800 divert natd all from any to any out via "$pif"
# Original form in the handbook example:
# rule 800 divert natd ip from any to any out via "$pif"

# Everything not matched above is allowed. Because this rule matches
# every packet, rule 999 below is never reached, and inbound traffic
# to ports above 1023 on "$pif" is accepted without a state entry.
rule 801 allow ip from any to any

# Default deny with logging, kept so anything falling through is visible
# (unreachable while rule 801 stays in place).
rule 999 deny log all from any to any