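#!/bin/sh
#
# Packet-filter setup for a Linux 2.0 (ipfwadm) gateway: one external
# interface carrying a single public address, one internal interface
# with a masqueraded 10.0.0.0/24 network.
#
# many thanks to Frank's Example
# http://www.pasadena.net/linux/linuxsecure.html
#
# Ordering matters: ipfwadm appends rules (-a) and the first matching
# rule wins, so every deny rule for a chain must stay ahead of that
# chain's accept rules.  The default policies are set to deny before
# anything else so that an aborted run leaves the host closed, not open.
#
# Requires: root, /sbin/ipfwadm, /sbin/depmod, /sbin/modprobe.
# Side effects: replaces every ipfwadm rule and enables IPv4 forwarding.
# Exits non-zero on the first failing command (set -e).
#

# Fail closed: stop at the first failing command or unset variable.
# A half-installed ruleset is only acceptable because the deny policies
# below are applied before any rule is appended.
set -eu

#
# My external ip address, interfaces, networks and the filter binary.
# Edit these for the local setup.
#
readonly EXTIP="63.193.144.218/32"
readonly EXTIF="eth0"
readonly INTIF="eth1"
readonly INTNET="10.0.0.0/24"
readonly PF="/sbin/ipfwadm"

# Private (rfc 1918) address space; never valid on the external side.
readonly RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Hosts allowed to answer our NTP queries: time.pacbell.net, www.lula.org.
readonly NTP_HOSTS="206.13.7.12/32 206.135.92.250/32"

#
# Set default policy to deny on all three chains, then flush old rules.
# This happens before the module load so a failure there still leaves
# every chain closed.
#
"$PF" -F -p deny
"$PF" -I -p deny
"$PF" -O -p deny

"$PF" -I -f
"$PF" -O -f
"$PF" -F -f
#
# For grins, you might want to get in the habit of flushing any
# ipautofw rules also, with
#   ipautofw -F
# You may end up with some, so it's a good idea to flush em
#

#
# Masquerading helper for RealAudio.  Best effort: if the module is
# missing only RealAudio masquerading is lost, so do not abort the
# firewall setup for it (depmod itself is still required to succeed).
#
/sbin/depmod -a
/sbin/modprobe ip_masq_raudio.o \
  || printf 'warning: ip_masq_raudio not loaded, continuing\n' >&2

#
# Forwarding can be switched on here because the forward chain already
# defaults to deny: nothing is forwarded until the masquerade rule below.
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# -----------------------
# EXTERNAL INBOUND RULES
# -----------------------
#
# Deny packets with localhost, broadcast and multicast addresses.
# 224.0.0.0/3 already covers 224-255.x.x.x, so the 255.0.0.0/8 rule is
# redundant; kept for readability, it logs under its own counter.
#
"$PF" -I -a deny -W "$EXTIF" -S 224.0.0.0/3 -D "$EXTIP" -o
"$PF" -I -a deny -W "$EXTIF" -S 127.0.0.0/8 -D "$EXTIP" -o
"$PF" -I -a deny -W "$EXTIF" -S 255.0.0.0/8 -D "$EXTIP" -o
#
# Deny rfc 1918 addresses
#
for net in $RFC1918; do
  "$PF" -I -a deny -W "$EXTIF" -S "$net" -D "$EXTIP" -o
done
#
# Allow masquerading from my internal network
#
"$PF" -F -a m -S "$INTNET" -D 0.0.0.0/0
#
# Deny packets without ip address.
#
"$PF" -I -a deny -W "$EXTIF" -S 0.0.0.0/32 -D "$EXTIP" -o
#
# Prevent spoofing.  Deny incoming packets that have
# our external address
#
"$PF" -I -a deny -W "$EXTIF" -S "$EXTIP" -o
#
# Quietly Reject identd (port 113) - no -o, so this is not logged.
#
"$PF" -I -a reject -W "$EXTIF" -P tcp -D "$EXTIP" 113
#
# Block ports on Cert's hot list (allow dns).  These must precede the
# ACK-only accept rule below, which would otherwise admit ACK-flagged
# packets to the 1024:65534 part of these ranges.
#
"$PF" -I -a deny -W "$EXTIF" -P tcp -D "$EXTIP" 87 111 540 -o
"$PF" -I -a deny -W "$EXTIF" -P tcp -D "$EXTIP" 2000 2049 512:515 -o
"$PF" -I -a deny -W "$EXTIF" -P tcp -D "$EXTIP" 6000:6011 -o
"$PF" -I -a deny -W "$EXTIF" -P udp -D "$EXTIP" 69 111 2000 2049 -o
"$PF" -I -a deny -W "$EXTIF" -P udp -D "$EXTIP" 6000:6011 -o
#
# Allow only specific ICMP
# echo reply, Destination Unreachable, Source Quench
# Time Exceeded, Parameter Problem
#
"$PF" -I -a accept -W "$EXTIF" -S any/0 0 3 4 11 12 -P icmp
#
# Allow only ACKed tcp packets to our network.
# -k matches packets with the ACK bit set; this is the stateless,
# pre-connection-tracking way of letting replies to our own outbound
# connections in, so any ACK-flagged packet to these ports is accepted.
# NOTE(review): port 65535 is excluded from every 1024:65534 range in
# this file; confirm that is intended.
#
"$PF" -I -a accept -W "$EXTIF" -S any/0 -D "$EXTIP" 1024:65534 -P tcp -k
#
# Don't Accept ftp-data for ftp clients
#
# "$PF" -I -a accept -W "$EXTIF" -S any/0 20 -D "$EXTIP" 1024:65534 -P tcp
#
# Allow incoming mail
#
"$PF" -I -a accept -W "$EXTIF" -S 0.0.0.0/0 -D "$EXTIP" 25 -P tcp
#
# Allow ssh
#
"$PF" -I -a accept -W "$EXTIF" -S 0.0.0.0/0 -D "$EXTIP" 22 -P tcp
#
# Allow inbound www
#
"$PF" -I -a accept -W "$EXTIF" -S 0.0.0.0/0 -D "$EXTIP" 80 -P tcp
#
# Allow inbound DNS queries on our server and zone transfers
#
"$PF" -I -a accept -W "$EXTIF" -S any/0 -D "$EXTIP" 53 -P udp
"$PF" -I -a accept -W "$EXTIF" -S any/0 -D "$EXTIP" 53 -P tcp
#
# Allow replies to outbound DNS queries
#
"$PF" -I -a accept -W "$EXTIF" -S any/0 53 -D "$EXTIP" 1024:65534 -P udp
#
# Allow Network Time Protocol Updates from the listed NTP hosts only.
#
for host in $NTP_HOSTS; do
  "$PF" -I -a accept -W "$EXTIF" -S "$host" 123 -D "$EXTIP" 123 -P tcp
  "$PF" -I -a accept -W "$EXTIF" -S "$host" 123 -D "$EXTIP" 123 -P udp
  "$PF" -I -a accept -W "$EXTIF" -S "$host" 123 -D "$EXTIP" 1024:65534 -P udp
done
#
# Allow loopback
#
"$PF" -I -a accept -W lo -S any/0 -D any/0
#
# Reject Requests to doublclick.net from internal network
#
"$PF" -I -a reject -W "$INTIF" -S any/0 -D 209.67.38.102/32
# "$PF" -I -a reject -W "$INTIF" -S any/0 -D 63.236.73.30/32
# adforce.imgis.com
"$PF" -I -a reject -W "$INTIF" -S any/0 -D 207.211.106.40/32
#
# Allow everything on the internal network
#
"$PF" -I -a accept -W "$INTIF" -S any/0 -D any/0
#
# Deny and log anything else!  Only the external interface is logged;
# traffic on any other interface falls through to the unlogged default
# deny policy set at the top.
#
"$PF" -I -a deny -W "$EXTIF" -S any/0 -D any/0 -o
#
# -----------------------
# EXTERNAL OUTBOUND RULES
# -----------------------
#
# Prevent leakage of rfc 1918 addresses, as source or destination.
#
for net in $RFC1918; do
  "$PF" -O -a deny -W "$EXTIF" -S "$net" -o
done
for net in $RFC1918; do
  "$PF" -O -a deny -W "$EXTIF" -D "$net" -o
done
#
# Allow everything else
#
"$PF" -O -a accept -W "$EXTIF" -S any/0
#
# Allow loopback
#
"$PF" -O -a accept -W lo -S any/0 -D any/0
#
# Allow everything on the internal network
#
"$PF" -O -a accept -W "$INTIF" -S any/0 -D any/0
#
# Deny and log anything else.  Unreachable for the external interface,
# since the "Allow everything else" rule above already accepts all of
# its output; outbound filtering on that interface is therefore only
# the rfc 1918 leakage rules.  Kept so the chain ends in an explicit
# deny should the accept rule ever be narrowed.
#
"$PF" -O -a deny -W "$EXTIF" -S any/0 -o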