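#!/bin/sh
#
# ipfwadm (Linux 2.0 era) packet-filter setup for the addresses in
# $local, plus masquerading for the 192.168.0.0/16 home net.
#
# Rules are appended (-a) and the kernel uses the first rule that
# matches, so the order of the sections below matters: hard blocks
# first, then per-network allowances, then the port filters on our own
# addresses, then the catch-all accepts at the very end.
#
# Every $list variable below is deliberately left unquoted so the shell
# splits it into separate ipfwadm arguments (one address or port per
# word).  Do not quote them.

# Prefer the system tool directories over whatever PATH the caller
# inherited, so /sbin/ipfwadm cannot be shadowed by an earlier entry.
PATH=/sbin:/usr/sbin:$PATH
export PATH

# Abort on the first ipfwadm failure instead of silently carrying on and
# ending with the catch-all accepts but without the blocks in between.
set -e

# our local IPs (the addresses the port filters below protect)
local="150.203.164.104/32 150.203.164.103/32"

# a list of nets that are to be allowed through completely
# DCS hosts
good="localhost/32 150.203.164.0/24"

# hosts that may open connections to ports 22, telnet and 110 on us
login=""
# csc terminal server
# login="$login 150.203.148.0/24 192.245.0.0/16 129.127.130.2/32"

# nets allowed to reach the domain port (udp and tcp)
dns="150.203.22.28/32"

# nets allowed to reach the nfs port (udp and tcp)
nfs="150.203.160.0/24 150.203.161.0/24 150.203.162.0/24 150.203.163.0/24 150.203.165.0/24 150.203.166.0/24 150.203.21.0/24"

# a list of hosts that have ssh access only
ssh=""

# list of sites that I want to block out completely.
# NOTE(review): as written the rules for these nets only reject new
# inbound TCP connections (-y, SYN without ACK) and UDP to ports 1:999;
# replies to our own outbound connections and UDP to higher ports still
# pass.  Widen the rules below if a full block is really wanted.
bad=""

# a list of ports we will let in from the outside world
tcpOK="22 smtp ident ftp ftp-data daytime http finger 443"
udpOK="netbios-ns"

# ports rejected on our own addresses.  The *NoLog lists are rejected
# quietly; the others are rejected with -o, which logs the packet.
blockListNoLog="7 220"
blockList="1:999 nfs 1315"
udpblockListNoLog="7 220"
udpblockList="1:999 nfs"

# flush our previous setup: input, output and forwarding chains.  The
# forwarding chain has to be flushed as well, otherwise each run of this
# script appends one more copy of the masquerade rule added at the end.
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

# stop leakages from my home net (private addresses never cross eth0)
ipfwadm -I -a deny -S 0.0.0.0/0 -D 192.168.0.0/16 -W eth0
ipfwadm -O -a deny -S 192.168.0.0/16 -D 0.0.0.0/0 -W eth0

# stop localhost leakages
ipfwadm -O -a deny -S 127.0.0.1 -D 0.0.0.0/0 -W eth0
ipfwadm -O -a deny -D 127.0.0.1 -S 0.0.0.0/0 -W eth0

# stop localhost spoofs (127.0.0.1 can never legitimately arrive on eth0)
ipfwadm -I -a deny -S 127.0.0.1 -D 0.0.0.0/0 -W eth0

# some nets are BAD; placed before the allowances so they win on a
# first-match basis
for n in $bad; do
  ipfwadm -I -a reject -P tcp -S $n -D 0.0.0.0/0 -y
  ipfwadm -I -a reject -P udp -S $n -D 0.0.0.0/0 1:999
done

# some nets are OK (all protocols, all ports)
for n in $good; do
  ipfwadm -I -a accept -S $n -D 0.0.0.0/0
done

# some nets are OK for ssh
for n in $ssh; do
  ipfwadm -I -a accept -P tcp -S $n -D 0.0.0.0/0 22
done

# some nets are OK for DNS
for n in $dns; do
  ipfwadm -I -a accept -P udp -S $n -D 0.0.0.0/0 domain
  ipfwadm -I -a accept -P tcp -S $n -D 0.0.0.0/0 domain
done

# some nets are OK for nfs
for n in $nfs; do
  ipfwadm -I -a accept -P udp -S $n -D 0.0.0.0/0 nfs
  ipfwadm -I -a accept -P tcp -S $n -D 0.0.0.0/0 nfs
done

# allow PPP for some
#for n in $ppp; do
#  ipfwadm -I -a accept -P tcp -S $n -D 0.0.0.0/0 900
#done

# some nets are OK for ssh and telnet (and port 110)
for n in $login; do
  ipfwadm -I -a accept -P tcp -S $n -D 0.0.0.0/0 22 telnet 110
done

# block most tcp connections to our own addresses: accept the public
# ports, reject the quiet list, then reject-and-log the rest of the list
for n in $local; do
  ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D $n $tcpOK
  ipfwadm -I -a reject -P tcp -S 0.0.0.0/0 -D $n $blockListNoLog
  ipfwadm -I -a reject -o -P tcp -S 0.0.0.0/0 -D $n $blockList
done

# ipfwadm -I -a accept -P udp -S 207.220.91.104/32 2049 -D 150.203.160.200/32 500:1024

# block most udp connections to our own addresses, same shape as above
for n in $local; do
  ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D $n $udpOK
  ipfwadm -I -a reject -P udp -S 0.0.0.0/0 -D $n $udpblockListNoLog
  ipfwadm -I -a reject -o -P udp -S 0.0.0.0/0 -D $n $udpblockList
done

# block other incoming tcp connections
# ipfwadm -I -a reject -o -P tcp -S 0.0.0.0/0 -D $local -y
#
# NOTE(review): while this stays disabled, new inbound TCP connections to
# $local on any port not in $blockList (everything above 999 other than
# nfs and 1315) fall through to the catch-all accept below.  If it is
# re-enabled it must loop over $local like the sections above; with two
# addresses in a single -D argument the second word would be taken as a
# port, not an address.

# rules to accept everything else.  This gives a bit of logging of
# traffic levels (the counters are visible in the listing at the end).
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 0.0.0.0/0
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0 -D 0.0.0.0/0

# setup the masquerading for the home net (forwarding chain)
ipfwadm -F -a masquerade -S 192.168.0.0/16 -D 0.0.0.0/0

# print the resulting input rules, numerically
ipfwadm -I -l -n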