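#!/bin/sh
#
# ipfw ruleset for a two-interface FreeBSD gateway with in-kernel NAT.
#
# Layout (rule numbers are ordered, first match wins unless it is a skipto):
#   000xx   loopback, reassembly, inbound NAT, dynamic-state check
#   01xxx   inbound on the public NIC (em0), then inbound on the private NIC (em1)
#   02xxx   outbound on the public NIC, then outbound on the private NIC
#   04999   default deny (logged)
#   09999   outbound NAT, reached only via "skipto" from the 02xxx rules
#   10001   allow, for packets that were NATed by 09999
#
# Usage: run as root (e.g. as firewall_script in rc.conf).  Requires the
# ipfw nat facility to be available in the kernel/module.
#
# Note on `-q` on the add commands: it only silences the "rule added" output.
# A rule that fails to parse still returns non-zero, which the rule() helper
# below reports instead of letting the script silently continue with a hole
# in the policy.

# Abort on a reference to an undefined variable.  A mistyped variable name
# would otherwise expand to nothing and produce a malformed (or wider than
# intended) rule.
set -u

#-------------------------
# Variables
#-------------------------
readonly varIPFW="/sbin/ipfw"
readonly varCMD="${varIPFW} -q add"
readonly varSkip="skipto 09999"
readonly varNICPub="em0"
readonly varNICPri="em1"
# Interface addresses, recorded for documentation; no rule references them
# (rules use the ipfw keyword "me" instead).
# shellcheck disable=SC2034
readonly varIPPub="x.y.z.254"
# shellcheck disable=SC2034
readonly varIPPri="a.b.c.254"
readonly varISPNameServers="M.N.O.6, M.N.Q.9"
readonly varISPTimeServers="M.N.O.22, M.N.Q.22"
readonly varInternalNameServers="p.q.r.51, p.q.r.52"
readonly varMgmtHosts="f.g.h.201, f.g.h.202"
readonly varPublicNet="x.y.z.248/29"
readonly varClientsNet="f.g.h.0/24"
readonly varServerNet="p.q.r.0/24"
readonly varIoTNet="f.g.i.0/24"
readonly varTrustedNets="f.g.h.0/24, p.q.r.0/24, f.g.i.0/24"
readonly varSyslogHost="p.q.r.41"
readonly varInternalRouter="a.b.c.1"
readonly varRFC1918="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
# Comma-separated lists are passed unquoted on purpose: ipfw joins a token
# that ends in "," with the next token, so "80, 443" becomes one port list.
readonly varServerNetTCPPortsAllowed="80, 443"
readonly varClientsNetTCPPortsAllowed="22, 25, 80, 110, 143, 443, 465, 554, 587, 989, 990, 993, 995"
readonly varClientsNetUDPPortsAllowed="80, 443"
readonly varIoTNetTCPPortsAllowed="80, 443"
# No rule below references this list; IoT DNS and NTP are instead allowed
# explicitly by rules 02103/02104 and 02111.
# shellcheck disable=SC2034
readonly varIoTNetUDPPortsAllowed="53, 123"

#######################################
# Add one ipfw rule and report (to stderr) if ipfw rejected it.
# Arguments: $1 - rule number, remaining args - the rule body
# Returns:   status of ipfw; the script keeps going so the remaining
#            rules (including the final denies) are still installed.
#######################################
rule() {
  # ${varCMD} is intentionally unquoted so it splits into command + flags.
  ${varCMD} "$@" || printf 'ipfw: rule %s was not installed\n' "$1" >&2
}

#-------------------------
# Start of firewall config
#-------------------------
# Flush the existing ruleset.  Between this flush and the rules added below
# only the kernel's default rule 65535 applies; whether that rule accepts or
# denies depends on how the kernel/module was built.
${varIPFW} -q -f flush

# one_pass off: a packet that matched the nat rule continues through the
# ruleset instead of being accepted immediately, so the policy below still
# applies to translated packets.
${varIPFW} disable one_pass
${varIPFW} -q nat 1 config if ${varNICPub} same_ports unreg_only reset

# No restrictions on Loopback Interface; loopback addresses must not appear
# on any other interface.
rule 00010 allow all from any to any via lo0
rule 00011 deny all from any to 127.0.0.0/8
rule 00012 deny ip from 127.0.0.0/8 to any

# Reassemble inbound packets
rule 00099 reass all from any to any in

# NAT any IPv4 inbound packets
rule 00100 nat 1 ip4 from any to any in recv ${varNICPub}

# Check the state: packets belonging to a dynamic rule created by a
# keep-state/limit rule below are accepted here.
rule 00101 check-state

# Deny partial packets, and TCP segments that claim to belong to an
# existing connection but matched no dynamic state above.
rule 00102 deny ip from any to any frag
rule 00103 deny ip from any to any established

#------------------------------------------------------------------------
# Inbound
#------------------------------------------------------------------------
# Deny and do NOT log known traffic (all-hosts multicast from our own net)
rule 01001 deny ip from ${varPublicNet} to 224.0.0.1 in recv ${varNICPub}

# Allow inbound ICMP
rule 01301 allow icmp from any to me in recv ${varNICPub} keep-state

# Deny all other in on the public NIC (logged).  Inbound on the private NIC
# is handled by 01501-01999 below.
rule 01499 deny log all from any to any in via ${varNICPub}

# Allow inbound SSH connections from the management hosts only, at most two
# connections per source address.
rule 01501 allow tcp from ${varMgmtHosts} to me dst-port ssh in recv ${varNICPri} setup limit src-addr 2

# Allow inbound ICMP
rule 01701 allow icmp from ${varTrustedNets}, ${varInternalRouter} to me in recv ${varNICPri} keep-state

# Allow IP traffic on internal interface.  "not RFC1918 or not me" is
# not (RFC1918 and me): internal hosts may reach anything except this
# host's own private-range addresses, beyond what 01501/01701 permit.
# The parentheses are escaped so the shell passes them to ipfw literally.
rule 01899 allow ip from ${varTrustedNets}, ${varInternalRouter} to \( not ${varRFC1918} or not me \) in recv ${varNICPri}

# Deny all other in
rule 01999 deny log all from any to any in via ${varNICPri}

#------------------------------------------------------------------------
# Outbound
#------------------------------------------------------------------------
# From me (DNS, NTP, HTTP(S), ICMP)
rule 02001 allow tcp from me to ${varISPNameServers} dst-port domain out xmit ${varNICPub} setup keep-state
rule 02002 allow udp from me to ${varISPNameServers} dst-port domain out xmit ${varNICPub} keep-state
rule 02011 allow udp from me to ${varISPTimeServers} dst-port ntp out xmit ${varNICPub} keep-state
rule 02021 allow tcp from me to any dst-port http, https out xmit ${varNICPub} setup keep-state
rule 02031 allow icmp from me to any out xmit ${varNICPub} keep-state

# Forwarded traffic: "skipto 09999" creates the dynamic state here and then
# jumps to the outbound NAT rule; 10001 accepts the translated packet.

# Allow DNS out
rule 02101 ${varSkip} tcp from ${varInternalNameServers} to any dst-port domain out xmit ${varNICPub} setup keep-state
rule 02102 ${varSkip} udp from ${varInternalNameServers} to any dst-port domain out xmit ${varNICPub} keep-state
rule 02103 ${varSkip} tcp from ${varIoTNet} to any dst-port domain out xmit ${varNICPub} setup keep-state
rule 02104 ${varSkip} udp from ${varIoTNet} to any dst-port domain out xmit ${varNICPub} keep-state

# Allow NTP out
rule 02111 ${varSkip} udp from ${varTrustedNets}, ${varInternalRouter} to any dst-port ntp out xmit ${varNICPub} keep-state

# Allowed traffic from server network
rule 02201 ${varSkip} tcp from ${varServerNet} to any dst-port ${varServerNetTCPPortsAllowed} out xmit ${varNICPub} setup keep-state

# Allowed traffic from clients network
rule 02211 ${varSkip} tcp from ${varClientsNet} to any dst-port ${varClientsNetTCPPortsAllowed} out xmit ${varNICPub} setup keep-state
rule 02212 ${varSkip} udp from ${varClientsNet} to any dst-port ${varClientsNetUDPPortsAllowed} out xmit ${varNICPub} keep-state

# Allowed traffic from IoT network
rule 02221 ${varSkip} tcp from ${varIoTNet} to any dst-port ${varIoTNetTCPPortsAllowed} out xmit ${varNICPub} setup keep-state

# Allowed traffic from internal router
rule 02231 ${varSkip} tcp from ${varInternalRouter} to any dst-port http, https out xmit ${varNICPub} setup keep-state

# Allow ICMP out
rule 02301 ${varSkip} icmp from ${varTrustedNets}, ${varInternalRouter} to any out xmit ${varNICPub} keep-state

# Deny all other out on the public NIC
rule 02499 deny log all from any to any out via ${varNICPub}

# Allow syslog out (to the internal log host)
rule 02501 allow udp from me to ${varSyslogHost} dst-port syslog out xmit ${varNICPri} keep-state

# Deny all other out on the private NIC
rule 02999 deny log all from any to any out via ${varNICPri}

# Default deny all
rule 04999 deny log all from any to any

# Outbound IPv4 NAT, reached only through skipto from the 02xxx rules
rule 09999 nat 1 ip4 from any to any out xmit ${varNICPub}

# Allow all (post-NAT packets)
rule 10001 allow ip4 from any to any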