#!/bin/sh #firewall script acc. Bruce Potter & Bob Fleck, "802.11 Security", chapter 12, # page 132 fwcmd="/sbin/ipfw" #set these to the outside interface network and netmask and ip oif="ed1" onet="195.64.94.0" omask="255.255.255.0" oip="195.64.94.17" #set these to the wireless interface network, netmask and ip wif="ed2" wnet="172.16.0.0" wmask="255.224.0.0" wip="172.17.16.78" voip="172.17.16.79" #set these to the inside interface network, netmask and ip iif="ed0" inet="192.168.1.0" imask="255.255.255.0" iip="192.168.1.1" ivoip="192.168.1.66" # natdportextern=8668 natdportwleiden=8669 ${fwcmd} -q flush #stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${wnet}:${wmask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${wif} ${fwcmd} add deny all from ${inet}:${imask} to any in via ${wif} ${fwcmd} add deny all from ${wnet}:${wmask} to any in via ${iif} # stop RFC1918 nets on the outside interface ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} # stop draft-manning-dsua-0.3.txt {1 May 2000} nets {includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST {class D}, and class E} # on the outside interface ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} # all packets on external interface sent to NAT daemon for IP address # translation #${fwcmd} add divert natd all from any to any via ${oif} #natd -port ${natdportextern} -interface ${oif} #natd -port ${natdportwleiden} -interface ${wif} ${fwcmd} add divert ${natdportextern} all from any to any via ${oif} ${fwcmd} add divert ${natdportwleiden} all from any to any via ${wif} # avoid blocking of internal network traffic bij RFC1918 filters # stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} # stop draft-manning-dsua-0.3.txt {1 May 2000} nets {includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST {class D}, and class E} # on the outside interface ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} # Blokkeer al het wleiden verkeer naar alles behalve # naar mijn wleiden interface. # #${fwcmd} add deny all from ${wnet}:${wmask} to not ${wip} # allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # allow access to our DNS # alleen interessant als er een caching dns server op de firewall draait ${fwcmd} add pass udp from any to ${wip} 53 ${fwcmd} add pass udp from ${wip} to any 53 ${fwcmd} add pass udp from any to ${iip} 53 ${fwcmd} add pass udp from ${iip} 53 to any # allow DNS queries out to the world ${fwcmd} add pass udp from ${oip} to any 53 keep-state # allow DNS queries out to wleiden ${fwcmd} add pass udp from ${wip} to any 53 keep-state # allow SSH connections ${fwcmd} add pass tcp from any to ${oip} 22 ${fwcmd} add pass tcp from any to ${wip} 22 ${fwcmd} add pass tcp from any to ${iip} 22 # allow VOIP connections to tsunami (SIP en H.323) # -- allow incoming TCP on port 5060 into # our outside IP address ${fwcmd} add pass tcp from any to ${voip} 5060 ${fwcmd} add pass tcp from any to ${voip} 1720 # -- and once these are NAT-ed into the internal # address - pass them on further. ${fwcmd} add pass tcp from any to ${ivoip} 5060 ${fwcmd} add pass tcp from any to ${ivoip} 1720 # reject sendmail ident queries ${fwcmd} add reset tcp from any to any 113 # reject&log all setup of incoming connections from the outside ${fwcmd} add deny log tcp from any to any in via ${oif} setup # reject&log all setup of incoming connections from wleiden ${fwcmd} add deny log tcp from any to any in via ${wif} setup # allow setup of other TCP connections # ${fwcmd} add pass tcp from ${wnet}:${wmask} to any out via ${oif} setup ${fwcmd} add pass tcp from ${inet}:${imask} to any out via ${oif} setup ${fwcmd} add pass tcp from ${inet}:${imask} to any out via ${wif} setup ${fwcmd} add pass tcp from ${oip} to any out via ${oif} setup ${fwcmd} add pass tcp from ${wip} to any out via ${wif} setup ${fwcmd} add pass tcp from ${voip} to any out via ${wif} setup # allow ICMP ${fwcmd} add pass icmp from any to any icmptypes 0,3,4,11,12