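=========================================================================
FreeBSD ipfw
-------------------------------------------------------------------------
by o1
FreeBSD condo 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 GENERIC amd64
=========================================================================
create /usr/local/bin/ipfw and run after updating service changes
-------------------------------------------------------------------------
#!/bin/sh
#
# Stateful ipfw ruleset for a single host with a private LAN interface, a
# public WAN interface and an (optional) VPN tunnel.  rc(8) runs it through
# firewall_script in /etc/rc.conf; it can also be re-run by hand after a
# service change.  The list is flushed and rebuilt in one pass, so always run
# the whole file: stopping part-way leaves only the rules added so far plus
# the kernel's final default rule (deny on a GENERIC kernel).
#
# Rule numbers are grouped by purpose:
#   1xxx loopback      2xxx LAN          3xxx VPN        4xxx dynamic state
#   5xxx WAN ingress hygiene (no log)    6xxx WAN egress (client side)
#   7xxx WAN ingress (server side)       9xxx catch-all deny + log
#
# "log" on allow/deny rules is only active when net.inet.ip.fw.verbose is
# set (firewall_logging="YES" in rc.conf) and is capped per rule by
# net.inet.ip.fw.verbose_limit; use "ipfw resetlog" to start counting again.

# Setup -----------------------------------------------------------------------

# Add rule.  Kept as one string and used unquoted on purpose so that /bin/sh
# splits it into the three words "ipfw" "-q" "add".
rule="ipfw -q add"

# loopback
loop="lo0"
# private LAN interface
lan="vtnet0"
# public WAN interface
wan="vtnet1"
# VPN interface
vpn="tun0"

# from remote: sources allowed to reach sshd on the WAN side (rules 7102/7103)
# NOTE(review): 88.88.88.0/8 has host bits set inside the mask, so ipfw
# matches it as 88.0.0.0/8, i.e. every address beginning with 88.  If a
# single network was intended the prefix length should be narrowed — confirm.
fenn1="88.88.88.0/8"
fenn2="99.99.99.99/32"

# Flush out the list first ----------------------------------------------------
# Removes every rule (including dynamic state) before the new set is added.
ipfw -q -f flush

# Allow loopback In/Out -------------------------------------------------------
# Only tcp/udp/icmp are permitted on lo0; any other protocol on loopback
# (e.g. ipv6-icmp for ::1) falls through to rule 9200.  The commented "all"
# variant permits everything on lo0.
# $rule 1100 allow all from any to any via "$loop"
$rule 1100 allow tcp from any to any via "$loop"
$rule 1110 allow udp from any to any via "$loop"
$rule 1120 allow icmp from any to any via "$loop"

# Allow LAN In/Out ------------------------------------------------------------
# Same protocol set as loopback; everything else on the LAN side is dropped
# and logged by rule 9200.
# $rule 2100 allow all from any to any via "$lan"
$rule 2100 allow tcp from any to any via "$lan"
$rule 2110 allow udp from any to any via "$lan"
$rule 2120 allow icmp from any to any via "$lan"

# Allow VPN In/Out ------------------------------------------------------------
# Disabled: with these commented out, tun0 traffic is only accepted by a
# matching 6xxx/7xxx rule or a dynamic entry.
# $rule 3100 allow log all from any to any via "$vpn"
# $rule 3100 allow log tcp from any to any via "$vpn"
# $rule 3110 allow log udp from any to any via "$vpn"
# $rule 3120 allow log icmp from any to any via "$vpn"

# Allow Existing Connections In/Out -------------------------------------------
# Packets belonging to a flow created by a keep-state/limit rule below are
# accepted here, before any of the static filtering.
$rule 4100 check-state

# Deny WAN Attack in ----------------------------------------------------------
# Deny non-routable reserved address spaces.  These deny silently so that the
# logging catch-all (9100) is not flooded with spoofed/bogon sources.
$rule 5100 deny all from 192.168.0.0/16 to any in via "$wan"  #RFC 1918 private IP
$rule 5110 deny all from 172.16.0.0/12 to any in via "$wan"   #RFC 1918 private IP
$rule 5120 deny all from 10.0.0.0/8 to any in via "$wan"      #RFC 1918 private IP
$rule 5130 deny all from 127.0.0.0/8 to any in via "$wan"     #loopback
$rule 5140 deny all from 0.0.0.0/8 to any in via "$wan"       #"this network" (RFC 1122), never a valid WAN source
$rule 5150 deny all from 169.254.0.0/16 to any in via "$wan"  #DHCP auto-config (link-local)
$rule 5160 deny all from 192.0.2.0/24 to any in via "$wan"    #reserved for docs
$rule 5170 deny all from 204.152.64.0/23 to any in via "$wan" #Sun cluster interconnect
$rule 5180 deny all from 224.0.0.0/3 to any in via "$wan"     #Class D & E multicast

# Deny public pings
# $rule 5200 deny icmp from any to any in via "$wan"

# Allow traceroute out
# NOTE(review): "unreach port" rejects the matching UDP probes and answers
# with ICMP port-unreachable; without an in/out keyword it applies in both
# directions on the WAN interface.  Confirm that UDP traceroute *from* this
# host still works; if not, restrict this rule with "in".
$rule 5200 unreach port udp from any to any 33434-33524 via "$wan"
# echo-reply, dest-unreachable, source-quench, time-exceeded: needed for
# traceroute/ping replies and path-MTU discovery.  Echo-request (type 8)
# from the WAN is not listed, so inbound pings are logged and dropped by 9100.
$rule 5210 allow icmp from any to any icmptypes 0,3,4,11 via "$wan"

# Deny ident (silently, to keep it out of the 9100 log)
$rule 5300 deny tcp from any to any 113 in via "$wan"

# Deny all Netbios services (silently).  Port 81 is carried over from the
# source ruleset; it is not a NetBIOS port.  Any port not listed here is still
# denied by 9100, just with a log line.
$rule 5400 deny tcp from any to any 137 in via "$wan"
$rule 5410 deny tcp from any to any 138 in via "$wan"
$rule 5420 deny tcp from any to any 139 in via "$wan"
$rule 5430 deny tcp from any to any 81 in via "$wan"

# Deny fragments
$rule 5500 deny all from any to any frag in via "$wan"

# Deny ACK packets that did not match the dynamic rule table.  Must stay after
# check-state (4100): legitimate replies to our keep-state flows are already
# accepted there, so anything "established" reaching this rule is unsolicited.
$rule 5600 deny tcp from any to any established in via "$wan"

# Allow WAN Out (client) ------------------------------------------------------
# Each rule creates a dynamic entry so the reply traffic passes check-state.
# "from any" rather than "from me" also covers traffic forwarded through this
# host, should forwarding ever be enabled.
# $rule 6100 allow tcp from me to any out via "$wan" setup keep-state
# $rule 6110 allow udp from me to any out via "$wan" keep-state
# $rule 6120 allow icmp from me to any out via "$wan" keep-state
# PING
# (was "rule 6100 ..." without the leading "$": the command "rule" does not
# exist, so outbound ICMP was never added and ping out was denied by 9200)
$rule 6100 allow log icmp from any to any out via "$wan" keep-state
# WHOIS
$rule 6110 allow log tcp from any to any 43 out via "$wan" setup keep-state
# NTP
$rule 6200 allow log udp from any to any 123 out via "$wan" keep-state
# SSH
$rule 6300 allow log tcp from any to any 22 out via "$wan" setup keep-state
# DNS
$rule 6400 allow log tcp from any to any 53 out via "$wan" setup keep-state
$rule 6410 allow log udp from any to any 53 out via "$wan" keep-state
# HTTP
$rule 6500 allow log tcp from any to any 80 out via "$wan" setup keep-state
# HTTPS
$rule 6510 allow log tcp from any to any 443 out via "$wan" setup keep-state
# SMTP
$rule 6600 allow log tcp from any to any 25 out via "$wan" setup keep-state

# Allow WAN In (server) -------------------------------------------------------
# SSH: only from the two "from remote" sources above; the open variant is off.
# $rule 7100 allow log tcp from any to me 22 in via "$wan" setup keep-state
$rule 7102 allow log tcp from "$fenn2" to me 22 in via "$wan" setup keep-state
$rule 7103 allow log tcp from "$fenn1" to me 22 in via "$wan" setup keep-state
# DNS over UDP (queries)
# NOTE(review): keep-state on an inbound "from any" UDP rule creates one
# dynamic entry per client; a query flood can exhaust the dynamic table
# (net.inet.ip.fw.dyn_max) and starve the other stateful rules — consider a
# plain "allow" for UDP 53 or a "limit src-addr" bound.
$rule 7200 allow udp from any to me 53 in via "$wan" keep-state
# DNS over TCP (zone transfers, retries of truncated responses)
$rule 7300 allow tcp from any to me 53 in via "$wan" setup keep-state
# HTTP
$rule 7400 allow tcp from any to me 80 in via "$wan" setup keep-state
# HTTPS
$rule 7500 allow tcp from any to me 443 in via "$wan" setup keep-state
# SMTP
# $rule 7600 allow log tcp from any to me 25 in via "$wan" setup keep-state
# SMTP SSL
# $rule 7610 allow log tcp from any to me 465 in via "$wan" setup keep-state
# SMTP STARTTLS
# $rule 7620 allow log tcp from any to me 587 in via "$wan" setup keep-state
# POP3
# $rule 7700 allow log tcp from any to me 110 in via "$wan" setup keep-state
# POP3S
# $rule 7710 allow log tcp from any to me 995 in via "$wan" setup keep-state
# IMAP4
# $rule 7800 allow log tcp from any to me 143 in via "$wan" setup keep-state
# IMAP4S
# $rule 7810 allow log tcp from any to me 993 in via "$wan" setup keep-state
# OpenVPN (limit max 9 connections)
# $rule 7900 allow log udp from any to me 1194 in via "$wan" limit src-addr 9

# Deny & Log ------------------------------------------------------------------
# Deny & Log all other incoming connections on the WAN side.
$rule 9100 deny log all from any to any in via "$wan"
# Deny & Log everything else (any interface, any direction).
$rule 9200 deny log all from any to any
=========================================================================
/etc/rc.conf
-------------------------------------------------------------------------
firewall_enable="YES"
# Load the ruleset above instead of one of the built-in firewall_type sets.
firewall_script="/usr/local/bin/ipfw"
# Turns on net.inet.ip.fw.verbose so the "log" keyword in the rules takes effect.
firewall_logging="YES"
=========================================================================
/etc/sysctl.conf
-------------------------------------------------------------------------
# Stop logging a given rule after 10 matches (reset with "ipfw resetlog") so
# a scan or flood cannot fill /var/log/security.
net.inet.ip.fw.verbose_limit=10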