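#!/bin/sh
#
# /etc/rc.d/rc.firewall, define the firewall configuration, invoked from
# rc.local.
#
# Uses the ipfwadm interface: separate input (-I), output (-O) and
# forwarding (-F) chains, each with a policy.  Rules appended with -a are
# checked in the order they appear below and the first match wins; rules
# added with -i are inserted at the head of the chain and therefore take
# precedence over everything appended earlier.  Every chain ends with a
# deny-and-log (-o) catch-all, so anything not explicitly accepted is
# dropped and written to the kernel log.
#
# -V is the address of the interface a packet arrives on / leaves by,
# -W is the interface name; when both are given both must match.
#

# Addresses used throughout; kept in one place so a renumbering does not
# have to touch every rule.
LAN_ADDR=192.168.0.3        # this host's address on the local interface
WAN_ADDR=195.218.173.129    # this host's address on the permanent PPP link
LAN_NET=192.168.0.0/24      # local network behind the firewall
DIAL_NET=192.168.4.0/24     # addresses handed out to slip/ppp dial-in clients
ANY=0.0.0.0/0

# Load one ipfwadm rule.  ipfwadm exits non-zero when a rule is rejected
# (bad syntax, missing kernel support); report that on stderr instead of
# silently skipping the rule, because a deny rule that never loaded leaves
# an unintended hole.
fw() {
  ipfwadm "$@" || printf 'rc.firewall: rule failed: ipfwadm %s\n' "$*" >&2
}

# Load all modules that should be loaded by default..
echo "Loading all modules that should be loaded by default.."
/sbin/depmod -a

# Load ip masqerading modules (masquerading helpers for ftp, RealAudio,
# irc, CU-SeeMe and VDOLive sessions).
echo "Loading ip masqerading modules.."
for mod in ip_masq_ftp ip_masq_raudio ip_masq_irc ip_masq_cuseeme ip_masq_vdolive; do
  /sbin/modprobe "$mod" || printf 'rc.firewall: modprobe %s failed\n' "$mod" >&2
done

echo "Changing firewall rules.."

# Flush the packet accounting rules.  (ipfwadm -A is the *accounting*
# category, not "all"; the three firewall chains are flushed separately.)
fw -A -f

# Close and empty every chain before loading any rules.  The policy is set
# to deny before the flush so that no chain is ever open while it is being
# rebuilt.  All three chains are flushed here, up front, because the audio
# deny rules below are inserted into the output chain early on; a later
# "-O -f" would silently discard them (which is what an earlier version of
# this script did).  The policy is otherwise irrelevant because every chain
# ends with a catch all rule with deny and log.
fw -I -p deny
fw -O -p deny
fw -F -p deny
fw -I -f
fw -O -f
fw -F -f

# Local interface: the listed local machines may go anywhere.  Only hosts
# named here get through; any other LAN address falls to the catch-all.
# dmitry (kbg)
fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.5/32 -D "$ANY"
# Jane (klay)
fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.2/32 -D "$ANY"
# Vadim's proxy..
#fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.4/32 -D "$ANY"
#unknown
#fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.6/32 -D "$ANY"
#unknown
#fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.7/32 -D "$ANY"
# Jane T (guest)
fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.8/32 -D "$ANY"
# unknown
#fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.9/32 -D "$ANY"
#  noone (acer)
fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.10/32 -D "$ANY"
# Aleksey (225)
fw -I -a accept -V "$LAN_ADDR" -S 192.168.0.25/32 -D "$ANY"

# Deny all from this host.  Inserted at the head (-i) so it is checked
# before the accepts above.
fw -I -P all -i deny -S 195.46.168.168/32 -D "$WAN_ADDR"

#### Deny all Real Audio (tcp/udp 7070) to all.  Inserted at the head of
# both chains (-i) so the per-host accepts cannot override it; -o logs.
# Incoming matches the server's source port, outgoing the destination port.
fw -I -P tcp -i deny -S "$ANY" 7070 -D "$ANY" -o
fw -O -P tcp -i deny -S "$ANY" -D "$ANY" 7070 -o
fw -I -P udp -i deny -S "$ANY" 7070 -D "$ANY" -o
fw -O -P udp -i deny -S "$ANY" -D "$ANY" 7070 -o
####

#### Deny all mp3 Audio (tcp/udp 8000) to all.  The outgoing rules used to
# repeat port 7070 (copied from the Real Audio block), so outbound
# connections to port 8000 were never blocked; they now use 8000.
fw -I -P tcp -i deny -S "$ANY" 8000 -D "$ANY" -o
fw -O -P tcp -i deny -S "$ANY" -D "$ANY" 8000 -o
fw -I -P udp -i deny -S "$ANY" 8000 -D "$ANY" -o
fw -O -P udp -i deny -S "$ANY" -D "$ANY" 8000 -o
####


# Dial-in slip/ppp clients.  Each dial-in address is accepted only on the
# interface it is expected to arrive on, then denied on every other
# interface so nobody else can claim it.  The accepts must come before the
# denies: first match wins.

# Accept everything going via ppp1/sl0 w/ addr 192.168.4.120
# this is for all, but not for my home-only..
fw -I -a accept -W ppp1 -V "$LAN_ADDR" -S 192.168.4.120/32 -D "$ANY"
fw -I -a accept -W sl0  -V "$LAN_ADDR" -S 192.168.4.120/32 -D "$ANY"

# Accept everything going via sl0 w/ addr 192.168.4.121 and 192.168.4.122
# this is for my home account only..
fw -I -a accept -W sl0  -V "$LAN_ADDR" -S 192.168.4.121/32 -D "$ANY"
fw -I -a accept -W sl0  -V "$LAN_ADDR" -S 192.168.4.122/32 -D "$ANY"

# Accept everything going via ppp1 w/ addr 192.168.4.123
# this is for Rosmol ispolkom only: may only talk to this host, and is logged.
fw -I -a accept -W ppp1 -V "$LAN_ADDR" -S 192.168.4.123/32 -D "$LAN_ADDR/32" -o

# Mail-only accounts: 192.168.4.122 via ppp1/ppp2 may reach this host only.
# These used to sit after the "deny on any other interface" block below and
# so were shadowed by the .122 deny; they have been moved up so they match.
fw -I -a accept -W ppp1 -V "$LAN_ADDR" -S 192.168.4.122/32 -D "$LAN_ADDR/32"
fw -I -a accept -W ppp2 -V "$LAN_ADDR" -S 192.168.4.122/32 -D "$LAN_ADDR/32"

# Deny any other interface with this address (no -W) claiming these
# addresses, logged.
fw -I -a deny -V "$LAN_ADDR" -S 192.168.4.120/32 -D "$ANY" -o
fw -I -a deny -V "$LAN_ADDR" -S 192.168.4.121/32 -D "$ANY" -o
fw -I -a deny -V "$LAN_ADDR" -S 192.168.4.122/32 -D "$ANY" -o
fw -I -a deny -V "$LAN_ADDR" -S 192.168.4.123/32 -D "$ANY" -o

# Remote interface claiming a dial-in address: spoofing, deny and log.
fw -I -a deny -V "$WAN_ADDR" -S "$DIAL_NET" -D "$ANY" -o

# Remote interface claiming to be a local machine: IP spoofing, get lost.
fw -I -a deny -V "$WAN_ADDR" -S "$LAN_NET" -D "$ANY" -o

# Remote interface claiming a loopback address or our own PPP address is
# spoofing as well; without these two the accept just below would let such
# packets in whenever they are addressed to the permanent PPP address.
fw -I -a deny -V "$WAN_ADDR" -S 127.0.0.0/8 -D "$ANY" -o
fw -I -a deny -V "$WAN_ADDR" -S "$WAN_ADDR/32" -D "$ANY" -o

# Remote interface, any source, going to the permanent PPP address is valid.
fw -I -a accept -V "$WAN_ADDR" -S "$ANY" -D "$WAN_ADDR/32"

# Loopback interface is valid.
fw -I -a accept -V 127.0.0.1 -S "$ANY" -D "$ANY"

# Catch all rule: all other incoming is denied and logged.  Pity there is no
# log option on the policy, but this does the job instead.
fw -I -a deny -S "$ANY" -D "$ANY" -o

# Outgoing chain (policy set and chain flushed at the top; the Real Audio
# and mp3 denies were inserted at its head above).

# Local interface, any source going to local net is valid.
fw -O -a accept -V "$LAN_ADDR" -S "$ANY" -D "$LAN_NET"

# Outgoing to local net on remote interface: stuffed routing, deny.
fw -O -a deny -V "$WAN_ADDR" -S "$ANY" -D "$LAN_NET" -o

# Outgoing from local net on remote interface: stuffed masquerading, deny.
fw -O -a deny -V "$WAN_ADDR" -S "$LAN_NET" -D "$ANY" -o

# Outgoing from the dial-in net on remote interface: stuffed masquerading,
# deny.  (Source sets of this and the accept below are disjoint, so the
# order between them does not matter.)
fw -O -a deny -V "$WAN_ADDR" -S "$DIAL_NET" -D "$ANY" -o

# Anything else outgoing on the remote interface must carry our own address,
# i.e. be locally generated or masqueraded; this is the egress spoof check.
fw -O -a accept -V "$WAN_ADDR" -S "$WAN_ADDR/32" -D "$ANY"

# This helps w/ slip/ppp 192.168.4.120 address.
fw -O -a accept -V "$LAN_ADDR" -S "$ANY" -D 192.168.4.120/32

# Loopback interface is valid.
fw -O -a accept -V 127.0.0.1 -S "$ANY" -D "$ANY"

# Catch all rule: all other outgoing is denied and logged.  Pity there is no
# log option on the policy, but this does the job instead.
fw -O -a deny -S "$ANY" -D "$ANY" -o

# Forwarding chain (policy set and chain flushed at the top).

# Masquerade the listed local machines out over ppp0 (presumably the link
# carrying the permanent PPP address) to anywhere.  Only hosts that are also
# accepted on the input chain can reach this chain: .6, .7 and .9 are listed
# here but their input accepts are commented out, so those entries stay
# inactive until the input rules are enabled.
fw -F -a masquerade -W ppp0 -S 192.168.0.5/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.2/32 -D "$ANY"
#fw -F -a masquerade -W ppp0 -S 192.168.0.4/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.6/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.7/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.8/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.9/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.10/32 -D "$ANY"
fw -F -a masquerade -W ppp0 -S 192.168.0.25/32 -D "$ANY"

# Dial-in slip/ppp clients: .120 may be masqueraded anywhere, the others
# only towards this host (.123 logged).
fw -F -a masquerade -W ppp1 -S 192.168.4.120/32 -D "$ANY"
fw -F -a masquerade -W ppp1 -S 192.168.4.121/32 -D "$LAN_ADDR/32"
fw -F -a masquerade -W ppp1 -S 192.168.4.122/32 -D "$LAN_ADDR/32"
fw -F -a masquerade -W ppp1 -S 192.168.4.123/32 -D "$LAN_ADDR/32" -o

# Catch all rule: all other forwarding is denied and logged.
fw -F -a deny -S "$ANY" -D "$ANY" -o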

