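#!/bin/sh
#
# ptudor@ptudor.net 20020408
# /Library/StartupItems/Firewall/Firewall
#
# Mac OS X StartupItem that loads a stateless ipfw ruleset: flushes the
# existing rules, then adds them in ascending rule-number order, ending in
# an explicit logged deny so the policy does not depend on the kernel's
# built-in default rule 65535.
#
## This will break normal ftp. Does ipfw support state?
## until then, just use passive ftp instead.

###### System (ignore this)
. /etc/rc.common
ConsoleMessage "Configuring firewall"

###### Variables (configure here)
##
## every single one of these variables is
## required by some rule. so don't leave it
## blank, leave it as default or change it
## but leave something.
##
IPFW=/sbin/ipfw
# this is the interface we apply this to.
# en-star matches en0, en1, ... (copper Ethernet and Airport in my iBook)
# The '*' is an ipfw interface wildcard, not a shell glob: the assignment
# itself is not pathname-expanded, but every use below is double-quoted so
# the shell cannot replace it with a matching filename from the current
# directory before ipfw sees it.
ETHERNET=en*
# other possibilities... ppp0
# Ports always wide open, regardless, are: dns, dhcp, ntp, and traceroute
# Real ports open to the world
WIDEOPENPORTS="22,80"
# These are ports open to the single network defined below
# You can list them again below in reset/reject but the
# default deny at the end should take care of them.
PORTSTRUST="23"
# Logged ports:
# Fake or real ports rejected with a quick ICMP Unreachable ("No route to host")
PORTSREJECT="23,31337,666"
# Fake or real ports we send a TCP RST to ("Connection refused")
PORTSRESET="5432,1169,7100"
# Otherwise, just drop the packet
# Local or otherwise trusted network
TRUSTNET="10.20.40.80"
# Subnet mask of that network
# NOTE(review): ipfw's addr:mask syntax applies the mask when matching, so
# host bits in TRUSTNET should be ignored -- confirm against ipfw(8).
TRUSTMASK="255.255.252.0"
# Adjust the state of logging to /var/log/system.log
# 0=disable 1=enable
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
# want to keep this file unchanged? include your own config
# . /etc/firewall.ptudor.rc
# end config

###### Sanity checks
# An empty variable would turn a rule into a different (usually broader)
# rule or make ipfw reject it, leaving a partially loaded ruleset. Abort
# here, before the flush, so the existing rules are left untouched.
# ${VAR:?} is plain POSIX sh and prints the message to stderr on failure.
: "${IPFW:?IPFW must point at the ipfw binary}"
: "${ETHERNET:?ETHERNET must name the filtered interface(s)}"
: "${WIDEOPENPORTS:?WIDEOPENPORTS must list at least one port}"
: "${PORTSTRUST:?PORTSTRUST must list at least one port}"
: "${PORTSREJECT:?PORTSREJECT must list at least one port}"
: "${PORTSRESET:?PORTSRESET must list at least one port}"
: "${TRUSTNET:?TRUSTNET must be set}"
: "${TRUSTMASK:?TRUSTMASK must be set}"

###### Actual Firewall
# flush all the rules
# Between this flush and the final deny below, only the kernel's default
# rule 65535 is in effect (see the "implicit allow" note at the end).
"${IPFW}" -f flush
# Local loopback interface is open
#${IPFW} add 1000 allow ip from any to any via lo0
"${IPFW}" add 1000 allow all from any to any via lo0
#${IPFW} add 1001 allow all from any to 127.0.0.0/8
# Block MS Office PID Sniffer
"${IPFW}" add 1990 deny log udp from any to any 2222 out
# Allow TCP through if setup succeeded
# 'established' matches any TCP segment with the ACK or RST bit set; a
# stateless filter cannot check that such a segment belongs to a connection
# this host actually opened, so this rule accepts more than replies alone.
"${IPFW}" add 2000 pass tcp from any to any established
# Allow outgoing TCP traffic
"${IPFW}" add 3000 pass tcp from any to any out via "${ETHERNET}"
# Allow IP fragments to pass through
# 'frag' matches non-first fragments, which carry no port numbers, so none
# of the port-based rules below can be applied to them.
"${IPFW}" add 4000 pass all from any to any frag
# Allow DNS answers
"${IPFW}" add 5000 allow udp from any to any 53 out via "${ETHERNET}"
"${IPFW}" add 5001 allow udp from any 53 to any in via "${ETHERNET}"
# Allow dhcp
"${IPFW}" add 5100 allow udp from any to any 67,68 out via "${ETHERNET}"
"${IPFW}" add 5101 allow udp from any 67,68 to any in via "${ETHERNET}"
# Allow NTP
"${IPFW}" add 5200 allow udp from any to any 123 out via "${ETHERNET}"
"${IPFW}" add 5201 allow udp from any 123 to any in via "${ETHERNET}"
# Allow traceroute
"${IPFW}" add 5300 allow udp from any to any 33434-33499 out via "${ETHERNET}"
# Allow ssh and http in (whatever WIDEOPENPORTS lists)
"${IPFW}" add 6000 allow tcp from any to any "${WIDEOPENPORTS}" in via "${ETHERNET}"
# Allow telnet from select networks; silently and explicitly reject otherwise
# 6500 must precede 6510: port 23 is in both PORTSTRUST and PORTSREJECT.
"${IPFW}" add 6500 allow tcp from "${TRUSTNET}:${TRUSTMASK}" to any "${PORTSTRUST}" in via "${ETHERNET}"
"${IPFW}" add 6510 reject log tcp from any to any "${PORTSREJECT}" in via "${ETHERNET}"
# reset a few ports, make them look open. These are honeypot ports to log.
# if someone is scanning me, I don't want 65,000 lines of logs.
# Five lines of logs to odd ports will suffice.
"${IPFW}" add 6600 reset log tcp from any to any "${PORTSRESET}" in via "${ETHERNET}"
# Deny everything else except for ICMP
# These two are deliberately unlogged; only the final catch-all logs.
"${IPFW}" add 8000 deny tcp from any to any via "${ETHERNET}"
"${IPFW}" add 8001 deny udp from any to any via "${ETHERNET}"
# allow all icmp
# Unrestricted in both directions on the filtered interface.
"${IPFW}" add 9000 allow icmp from any to any via "${ETHERNET}"
# implicit allow:
## ${IPFW} 65535 allow ip from any to any
# The kernel's default rule may be an allow, so add an explicit, logged deny
# just below it to make the default policy part of this script.
"${IPFW}" add 65534 deny log ip from any to any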