blob: 93829e8f49125e4e9d3e75a9a24b3fdbd143fd5a (
plain) (
tree)
|
|
network inetrface
fxp0 : 11.11.11.1
fxp1 : 10.14.1.254
/etc/ipnat.rules
# NAT
#
map fxp0 192.168.182.0/24 -> 11.11.11.1/32 portmap tcp/udp auto
--------------------------------------------------------
/usr/local/etc/rc.d/ipfw.sh
#!/bin/sh
RULENO="1500"
EXT_IF="fxp0"
INT_IF="fxp1"
EXT_IP="11.11.11.1"
#INT_IP="10.14.1.0/24"
# flush rules
#
ipfw -f flush
## setup loopback
##
ipfw $RULENO add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
# allow related and established on all interfaces
#
ipfw add pass ip from any to any established
# allow SA connect to me , deny any others use ssh
#
ipfw add pass tcp from 11.11.11.5 to any setup
ipfw add deny tcp from any to ${EXT_IP} 22
## allow me (firewall) to access anywhere
##
ipfw add pass tcp from ${EXT_IP} to any setup
ipfw add pass udp from ${EXT_IP} to any keep-state
## allow tun0 device to connect to anywhere
##
ipfw add pass tcp from any to any via tun0 setup
ipfw add pass udp from any to any via tun0 keep-state
# allow icmp
#
ipfw add pass icmp from any to any icmptypes 0,3,8,11
# allow http , https and dns on internal interface
#
ipfw add pass tcp from any to any 80 via ${INT_IF} setup
ipfw add pass tcp from any to any 443 via ${INT_IF} setup
ipfw add pass udp from any to any 53 via ${INT_IF} keep-state
# allow tcp port 3990 on internal interface for chillispot redirection
#
ipfw add pass tcp from any to any 3990 via ${INT_IF} setup
# except for any condition above , reject everything on all interfaces
#
ipfw add deny all from any to any
|
