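#!/bin/sh
# Copyright (C) 2003 Jimmy Scott
# $DevBox: Firewall.bin,v 1.3 2004/09/15 22:05:47 jimmy Exp $
#
# Host firewall for ipfw (IPv4) and ip6fw (IPv6): loopback traffic is kept on
# lo*, established and outgoing traffic is allowed, inbound traffic is limited
# to DHCP replies and SSH, most ICMP is allowed, and rule 65534 denies the rest.
# Rule numbers are kept identical on both stacks so the two rulesets can be
# compared side by side.

# Kernel tunables: blackhole drops packets to closed TCP/UDP ports instead of
# answering them; the two verbose knobs make rules tagged 'log' actually log.
sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1
sysctl -w net.inet.ip.fw.verbose=1
sysctl -w net.inet6.ip6.fw.verbose=1

# Firewall commands (-q: quiet add/flush, the usual setting for rc-style
# scripts).
fwcmd="/sbin/ipfw -q"
fw6cmd="/sbin/ip6fw -q"
log=""     # set to 'log' to log matches, remember logs go to kern.info !
logudp=""  # set to 'log' to log UDP matches, remember logs go to kern.info !

# Ephemeral port ranges, read from the kernel. ip6fw has no keep-state, so the
# IPv6 UDP reply rules (03061/03062) are built from these ranges instead.
hif=$(sysctl -n net.inet.ip.portrange.hifirst)
hil=$(sysctl -n net.inet.ip.portrange.hilast)
lof=$(sysctl -n net.inet.ip.portrange.lowfirst)
lol=$(sysctl -n net.inet.ip.portrange.lowlast)

# Validate before the flush: an empty value would turn a port range into a
# malformed rule that is not installed, leaving the IPv6 UDP reply path
# unexpectedly closed. Aborting here keeps the existing ruleset untouched.
: "${hif:?net.inet.ip.portrange.hifirst is empty, ruleset not changed}"
: "${hil:?net.inet.ip.portrange.hilast is empty, ruleset not changed}"
: "${lof:?net.inet.ip.portrange.lowfirst is empty, ruleset not changed}"
: "${lol:?net.inet.ip.portrange.lowlast is empty, ruleset not changed}"

# Flush everything
${fwcmd} -f flush
${fw6cmd} -f flush

# Process dynamic rules
${fwcmd} add 00005 check-state
#${fw6cmd} add 00005 check-state # not yet implemented

# Setup loopback interface: allow lo*, then drop loopback addresses arriving
# on any other interface (they can only be spoofed).
${fwcmd} add 02000 allow ip from any to any via lo*
${fw6cmd} add 02000 allow ipv6 from any to any via lo*
${fwcmd} add 02010 deny ${log} ip from 127.0.0.0/8 to any in
${fw6cmd} add 02010 deny ${log} ipv6 from ::1 to any in
${fwcmd} add 02020 deny ${log} ip from any to 127.0.0.0/8 in
${fw6cmd} add 02020 deny ${log} ipv6 from any to ::1 in

# Deny multicast traffic
${fwcmd} add 02050 deny ${log} ip from any to 224.0.0.0/3 in
${fw6cmd} add 02050 deny ${log} ipv6 from any to ff00::/8 in

# Allow established TCP traffic
${fwcmd} add 03000 allow tcp from any to any established
${fw6cmd} add 03000 allow tcp from any to any established

# Allow IP fragments to pass.
# Caveat: non-first fragments carry no port information, so they are accepted
# here before any of the port-based deny rules below are reached. Accepted as
# the price of not breaking fragmented replies; reassembly is left to the host.
${fwcmd} add 03010 allow ip from any to any frag
${fw6cmd} add 03010 allow ipv6 from any to any frag

# Allow outgoing TCP
${fwcmd} add 03050 allow ${log} tcp from any to any out setup
${fw6cmd} add 03050 allow ${log} tcp from any to any out setup

# Allow outgoing UDP. IPv4 uses keep-state for the replies; IPv6 instead
# opens the ephemeral port ranges inbound (see hif/hil/lof/lol above).
# Note the order in 03062: the "low" range is expected to be numbered
# downwards (lowfirst > lowlast), so lowlast-lowfirst is the ascending form
# ipfw wants -- verify against the target host's portrange settings.
${fwcmd} add 03060 allow ${logudp} udp from any to any out keep-state
${fw6cmd} add 03060 allow ${logudp} udp from any to any out
${fw6cmd} add 03061 allow ${logudp} udp from any to any ${hif}-${hil} in
${fw6cmd} add 03062 allow ${logudp} udp from any to any ${lol}-${lof} in

# Allow incoming DHCP replies
${fwcmd} add 03100 allow ${log} udp from any 67 to any 68 in
${fw6cmd} add 03100 allow ${log} udp from any 67 to any 68 in

# Allow incoming WWW
#${fwcmd} add 03200 allow ${log} tcp from any to any 80 in setup
#${fw6cmd} add 03200 allow ${log} tcp from any to any 80 in setup

# Allow incoming FTP
#${fwcmd} add 03500 allow ${log} tcp from any to any 21 in setup
#${fw6cmd} add 03500 allow ${log} tcp from any to any 21 in setup

# Allow incoming passive FTP
#${fwcmd} add 03600 allow ${log} tcp from any to any 1024-65535 in setup
#${fw6cmd} add 03600 allow ${log} tcp from any to any 1024-65535 in setup

# Allow incoming SSH
${fwcmd} add 03700 allow ${log} tcp from any to any 22 in setup
${fw6cmd} add 03700 allow ${log} tcp from any to any 22 in setup

# Deny incoming ping requests
${fwcmd} add 05000 deny ${log} icmp from any to any icmptypes 8 in
${fw6cmd} add 05000 deny ${log} ipv6-icmp from any to any icmptypes 128 in

# Deny incoming other info requests (timestamp, info, address-mask request);
# no ip6fw counterpart is installed for these.
${fwcmd} add 05100 deny ${log} icmp from any to any icmptypes 13,15,17 in

# Allow all other ICMP, its use is limited by the kernel
${fwcmd} add 06000 allow ${log} icmp from any to any
${fw6cmd} add 06000 allow ${log} ipv6-icmp from any to any

# Deny everything else. The IPv6 catch-all must go to ip6fw: issued through
# ipfw, "ipv6" names an IPv4 protocol and the IPv6 ruleset ends without an
# explicit deny.
${fwcmd} add 65534 deny ${log} ip from any to any
${fw6cmd} add 65534 deny ${log} ipv6 from any to any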