-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathworkstation-ipfw.conf
178 lines (108 loc) · 6.09 KB
/
workstation-ipfw.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
################ Start of IPFW rules file ###############################
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
net="em0" # interface name of NIC attached to Internet
#################################################################
# No restrictions on the Loopback Interface
#################################################################
$cmd 00005 allow ip from any to any via lo0
#################################################################
# Allow the packet through if it has previously been added to the
# the "dynamic" rules table by an 'allow keep-state' statement.
#################################################################
$cmd 00010 check-state :default
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP.s DNS
# Dupplicate these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00020 allow tcp from me to 192.168.1.1 53 out via $net setup keep-state
$cmd 00025 allow udp from me to 192.168.1.1 53 out via $net keep-state
# Allow outbound TCP
$cmd 00030 allow tcp from me to any 49152–65535 out via $net setup keep-state
# Allow outbound UDP
$cmd 00035 allow udp from me to any 49152–65535 out via $net setup keep-state
# Allow outbound ping
$cmd 00050 allow icmp from me to any out via $net keep-state
# Allow outbound whois
$cmd 00090 allow tcp from me to any 43 out via $net setup keep-state
# Deny and log everything else that is trying to get out.
# This rule enforces the block all by default logic.
$cmd 00099 deny log all from any to any out via $net
#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces.
# Adjust this rule block for your internal network topology.
# Everything except the first rule is blocked by default.
# $cmd 00300 deny all from 192.168.0.0/16 to any in via $net #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $net #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $net #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $net #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $net #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $net #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $net #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $net #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $net #Class D & E multicast
$cmd 00309 deny all from any to ::1 in via $net
$cmd 00310 deny all from ::1 to any in via $net
$cmd 00311 deny all from fe80::/10 to any in via $net #IPv6 link-local addresses
$cmd 00312 deny all from fc00::/7 to any in via $net #IPv6 unique local addresses
$cmd 00313 deny all from 240.0.0.0/4 to any in via $net #IPv4 future use addresses
$cmd 00314 deny all from ff00::/8 to any in via $net #IPv6 multicast addresses
$cmd 00315 deny all from ::1 to any in via $net #IPv6 loopback
$cmd 00316 deny all from any to ::1 in via $net #IPv6 loopback
# Deny public pings
$cmd 00320 deny icmp from any to any in via $net
# Deny ident
$cmd 00330 deny tcp from any to any 113 in via $net
# Deny all Netbios services. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
$cmd 00350 deny tcp from any to any 137 in via $net
$cmd 00351 deny udp from any to any 137 in via $net
$cmd 00352 deny tcp from any to any 138 in via $net
$cmd 00353 deny udp from any to any 138 in via $net
$cmd 00354 deny tcp from any to any 139 in via $net
$cmd 00355 deny udp from any to any 139 in via $net
# Deny TorPark onion routing
$cmd 00356 deny tcp from any to any 81 in via $net
$cmd 00357 deny udp from any to any 81 in via $net
# Deny any late arriving packets
$cmd 00340 deny all from any to any frag in via $net
# Deny ACK packets that did not match the dynamic rule table
$cmd 00345 deny tcp from any to any established in via $net
# Allow in standard www function in case you have a web server
# Uncomment the following two lines to enable the rules and allow traffic.
# $cmd 00400 allow tcp from any to me 80 in via $net setup limit src-addr 2
# $cmd 00401 allow tcp from any to me 443 in via $net setup limit src-addr 2
# Allow inbound SSH
# Ideally you should declare what ip or groups of ips can access
# instead of setting 'any'. Blocked by default, remove comment to permit.
# $cmd 00450 allow tcp from any to me 22 in via $net setup keep-state
# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $net
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
## Consider outbound traffic is allowed only in the 49152–65535 port range.
## To check the default ephemeral port range in your system issue these commands:
## sudo sysctl net.inet.ip.portrange.first
## sudo sysctl net.inet.ip.portrange.last
## To modify the default ephemeral port range issue the following command:
## sudo sysctl net.inet.ip.portrange.first=49152
## sudo sysctl net.inet.ip.portrange.last=65535
## To make this permanent modify the /etc/sysctl.conf file in your system and add:
## net.inet.ip.portrange.first=49152
## net.inet.ip.portrange.last=65535
## References in the URL: https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-ipfw-firewall-on-freebsd/