
自分の ipfw.rule

server

なんだかんだで長年使い続けてる ipfw.rule 

 

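#!/bin/sh
#
# ipfw ruleset for a small FreeBSD gateway: a trusted LAN on ${IIF} (re0),
# an untrusted PPPoE uplink on ${OIF} (ng0), and a handful of services the
# gateway itself offers to the LAN and to the Internet.
#
# ipfw evaluates rules in ascending rule-number order, not in the order
# they were added. The fail-safe catch-all at 65000 is therefore installed
# right after the flush: if a later "add" fails to parse, the host falls
# closed instead of falling through to the kernel default rule 65535
# (which is "allow" on kernels built with IPFIREWALL_DEFAULT_TO_ACCEPT).
#
# Must run as root. Deliberately no "set -e": a single bad rule is reported
# by ipfw and skipped rather than aborting the whole script and locking out
# remote administration; the catch-all above keeps the failure mode closed.

set -u

# Interfaces and networks. Everything arriving on IIF is trusted; OIF is
# the Internet-facing interface.
IIF="re0"                  # inside (LAN) interface
OIF="ng0"                  # outside (PPPoE) interface
my_net="192.168.0.0/24"    # the LAN behind IIF

# Thin wrappers so the rule lines stay readable and quoting stays clean
# (the old version word-split an unquoted "$fw_cmd").
fw()     { /sbin/ipfw -q "$@"; }
fw_add() { fw add "$@"; }

# Start from an empty table.
fw -f flush

# --- fail-safe default -------------------------------------------------
# Anything not explicitly allowed below is logged and dropped. Added first
# so the policy holds even if one of the later rules fails to load.
# Logging is rate-limited by net.inet.ip.fw.verbose_limit.
fw_add 65000 deny log all from any to any

# --- loopback ----------------------------------------------------------
# lo0 is fully trusted; 127/8 must never appear on the uplink in either
# direction.
fw_add 100 allow all from any to any via lo0
fw_add 110 deny log all from any to 127.0.0.0/8 via "${OIF}"
fw_add 120 deny log all from 127.0.0.0/8 to any via "${OIF}"

# --- anti-spoofing on the uplink ---------------------------------------
# A packet claiming a LAN / RFC 1918 / bogon source can never legitimately
# arrive on OIF. These must precede "established" and the LAN service
# rules, which match on source address without an interface qualifier.
fw_add 130 deny log all from "${my_net}" to any in via "${OIF}"
fw_add 140 deny log all from 10.0.0.0/8 to any in via "${OIF}"
fw_add 150 deny log all from 172.16.0.0/12 to any in via "${OIF}"
fw_add 160 deny log all from 192.168.0.0/16 to any in via "${OIF}"
fw_add 170 deny log all from 169.254.0.0/16 to any in via "${OIF}"
fw_add 180 deny log all from 0.0.0.0/8 to any in via "${OIF}"
fw_add 190 deny log all from 192.0.2.0/24 to any in via "${OIF}"
fw_add 195 deny log all from 240.0.0.0/4 to any in via "${OIF}"

# --- stateful fast path ------------------------------------------------
# check-state: packets belonging to a keep-state flow are passed here.
# established: TCP segments with ACK/RST set are replies to connections
#   opened by the "setup"-only and out-via-OIF rules below.
# frag: non-initial fragments carry no port numbers, so they cannot be
#   matched by the port rules; they are passed here, after the source
#   address checks above (which fragments still carry).
fw_add 300 check-state
fw_add 310 allow tcp from any to any established
fw_add 320 allow all from any to any frag

# --- LAN side ----------------------------------------------------------
# Everything on the inside interface is trusted, both directions.
fw_add 400 allow all from any to any via "${IIF}"

# --- never route private / reserved destinations over the uplink -------
# "via" matches both directions: blocks inbound packets aimed at private
# addresses and prevents leaking RFC 1918 traffic to the ISP.
# (172.16.0.0/12 is written out in full; the old "172.16.0/12" only worked
# because inet_aton pads a three-part address.)
fw_add 500 deny all from any to 10.0.0.0/8 via "${OIF}"
fw_add 510 deny log all from any to 172.16.0.0/12 via "${OIF}"
fw_add 520 deny log all from any to 192.168.0.0/16 via "${OIF}"
# RESERVED-1, link-local (DHCP auto-config), TEST-NET, class D/E
fw_add 530 deny all from any to 0.0.0.0/8 via "${OIF}"
fw_add 540 deny all from any to 169.254.0.0/16 via "${OIF}"
fw_add 550 deny all from any to 192.0.2.0/24 via "${OIF}"
fw_add 560 deny all from any to 240.0.0.0/4 via "${OIF}"

# --- keep NetBIOS / SMB off the Internet in both directions ------------
fw_add 600 deny log tcp from any 137-139,445 to any via "${OIF}"
fw_add 610 deny log tcp from any to any 137-139,445 via "${OIF}"
fw_add 620 deny log udp from any 137-139,445 to any via "${OIF}"
fw_add 630 deny log udp from any to any 137-139,445 via "${OIF}"

# --- services the gateway offers to the LAN ----------------------------
# Rule 130 guarantees a ${my_net} source can only arrive on IIF, and rule
# 400 already passes everything there, so these mainly document which
# gateway services the LAN is expected to use.
# NOTE(review): the old rule 740 read "via setup", which ipfw parses as an
# interface literally named "setup" and so never matched; fixed to "setup".
fw_add 700 allow udp from "${my_net}" to me 53 keep-state
fw_add 710 allow udp from "${my_net}" to me 123 keep-state
fw_add 720 allow tcp from "${my_net}" to me 137-139,445 keep-state
fw_add 740 allow tcp from "${my_net}" to me setup
fw_add 750 allow all from "${my_net}" to me keep-state
fw_add 760 allow all from me to "${my_net}" keep-state

# --- services the gateway offers to the Internet -----------------------
# NOTE(review): FTP (20/21), POP3 (110) and IRC (6667) carry credentials in
# cleartext unless TLS is layered on top; confirm each is still needed.
# Inbound port 20 is only useful if something listens there - active-mode
# FTP data connections originate *from* port 20 on the server.
# keep-state on public services creates one dynamic rule per connection;
# size net.inet.ip.fw.dyn_max accordingly.
fw_add 800 allow tcp from any to me 20 keep-state
fw_add 810 allow tcp from any to me 21 keep-state
fw_add 820 allow tcp from any to me 22 keep-state
fw_add 830 allow tcp from any to me 25 keep-state
fw_add 840 allow tcp from any to me 53 keep-state
fw_add 850 allow udp from any to me 53 keep-state
fw_add 860 allow udp from me to any 53 keep-state
fw_add 870 allow tcp from any to me 80 keep-state
fw_add 880 allow tcp from any to me 110 keep-state
fw_add 890 allow tcp from any to me 443 keep-state
fw_add 895 allow tcp from any to me 587 keep-state
fw_add 897 allow tcp from any to me 6667 keep-state

# --- ICMP --------------------------------------------------------------
# echo reply/request, unreachable, source quench, time exceeded, parameter
# problem. Type 3 and 11 are needed for path-MTU discovery and traceroute.
# NOTE(review): type 8 inbound means the host answers pings from the
# Internet; type 4 (source quench) is deprecated by RFC 6633 - both are
# kept as-is, drop them if not wanted.
fw_add 900 allow icmp from any to any in icmptypes 0,3,4,8,11,12
fw_add 910 allow icmp from any to any out icmptypes 0,3,4,8,11,12

# --- LAN -> Internet: NTP ----------------------------------------------
fw_add 1000 allow udp from "${my_net}" to any 123 keep-state
fw_add 1010 allow tcp from "${my_net}" to any 123 keep-state

# --- LAN -> Internet: Steam --------------------------------------------
fw_add 1100 allow tcp from "${my_net}" to any 27015-27030 setup
fw_add 1110 allow udp from "${my_net}" to any 27000-27037 keep-state
fw_add 1120 allow udp from "${my_net}" to any 27014-27050 keep-state
fw_add 1130 allow udp from "${my_net}" to any 4380 keep-state

# --- everything else ---------------------------------------------------
# Unsolicited inbound TCP connection attempts from the Internet are logged
# and dropped ("setup" only ever matches TCP, so "all" here was misleading).
# Any TCP the host or the LAN opens towards the Internet is allowed; the
# replies come back through rule 310.
fw_add 1200 deny log tcp from any to any in via "${OIF}" setup
fw_add 1210 allow tcp from any to any out via "${OIF}"
# All remaining traffic - UDP other than the DNS/NTP/Steam rules above,
# unlisted ICMP types, GRE/ESP/other protocols - is logged and dropped by
# the fail-safe rule 65000 installed at the top. The old final rule only
# denied UDP, so such traffic used to fall through to the kernel default.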