A simple way to firewall

From FBSD_tips


Rationale

Sometimes, when building a firewall where performance is not critical or the allow/deny rules are quite simple, I find myself valuing simplicity and readability over other concerns. In these cases I have opted for an approach based on shell function calls. Each function has a descriptive name that says what it does: for example, open_if_and_tcp_port_to_net would take three arguments, INTERFACE, PORT and NET, and open that TCP port on the interface to that network. The implementation details are left to the body of the function. Again, this is not designed to generate the most efficient or most technical ruleset, but rather an easily understandable one, and to reduce the chance of a typo.

Implementation

This list of functions is not finished; there is likely redundancy and there are missing pieces. It is a work in progress.

Download the shell include file with (the URL is quoted so the shell does not treat the & as a background operator):

 curl --output firewall.subr 'http://bsdtips.utcorp.net/mediawiki/index.php?title=Firewall.subr&action=raw'

Then edit it to suit your setup.

Function calls:

load_table

Takes 2 arguments.

  1. A path to a file holding network/host addresses in any format IPFW recognizes
  2. The table number to load the addresses into.

This will load an IPFW table with addresses from a file.

tcp_allow_out_net

Takes 2 arguments:

  1. A network specification.
  2. An interface

This will allow outgoing connections to the network to flow across the interface for TCP.

tcp_allow_if_port

Takes 2 arguments:

  1. An interface
  2. A port

This will allow outgoing connections to any host at a specified port.

allow_if_port

Takes 2 arguments:

  1. An interface
  2. A port number

This will allow incoming TCP and UDP on the specified port and interface.

icmp_allow_all_if

Takes one argument:

  1. An interface

This will allow all ICMP traffic on an interface.

udp_allow_all_if

Takes one argument:

  1. An interface

This will allow all UDP traffic on an interface.

tcp_allow_all_if

Takes one argument:

  1. An interface

This will allow all TCP traffic on an interface.

udp_allow_if_addr_to_port

Takes 3 arguments:

  1. An interface
  2. An address
  3. A port

This will allow UDP from a specific address to flow to a specific port across an interface.

udp_allow_if_addr_to_host

Takes 3 arguments:

  1. An interface
  2. An address spec (first network or host)
  3. An address spec (second network or host)

This will allow all UDP traffic between the two networks or hosts across an interface.

setup_loopback

Takes no arguments.

This sets up the loopback interface properly.

Examples

Example 1

 #!/bin/sh
 # Pull in the function definitions before calling them
 # (assumes firewall.subr was saved in the current directory by the curl command above).
 . ./firewall.subr
 OUT_IF="fxp1"
 IN_IF="fxp0"
 #
 # Begin processing
 #
 ipfw -f flush
 setup_loopback
 #
 # for NATd
 /sbin/ipfw add divert natd all from any to any via $OUT_IF
 #
 # Incoming ssh
 tcp_allow_if_port $OUT_IF ssh
 tcp_allow_if_port $IN_IF ssh
 #
 # incoming http
 tcp_allow_if_port $OUT_IF 80
 #
 # bittorrent
 tcp_allow_if_port $OUT_IF 2700-2706
 #
 # OVPN server
 tcp_allow_if_port $OUT_IF 1194
 #
 # whole networks
 # wholesale networks out
 tcp_allow_out_net 10.200.1.0/24 $OUT_IF
 tcp_allow_out_net 10.200.2.0/24 $OUT_IF
 #
 # icmp
 icmp_allow_all_if $IN_IF
 icmp_allow_all_if $OUT_IF
 #
 # Delete this once you are done logging
 ipfw add 65534 deny log ip from any to any
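As an added example (not the wiki's firewall.subr, whose contents are not shown on this page), here is a minimal include in the same style for the functions Example 1 calls: each function wraps one ipfw rule, refuses a wrong argument count, and with FW_DRY_RUN=1 prints the rule instead of loading it so the ruleset can be reviewed first. The exact rule bodies, the FW_DRY_RUN switch, the fw_run/fw_need helpers and the use of ipfw's `me` keyword are my assumptions about how such an include could be written.

```shell
#!/bin/sh
# Added example of a firewall.subr-style include; not the wiki's own file.
# Each function emits one ipfw(8) rule. With FW_DRY_RUN=1 the rule is printed
# instead of loaded, so a ruleset can be reviewed before it touches the kernel.
# Assumed: ipfw at /sbin/ipfw, rules appended with "ipfw add", "me" = host IPs.

IPFW="${IPFW:-/sbin/ipfw}"

# fw_run: run or print a single ipfw command line.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "$IPFW $*"
    else
        "$IPFW" "$@"
    fi
}

# fw_need WANT GOT NAME: refuse a call with the wrong argument count (the typo class the wrappers exist to catch).
fw_need() {
    [ "$1" -eq "$2" ] || { echo "$3: expected $1 args, got $2" >&2; return 1; }
}

# setup_loopback: pass lo0, block 127/8 traffic seen on any other interface.
setup_loopback() {
    fw_run add allow ip from any to any via lo0
    fw_run add deny ip from any to 127.0.0.0/8
    fw_run add deny ip from 127.0.0.0/8 to any
}

# tcp_allow_if_port IF PORT: accept new TCP connections to PORT arriving on IF.
tcp_allow_if_port() {
    fw_need 2 $# tcp_allow_if_port || return 1
    fw_run add allow tcp from any to me "$2" in via "$1" setup keep-state
}

# tcp_allow_out_net NET IF: allow this host to open TCP connections to NET via IF.
tcp_allow_out_net() {
    fw_need 2 $# tcp_allow_out_net || return 1
    fw_run add allow tcp from me to "$1" out via "$2" setup keep-state
}

# load_table FILE TABLE: (re)fill TABLE from FILE, one address per line,
# skipping blank lines and "#" comments.
load_table() {
    fw_need 2 $# load_table || return 1
    fw_run table "$2" flush
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r addr _; do
        fw_run table "$2" add "$addr"
    done
}
```

Source it from a script like Example 1 with `. ./firewall.subr`; running that script once with FW_DRY_RUN=1 shows every rule it would install without changing the live firewall.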

Discussion