From FBSD_tips
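#
# load_table FILE TABLE
#   Feed every non-empty line of FILE to "ipfw table TABLE add".
#   A line is deliberately word-split, so "addr[/len] [value]" entries
#   reach ipfw as separate arguments.  Entries ipfw rejects are reported
#   on stderr and the load continues with the next line.
#
load_table() {
  local file=$1
  local tbl=$2
  local entry
  # read -r keeps backslashes intact; the "|| [ -n ... ]" clause also
  # processes a final line that lacks a trailing newline, which a bare
  # "while read" would silently drop.  Reading from the file directly
  # avoids the extra cat process.
  while read -r entry || [ -n "$entry" ]
  do
    # whitespace-only lines come back empty (default IFS) -- skip them
    # instead of issuing an "ipfw table N add" with no address.
    [ -n "$entry" ] || continue
    # shellcheck disable=SC2086 -- entry may hold "addr value"; splitting is intended
    ipfw table "$tbl" add $entry || printf 'Issue with %s\n' "$entry" >&2
  done < "$file"
}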
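#
# ipsec_host HOST
#   Permit an IPsec peer: IKE (udp isakmp), ESP and IP-in-IP (ipencap)
#   in both directions between HOST and this machine ("me").  The rules
#   are not bound to an interface; AH and NAT-T (udp 4500) are not
#   opened here and need separate rules if the peer uses them.
#
ipsec_host() {
  local host=$1
  ipfw add allow udp from "$host" to me isakmp
  ipfw add allow udp from me to "$host" isakmp
  ipfw add allow esp from "$host" to me
  ipfw add allow esp from me to "$host"
  ipfw add allow ipencap from "$host" to me
  ipfw add allow ipencap from me to "$host"
}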
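#
# tcp_allow_out_net NET IF
#   Let hosts in NET open TCP connections out through IF and deny
#   connection attempts (setup) arriving on IF towards NET.  Established
#   traffic is passed in both directions so replies get back.
#
tcp_allow_out_net() {
  local net=$1
  local ifname=$2
  ipfw add pass tcp from "$net" to any out xmit "$ifname" setup
  ipfw add deny tcp from any to "$net" in recv "$ifname" setup
  ipfw add pass tcp from "$net" to any out xmit "$ifname" established
  ipfw add pass tcp from any to "$net" in recv "$ifname" established
}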
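#
# tcp_allow_out NET IF
#   Same rule set as tcp_allow_out_net, kept under this second name:
#   outbound TCP setup from NET via IF is passed, inbound setup towards
#   NET on IF is denied, established traffic passes both ways.
#
tcp_allow_out() {
  local net=$1
  local ifname=$2
  ipfw add pass tcp from "$net" to any out xmit "$ifname" setup
  ipfw add deny tcp from any to "$net" in recv "$ifname" setup
  ipfw add pass tcp from "$net" to any out xmit "$ifname" established
  ipfw add pass tcp from any to "$net" in recv "$ifname" established
}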
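#
# tcp_allow_if_port IF PORT
#   Accept inbound TCP connections to PORT arriving on IF, and explicitly
#   deny connection attempts leaving IF that are sourced from PORT (the
#   service may answer but not initiate).  Established traffic for the
#   port is passed in both directions.
#
tcp_allow_if_port() {
  local ifname=$1
  local port=$2
  ipfw add pass tcp from any to any "$port" in recv "$ifname" setup
  ipfw add deny tcp from any "$port" to any out xmit "$ifname" setup
  ipfw add pass tcp from any to any "$port" in recv "$ifname" established
  ipfw add pass tcp from any "$port" to any out xmit "$ifname" established
}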
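#
# allow_if_port IF PORT
#   Open PORT on IF for both TCP and UDP: inbound TCP setup and
#   established traffic both ways, and UDP to the port inbound plus UDP
#   from the port outbound.  Unlike tcp_allow_if_port this adds no deny
#   for outbound setup from PORT.  The original listed the inbound UDP
#   rule twice; the duplicate is dropped as it only wasted a rule slot.
#
allow_if_port() {
  local ifname=$1
  local port=$2
  ipfw add pass tcp from any to any "$port" in recv "$ifname" setup
  ipfw add pass tcp from any to any "$port" in recv "$ifname" established
  ipfw add pass tcp from any "$port" to any out xmit "$ifname" established
  ipfw add pass udp from any to any "$port" in recv "$ifname"
  ipfw add pass udp from any "$port" to any out xmit "$ifname"
}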
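#
# icmp_allow_all_if IF
#   Allow every ICMP type through IF in either direction ("via" matches
#   both in and out).  Broad; restrict with "icmptypes" when only echo
#   and error messages are wanted.
#
icmp_allow_all_if() {
  local ifname=$1
  ipfw add allow icmp from any to any via "$ifname"
}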
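#
# udp_allow_all_if IF
#   Allow all UDP through IF in either direction ("via" matches both
#   in and out); no port restriction at all.
#
udp_allow_all_if() {
  local ifname=$1
  ipfw add allow udp from any to any via "$ifname"
}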
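#
# udp_allow_if_addr_to_port IF ADDR PORT
#   Allow UDP from ADDR to PORT anywhere, and the replies from PORT back
#   to ADDR, on IF ("via": either direction).
#
udp_allow_if_addr_to_port() {
  local ifname=$1
  local addr=$2
  local port=$3
  ipfw add allow udp from "$addr" to any "$port" via "$ifname"
  ipfw add allow udp from any "$port" to "$addr" via "$ifname"
}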
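#
# udp_allow_if_addr_to_host IF ADDR HOST
#   Allow all UDP between ADDR and HOST in both directions.
#   NOTE(review): IF is accepted (matching the other *_if_* helpers)
#   but is not applied to the rules, which therefore match on every
#   interface -- confirm whether "via IF" was intended.
#
udp_allow_if_addr_to_host() {
  # shellcheck disable=SC2034 -- kept for signature compatibility, see note above
  local ifname=$1
  local addr=$2
  local host=$3
  ipfw add allow udp from "$addr" to "$host"
  ipfw add allow udp from "$host" to "$addr"
}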
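#
# tcp_allow_all_if IF
#   Allow all TCP through IF in either direction ("via" matches both
#   in and out); no setup/established distinction is made.
#
tcp_allow_all_if() {
  local ifname=$1
  ipfw add allow tcp from any to any via "$ifname"
}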
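#
# tcp_net_to_net NET1 IF1 NET2 IF2
#   One-way TCP policy for a box forwarding between NET1 (on IF1) and
#   NET2 (on IF2): NET1 may open connections to NET2 (passed entering
#   IF1 and leaving IF2); NET2 may not open connections to NET1 (denied
#   entering IF2 and leaving IF1).
#   NOTE(review): established traffic is only passed on IF1 (inbound from
#   NET1 and outbound to NET1); the IF2 legs are left to whatever rules
#   follow -- confirm this matches the intended rule set.
#
tcp_net_to_net() {
  local net1=$1
  local if1=$2
  local net2=$3
  local if2=$4
  ipfw add pass tcp from "$net1" to "$net2" recv "$if1" setup
  ipfw add pass tcp from "$net1" to "$net2" out xmit "$if2" setup
  ipfw add deny tcp from "$net2" to "$net1" recv "$if2" setup
  ipfw add deny tcp from "$net2" to "$net1" out xmit "$if1" setup
  ipfw add pass tcp from "$net1" to "$net2" recv "$if1" established
  ipfw add pass tcp from "$net2" to "$net1" out xmit "$if1" established
}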
#
# setup_loopback
#   Loopback policy with fixed rule numbers (100/200/300) so it always
#   sorts ahead of rules added without a number: pass everything on lo0,
#   then drop any packet to or from the loopback net on other interfaces.
#   Only in rare cases do you want to change these rules.
#
setup_loopback() {
  local lo_net=127.0.0.0/8
  ipfw add 100 pass all from any to any via lo0
  ipfw add 200 deny all from any to "$lo_net"
  ipfw add 300 deny ip from "$lo_net" to any
}