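#!/bin/bash
# ipfwc - IPFWADM frontend
# members.xoom.com/i0wnu (c) March 1999 by Mixter
# This is intended for dialup configuration.
# If you plan to use this on a LAN/Ethernet,
# I strongly recommend to edit this completely
# ipfwc is free - however if you change it,
# please send me the modified script - Mixter
#
# usage: ipfwc [-show/-secure/-fbi]
#   (no argument)  reset to the default rule set
#   -secure        HIGH security level
#   -fbi           PARANOID security level
#   -show          change nothing, only list the chains
# Every path ends by listing the forwarding, output and input chains.
# Any other argument prints the usage line and exits 2.
# ipfwadm changes kernel packet-filter tables, so this has to run as root.

i=/sbin/ipfwadm     # ipfwadm binary; also used for the final listing
if=ppp0             # dialup interface most input rules are bound to (-W)
nf=-n               # numeric output, no name lookups
of=-o               # kernel logging of packets that match the rule
dmask=0.0.0.0/0     # "any address"

# The ports are for MY box. If you run different daemons, change them!
# If you enable "FBI" security, some daemons will cease to work!

#######################################
# Flush the input, output and forwarding chains and set the base
# policies: input accept, output accept, forward deny.
# Every security level starts from this state.
# Globals: i (read)
#######################################
reset_chains() {
  "$i" -If ; "$i" -Ip accept
  "$i" -Of ; "$i" -Op accept
  "$i" -Ff ; "$i" -Fp deny
}

#######################################
# Default level: reject the local daemon ports and a set of ICMP
# types arriving on the dialup interface, deny the traceroute
# UDP port range.
# Globals: i, if, nf, of, dmask (read)
#######################################
default_level() {
  local port itype
  echo PACKET FILTER: Resetting default configuration.
  reset_chains
  # PORTMAP, SYSLOG, MOUNTD, NFSD, CFSD
  for port in 111 514 635 2049 3049; do
    "$i" -Ia reject -P tcp -W "$if" "$nf" "$of" -D "$dmask" "$port"
    "$i" -Ia reject -P udp -W "$if" "$nf" "$of" -D "$dmask" "$port"
  done
  # UNREACH, QUENCH, REDIRECT, ECHO, TS/INFO/ADDRESS QUERY
  # (for ICMP the "port" field of -S carries the ICMP type)
  for itype in 3 4 5 8 13 15 17; do
    "$i" -Ia reject -P icmp -W "$if" "$nf" "$of" -S "$dmask" "$itype"
  done
  # TRACEROUTE SUCKS :)
  "$i" -Ia deny -P udp -W "$if" "$nf" "$of" -D "$dmask" 33400:33500
}

#######################################
# HIGH level: silently deny (no ICMP error back) the common service
# ports, all ICMP, and all unprivileged UDP ports on the dialup
# interface.
# Globals: i, if, nf, of, dmask (read)
#######################################
secure_level() {
  local port
  echo PACKET FILTER: Enabling HIGH security level\!
  reset_chains
  for port in 21 23 25 53 79 80 111 514 635 2049 3049; do
    "$i" -Ia deny -P tcp -W "$if" "$nf" "$of" -D "$dmask" "$port"
    "$i" -Ia deny -P udp -W "$if" "$nf" "$of" -D "$dmask" "$port"
  done
  "$i" -Ia deny -P icmp -W "$if" "$nf" "$of"
  "$i" -Ia deny -P udp -W "$if" "$nf" "$of" -D "$dmask" 1024:65534
}

#######################################
# PARANOID level: deny every incoming TCP connection attempt (SYN
# without ACK, -y), all ICMP, all UDP on the dialup interface, and
# the second-and-further fragment markers.
# NOTE: the rules below that carry no -W "$if" are not limited to the
# dialup link; they apply to packets on every interface, loopback
# included, which is why local daemons stop working at this level.
# Globals: i, if, nf, of, dmask (read)
#######################################
fbi_level() {
  echo PACKET FILTER: Enabling PARANOID security level\!
  reset_chains
  "$i" -Ia deny -P tcp "$nf" "$of" -y
  "$i" -Ia deny -P icmp "$nf" "$of"
  "$i" -Ia deny -P udp -W "$if" "$nf" "$of"
  # The number 0xFF (255) is used for a match with the
  # second and further fragments of ICMP packets.
  # The port number 0xFFFF (65535) is used for a match
  # with the second and further fragments of TCP or UDP
  # packets.
  # (From the ipfwadm Man-Page :P)
  "$i" -Ia deny -P tcp "$nf" "$of" -y -D "$dmask" 65535
  "$i" -Ia deny -P tcp "$nf" "$of" -y -S "$dmask" 65535
  "$i" -Ia deny -P icmp "$nf" "$of" -S "$dmask" 255
}

#######################################
# List the forwarding, output and input chains.
# Globals: i (read)
#######################################
show_rules() {
  "$i" -Fl
  "$i" -Ol
  "$i" -Il
}

#######################################
# Print the usage line to stderr and exit 2.
#######################################
usage() {
  echo "usage: ${0##*/} [-show|-secure|-fbi]" >&2
  exit 2
}

#######################################
# Entry point: pick the level from $1 (none = default), apply it,
# then list the resulting chains.
# Arguments: $1 - optional -show, -secure or -fbi
#######################################
main() {
  # Fail early with a clear message instead of one "not found"
  # per rule if the ipfwadm binary is missing.
  if [ ! -x "$i" ]; then
    echo "ipfwc: $i not found or not executable" >&2
    exit 1
  fi
  if [ $# -eq 0 ]; then
    default_level
  else
    case "$1" in
      '-secure') secure_level ;;
      '-fbi')    fbi_level ;;
      '-show')   ;;   # nothing to change, just list below
      *)         usage ;;
    esac
  fi
  show_rules
}

main "$@"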