Author: Unknown
Email: Unknown
Date Submitted: April 16, 1998
Edited by: David S. Jackson <dsj@dsj.net>
Status: New Entry
| Releases: | All |
| Platform: | All |
| Category: | Encryption and Security |
| Category Listing: | What's the best way to incorporate IPFWADM commands into my startup files? |
Documentation about ipfwadm is not specific about exactly how to insert ipfwadm commands into your startup files. Most people insert the commands into their /etc/rc.d/rc.local file, but many ways exist for doing this. Here is yet another spiffy way.
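#!/bin/sh
#
# pf - install ipfwadm packet filters for this host's external interface.
#
# usage: pf [-flush] [-help]
#   -h, -help    display usage and exit
#   -f, -flush   flush every chain and exit without installing any rule
#
# All four chains are flushed first, so the script can be re-run at any
# time.  Rules are appended to the input chain in order and ipfwadm applies
# the first matching rule, so the anti-spoofing and host blocks must stay
# ahead of the per-service blocks below.  Any failing ipfwadm call aborts
# the script with a non-zero status rather than leaving a silently
# half-installed rule set behind.

FILTER=/sbin/ipfwadm

# External interface and this host's address on it: edit for your machine.
DEV=eth0
ME=204.209.156.4

# Whole loopback network, not just 127.0.0.1, so any 127.x source address
# arriving from the wire is treated as spoofed.
LOOPBACK=127.0.0.0/8

# RFC 1918 private ranges.  ipfwadm treats an address with no mask as a
# single host (/32), so the mask must be given to cover the whole block;
# the original rules without a mask only matched 10.0.0.0, 172.16.0.0 and
# 192.168.0.0 themselves.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Hosts that are denied outright.
BEER=199.166.37.16
HOOK=206.184.205.216
OPENBSD=199.185.137.3
THEOS=199.185.137.1

# UDP services denied from anywhere.  tftp (69) is a UDP service, so it
# belongs here rather than in the TCP list where the original placed it.
SNMP=161
SUNRPC=111
SYSLOG=514
XDMCP=177
TFTPD=69

# TCP services denied from anywhere.  Named RSHELL rather than SHELL, which
# is the user's login shell in the environment and must not be overwritten.
EXEC=512
LOGIN=513
NETSTAT=15
RTELNET=107
RSHELL=514

# usage - print the help text (same wording as before) to stdout.
usage() {
  printf ' %s: filter incoming network packets\n' "$0"
  printf ' usage: %s [-flush] [-help]\n' "$0"
  printf ' -flush: flush all filters\n'
  printf ' -help: display this message\n'
}

# rule - run one ipfwadm command, aborting the script if it fails.
rule() {
  "$FILTER" "$@" || {
    printf '%s: "%s %s" failed\n' "$0" "$FILTER" "$*" >&2
    exit 1
  }
}

case "$1" in
  -h|-help)
    usage
    exit 0
    ;;
esac

# A missing ipfwadm must be a loud failure, not a no-op that looks like a
# working filter.
if [ ! -x "$FILTER" ]; then
  printf '%s: %s is not executable\n' "$0" "$FILTER" >&2
  exit 1
fi

# Flush the accounting, input, output and forwarding chains.
for chain in A I O F; do
  rule -"$chain" -f
done

case "$1" in
  -f|-flush)
    exit 0
    ;;
esac

# Default policy when a packet matches no other rule.
rule -I -p accept

# Anti-spoofing: nothing claiming to be us or loopback may arrive on $DEV.
rule -I -a deny -S "$ME" -D "$ME" -W "$DEV"
rule -I -a deny -S "$LOOPBACK" -D "$ME" -W "$DEV"

# Private/reserved source addresses cannot legitimately arrive on $DEV.
for net in $PRIVATE_NETS; do   # word-splitting of the list is intended
  rule -I -a deny -S "$net" -D "$ME" -W "$DEV"
done

# Individually blocked hosts.
for host in "$BEER" "$HOOK" "$OPENBSD" "$THEOS"; do
  rule -I -a deny -S "$host" -D "$ME" -W "$DEV"
done

# Deny traffic aimed at the X server from any source.  The original rule
# used -S $ME, which the first anti-spoofing rule above already matches in
# full, so it could never take effect.
rule -I -a deny -P tcp -S 0.0.0.0/0 -D "$ME" 5999:6100 -W "$DEV"

# Explicitly deny the listed UDP services from any source.
for port in "$SNMP" "$SUNRPC" "$SYSLOG" "$XDMCP" "$TFTPD"; do
  rule -I -a deny -P udp -S 0.0.0.0/0 -D "$ME" "$port" -W "$DEV"
done

# Explicitly deny the listed TCP services from any source.
for port in "$EXEC" "$LOGIN" "$NETSTAT" "$RTELNET" "$RSHELL"; do
  rule -I -a deny -P tcp -S 0.0.0.0/0 -D "$ME" "$port" -W "$DEV"
done

exit 0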
# Presumably the two lines to add to /etc/rc.d/rc.local so the filter
# script runs at boot (see the text above) -- confirm against your startup
# layout.
printf '%s\n' "network packet filtering..."
/usr/local/bin/pf
See also: man ipfw and man ipfwadm.