re: ipfwadm
On Mon, 21 Dec 1998, Michael Fox wrote:
> Anyone care to show me a quick and dirty ipfwadm script to allow
> ftp/http/irc/mail/dns in/out from linux machine..
>
> I'd like to enable ipfw filters.. but stuck on the writing of the ipfw.sh
> script I would run.. examples would be great..
I'm using the one in the attachment. It was made by a nice person I found
on the #debian channel.
I just added the last part of the script, about not letting outgoing packets through.
Hope that helps.
Best regards,
Nuno Carvalho
------------------------------
Nuno Emanuel F. Carvalho
Dep. Informatics Engineering
University of Coimbra
PGP key available at finger
------------------------------
#! /bin/sh
echo -n "Installing firewall : "
ports="telnet discard domain www ssh"   # TCP services the world may reach
udps="domain"                           # UDP services the world may reach
act="reject" # deny (waiting.. waiting..)
# or reject (connection refused)
my_ip="<your ip>"   # replace with this host's IP address before running
mymask=""           # optional "/netmask" suffix to cover the whole local network
ipfwadm -If # Flush input rules
ipfwadm -I -p accept # accept by default
# accept anything from this machine and its network
# (127.0.0.0/255.0.0.0 covers the whole loopback range, not just one address)
ipfwadm -I -a accept -S 127.0.0.0/255.0.0.0 -D 0.0.0.0/0.0.0.0
ipfwadm -I -a accept -S ${my_ip}${mymask} -D 0.0.0.0/0.0.0.0
# allow all ICMP packets to go through.
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0
# allow anyone to connect to these TCP ports..
for port in $ports ; do
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done
# smtp is only accepted from this host itself
ipfwadm -I -a accept -P tcp -S ${my_ip} -D ${my_ip}${mymask} smtp
# ..and these UDP ports
for port in $udps ; do
ipfwadm -I -a accept -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done
# deny all other Well-Known Services
# (the source needs an explicit /0.0.0.0 mask; a bare 0.0.0.0 would match
# only packets from the single host 0.0.0.0 and the rule would never fire)
ipfwadm -I -a ${act} -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023
ipfwadm -I -a ${act} -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023
###
## don't allow outgoing packets on such ports
###
ipfwadm -Of # Flush output rules
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} domain
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} discard
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} daytime
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} time
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} sunrpc
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} exec
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} login
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} cmd
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} shell
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} printer
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} 6000 # X11 display server
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} finger
echo "done."
- References:
- re: ipfwadm
- From: "Michael Fox" <m_fox@mail.fairfax.com.au>