
re: ipfwadm



On Mon, 21 Dec 1998, Michael Fox wrote:

> Anyone care to show me a quick and dirty ipfwadm script to allow
> ftp/http/irc/mail/dns in/out from a linux machine?
> 
> I'd like to enable ipfw filters, but I'm stuck on writing the ipfw.sh
> script I would run. Examples would be great.

 I'm using the one in the attachment. It was made by a nice person I found
on the #debian channel.

 I just added the last line of the script, about not letting outgoing packets
through.

 Hope that helps.

 Best regards,
   Nuno Carvalho

------------------------------
   Nuno Emanuel F. Carvalho
 Dep. Informatics Engineering
    University of Coimbra

  PGP key available at finger
------------------------------
#! /bin/sh
echo -n "Installing firewall : "
ports="telnet discard domain www ssh"   # TCP services open to everyone
udps="domain"                           # UDP services open to everyone
act="reject"            # deny (waiting.. waiting..)
                        # or reject (connection refused)
my_ip="<your ip>"       # this machine's address
mymask=""               # optional "/netmask" appended to my_ip (empty = this host only)

ipfwadm -If             # Flush rules
ipfwadm -I -p accept    # accept by default

# accept anything from this machine and its network
ipfwadm -I -a accept -S 127.0.0.1/255.255.255.0 -D 0.0.0.0/0.0.0.0
ipfwadm -I -a accept -S ${my_ip}${mymask} -D 0.0.0.0/0.0.0.0

# allow all ICMP packets to go through.
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0

# allow anyone to connect to these TCP ports..
for port in $ports ; do
  ipfwadm -I -a accept -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done

# SMTP only from this machine itself
ipfwadm -I -a accept -P tcp -S ${my_ip} -D ${my_ip}${mymask} smtp

# ..and these UDP ports
for port in $udps ; do
  ipfwadm -I -a accept -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done

# deny all other Well-Known Services (rules match in order, so the accepts
# above win). The source needs a mask: a bare 0.0.0.0 without one matches
# only that single host, and the rule would never fire.
ipfwadm -I -a ${act} -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023
ipfwadm -I -a ${act} -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023

#done

###
## don't allow outgoing packets on such ports
## (the port after -S is the local source port, i.e. replies sent by these services)
###
ipfwadm -Of
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} domain
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} discard
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} daytime
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} time
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} sunrpc
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} exec
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} login
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} cmd
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} shell
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} printer
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} 6000   # X11 (xterm)

ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} finger

echo "done."
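The attached script keeps the input policy at accept and blacklists ports 1:1023 afterwards. The following is an added example, not from the post or its author, showing the same ipfwadm syntax with a default-deny input policy for exactly the services the question asks about (ftp/http/irc/mail/dns); MY_IP is a constructed placeholder, and the service names assume the usual /etc/services entries (IRC is given numerically because its name varies).

```shell
#!/bin/sh
# Added example, not the script from the post: a default-deny ipfwadm input
# rule set for the services the question lists (ftp/http/irc/mail/dns),
# written for the 2.0-kernel ipfwadm syntax. MY_IP is a constructed
# placeholder; replace it with the machine's own address.
MY_IP="${MY_IP:-192.0.2.10}"
ANY="0.0.0.0/0.0.0.0"   # a bare 0.0.0.0 (no mask) matches only that one host

# Emit the ipfwadm commands one per line instead of running them, so the
# rule set can be reviewed (or diffed) before it is loaded.
gen_rules() {
    echo "ipfwadm -If"                      # flush input rules
    echo "ipfwadm -I -p deny"               # default policy: deny input
    echo "ipfwadm -I -a accept -S 127.0.0.0/255.0.0.0 -D $ANY"
    echo "ipfwadm -I -a accept -P icmp -S $ANY -D $ANY"
    # services offered to the world; 6667 is IRC (name varies in /etc/services)
    for svc in ftp www smtp domain 6667; do
        echo "ipfwadm -I -a accept -P tcp -S $ANY -D $MY_IP $svc"
    done
    echo "ipfwadm -I -a accept -P udp -S $ANY -D $MY_IP domain"
    # replies to connections this host opened: TCP with ACK set (-k), so no
    # new connection can be opened to an unprivileged port from outside
    echo "ipfwadm -I -a accept -P tcp -k -S $ANY -D $MY_IP 1024:65535"
    # active-mode ftp data: the server connects out from port 20, replies return to it
    echo "ipfwadm -I -a accept -P tcp -k -S $ANY -D $MY_IP ftp-data"
    # answers from outside resolvers to this host's own DNS queries
    echo "ipfwadm -I -a accept -P udp -S $ANY domain -D $MY_IP 1024:65535"
    # last rule: log (-o) whatever falls through before the policy drops it
    echo "ipfwadm -I -a deny -o -S $ANY -D $MY_IP"
}

# Load the rules; stops at the first command ipfwadm rejects.
apply_rules() {
    gen_rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# "sh script.sh" previews the rules; "sh script.sh apply" (as root) loads them.
if [ "${1:-}" = "apply" ]; then apply_rules; else gen_rules; fi
```

Passive-mode FTP needs data connections to unprivileged ports from outside, which the -k rule deliberately refuses; if the server must offer it, add an explicit accept for the server's passive port range.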
