| 1234567891011121314151617181920212223242526272829303132333435363738394041424344 |
- #!/bin/sh
- # firewall command
- FwCMD="/sbin/ipfw -q"
- ${FwCMD} -f flush
- # Networks define
- ${FwCMD} table 2 add INTERNAL_NETWORK
- #NAT
- ${FwCMD} nat 1 config log if EXTERNAL_INTERFACE reset same_ports
- ${FwCMD} add 6000 nat 1 ip from table\(2\) to not table\(9\) out xmit EXTERNAL_INTERFACE
- ${FwCMD} add 6001 nat 1 ip from any to me in recv EXTERNAL_INTERFACE
- #Shape
- ${FwCMD} add 12001 pipe tablearg ip from any to table\(4\) via INTERNAL_INTERFACE out
- ${FwCMD} add 12000 pipe tablearg ip from table\(3\) to any via INTERNAL_INTERFACE in
- #security
- ${FwCMD} add 3 deny ip6 from any to any
- ${FwCMD} add 4 deny ip from table\(42\) to any
- ${FwCMD} add 4 deny ip from any to table\(42\)
- ${FwCMD} add 101 allow all from DB_HOST to any
- ${FwCMD} add 101 allow all from any to DB_HOST
- #access for our site and other things
- ${FwCMD} add 62100 allow ip from table\(2\) to table\(17\)
- ${FwCMD} add 62100 allow ip from table\(17\) to table\(2\)
- # allow access to my http for all
- ${FwCMD} add 62000 allow tcp from any to me dst-port 80
- ${FwCMD} add 62000 allow tcp from me to any src-port 80
- # default block policy
- ${FwCMD} add 65533 deny all from table\(2\) to any via INTERNAL_INTERFACE
- ${FwCMD} add 65534 deny all from any to table\(2\) via INTERNAL_INTERFACE
- ${FwCMD} add 65535 allow all from any to any
- # netflow stats
- /usr/local/bin/softflowd -i INTERNAL_INTERFACE -n NF_HOST
|
