Author: Unknown
Email: Unknown
Date Submitted: April 16, 1998
Edited by: David S. Jackson <dsj@dsj.net>
Status: New Entry
Releases: | All |
Platform: | All |
Category: | Encryption and Security |
Category Listing: | What's the best way to incorporate IPFWADM commands into my startup files? |
Documentation about ipfwadm is not specific about exactly how to insert ipfwadm commands into your startup files. Most people insert the commands into their /etc/rc.d/rc.local file, but many ways exist for doing this. Here is yet another spiffy way.
#!/bin/sh
FILTER=/sbin/ipfwadm
ME=204.209.156.4
LOCAL=127.0.0.1

if [ "$1" = "-h" -o "$1" = "-help" ] ; then
    echo " $0: filter incoming network packets"
    echo " usage: $0 [-flush] [-help]"
    echo "   -flush: flush all filters"
    echo "   -help:  display this message"
    exit 0
fi

# flush the accounting (A), input (I), output (O) and forwarding (F) chains.
for i in A I O F
do
    $FILTER -$i -f
done

if [ "$1" = "-f" -o "$1" = "-flush" ] ; then
    exit 0
fi

# default policy if a packet doesn't match any other rule.
$FILTER -I -p accept

# deny all spoofing.
$FILTER -I -a deny -S $ME -D $ME -W eth0
$FILTER -I -a deny -S $LOCAL -D $ME -W eth0

# deny traffic from impossible/private/reserved addresses.
# (to ipfwadm a bare address is a single /32 host, so the mask is
# needed to cover the whole range.)
$FILTER -I -a deny -S 10.0.0.0/8 -D $ME -W eth0
$FILTER -I -a deny -S 172.16.0.0/12 -D $ME -W eth0
$FILTER -I -a deny -S 192.168.0.0/16 -D $ME -W eth0

# deny traffic from these losers.
BEER=199.166.37.16
HOOK=206.184.205.216
OPENBSD=199.185.137.3
THEOS=199.185.137.1
$FILTER -I -a deny -S $BEER -D $ME -W eth0
$FILTER -I -a deny -S $HOOK -D $ME -W eth0
$FILTER -I -a deny -S $OPENBSD -D $ME -W eth0
$FILTER -I -a deny -S $THEOS -D $ME -W eth0

# deny traffic aimed at the X server from any source.
# (with -S $ME the rule only matched packets claiming to come from
# this host, which the spoofing rule above already drops.)
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME 5999:6100 -W eth0

# explicitly deny traffic aimed at the following UDP services:
SNMP=161
SUNRPC=111
SYSLOG=514
XDMCP=177
$FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SNMP -W eth0
$FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SUNRPC -W eth0
$FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SYSLOG -W eth0
$FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $XDMCP -W eth0

# explicitly deny all traffic aimed at the following TCP services:
EXEC=512
LOGIN=513
NETSTAT=15
RTELNET=107
SHELL=514
TFTPD=69
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $EXEC -W eth0
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $LOGIN -W eth0
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $NETSTAT -W eth0
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $RTELNET -W eth0
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $SHELL -W eth0
$FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $TFTPD -W eth0

exit 0
Save the script as /usr/local/bin/pf, make it executable, and add these two lines to /etc/rc.d/rc.local so it runs at boot:

echo "network packet filtering..."
/usr/local/bin/pf
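A script like the one above is easier to trust in rc.local if it can be reviewed before it touches the kernel. The following is an added example, not the original entry's script: the rules are built through a function that takes the filter command as an argument, so passing a print wrapper yields a dry run to read, and passing /sbin/ipfwadm applies the same rules. It also validates every address/mask before loading anything, because a bare address in ipfwadm is a /32 host and a typo silently narrows a rule. The address in ME, the interface name and the port lists are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the original page's script). Build the ipfwadm
# ruleset through a function so the same code can be dry-run or applied.

ME=${ME:-192.0.2.10}          # constructed example address (TEST-NET-1)
IFACE=${IFACE:-eth0}          # constructed: outside interface

# Private/unroutable source ranges, each with its mask so the whole
# block is matched (a bare address means a single /32 host to ipfwadm).
BOGON_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# TCP and UDP services that should never be reachable from outside.
DENY_TCP="15 69 107 512 513 514"
DENY_UDP="111 161 177 514"

# valid_cidr ADDR/MASK: succeed only if ADDR is a dotted quad with each
# octet in 0-255 and MASK is a number in 0-32. Catches typos such as a
# missing mask or an octet of 256 before any rule is loaded.
valid_cidr() {
    addr=${1%/*}; mask=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no slash at all
    case "$mask" in ''|*[!0-9]*) return 1;; esac     # mask not numeric
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs   # split on dots
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# show: print wrapper used for dry runs; prints the command it would run.
show() { printf 'ipfwadm %s\n' "$*"; }

# build_rules FILTER_CMD: validate the address list, then emit or apply
# the ruleset through FILTER_CMD (show for a dry run, /sbin/ipfwadm for
# real). Fails without touching the chain if any address is malformed.
build_rules() {
    f=$1
    for net in $BOGON_NETS; do
        valid_cidr "$net" || { echo "bad address: $net" >&2; return 1; }
    done
    "$f" -I -f                                   # flush the input chain
    "$f" -I -p accept                            # default policy
    "$f" -I -a deny -S "$ME" -D "$ME" -W "$IFACE"     # anti-spoofing
    for net in $BOGON_NETS; do
        "$f" -I -a deny -S "$net" -D "$ME" -W "$IFACE"
    done
    for p in $DENY_TCP; do
        "$f" -I -a deny -P tcp -S 0.0.0.0/0 -D "$ME" "$p" -W "$IFACE"
    done
    for p in $DENY_UDP; do
        "$f" -I -a deny -P udp -S 0.0.0.0/0 -D "$ME" "$p" -W "$IFACE"
    done
}

# count_deny_rules: number of deny rules the dry run would install,
# a quick sanity check that the lists were not truncated by editing.
count_deny_rules() { build_rules show | grep -c -- '-a deny'; }

# Dry run by default; FILTER=/sbin/ipfwadm ./pf applies the rules.
build_rules "${FILTER:-show}"
```

Run it once with no FILTER set and read the printed commands; when they look right, run it with FILTER=/sbin/ipfwadm from rc.local. The deny count for the lists above is 15 (one anti-spoofing rule, four address blocks, six TCP and four UDP ports).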
See also: man ipfw and man ipfwadm.