Author: Unknown
Email: Unknown
Date Submitted: April 16, 1998
Edited by: David S. Jackson <dsj@dsj.net>
Status: New Entry
Releases: All
Platform: All
Category: Encryption and Security
Category Listing: What's the best way to incorporate IPFWADM commands into my startup files?


Issue:

Documentation about ipfwadm is not specific about exactly how to insert ipfwadm commands into your startup files. Most people insert the commands into their /etc/rc.d/rc.local file, but many ways exist for doing this. Here is yet another spiffy way.

Response:


    #!/bin/sh

    FILTER=/sbin/ipfwadm
    ME=204.209.156.4
    LOCAL=127.0.0.1

    if [ "$1" = "-h" -o "$1" = "-help" ] ; then

        echo " $0: filter incoming network packets"
        echo " usage: $0 [-flush] [-help]"
        echo "  -flush: flush all filters"
        echo "  -help:  display this message"
        exit 0
    fi

    for i in A I O F
    do
        $FILTER -$i -f
    done

    if [ "$1" = "-f" -o "$1" = "-flush" ] ; then
        exit 0
    fi

    # default policy if a packet doesn't match any other rule.
    $FILTER -I -p accept

    # deny all spoofing.
    $FILTER -I -a deny -S $ME    -D $ME -W eth0
    $FILTER -I -a deny -S $LOCAL -D $ME -W eth0

    # deny traffic from impossible/private/reserved addresses.
    # (a bare address is a single host to ipfwadm; the /mask covers the block.)
    $FILTER -I -a deny -S 10.0.0.0/8     -D $ME -W eth0
    $FILTER -I -a deny -S 172.16.0.0/12  -D $ME -W eth0
    $FILTER -I -a deny -S 192.168.0.0/16 -D $ME -W eth0

    # deny traffic from these losers.
    BEER=199.166.37.16
    HOOK=206.184.205.216
    OPENBSD=199.185.137.3
    THEOS=199.185.137.1
    $FILTER -I -a deny -S $BEER    -D $ME -W eth0
    $FILTER -I -a deny -S $HOOK    -D $ME -W eth0
    $FILTER -I -a deny -S $OPENBSD -D $ME -W eth0
    $FILTER -I -a deny -S $THEOS   -D $ME -W eth0

    # deny traffic aimed at the X server from any source (packets claiming
    # our own address are already dropped by the spoofing rules above).
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME 5999:6100 -W eth0

    # explicitly deny traffic aimed at the following UDP services:
    SNMP=161
    SUNRPC=111
    SYSLOG=514
    TFTPD=69        # tftp is a UDP service, so it belongs here, not in the TCP list
    XDMCP=177
    $FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SNMP   -W eth0
    $FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SUNRPC -W eth0
    $FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $SYSLOG -W eth0
    $FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $TFTPD  -W eth0
    $FILTER -I -a deny -P udp -S 0.0.0.0/0 -D $ME $XDMCP  -W eth0

    # explicitly deny all traffic aimed at the following TCP services:
    EXEC=512
    LOGIN=513
    NETSTAT=15
    RTELNET=107
    SHELL=514
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $EXEC    -W eth0
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $LOGIN   -W eth0
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $NETSTAT -W eth0
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $RTELNET -W eth0
    $FILTER -I -a deny -P tcp -S 0.0.0.0/0 -D $ME $SHELL   -W eth0

    exit 0

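As an added example (not part of the original entry, and not the author's script), here is the same rule set wrapped as an init-style script with start/stop/status/dry-run verbs, so it can be symlinked into /etc/rc.d or called once from rc.local instead of being pasted inline. The address 192.0.2.10, the interface name, the service port lists and the fw_rule_count self-check are assumptions of this example; the one-rule-per-function design is what lets a dry run (IPFWADM=echo) print the rules without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original FAQ entry: an init-style wrapper around
# an ipfwadm rule set. ME, IFACE and the port lists are placeholders; edit them.
# Set IPFWADM=echo to print the rules instead of loading them.

IPFWADM="${IPFWADM:-/sbin/ipfwadm}"
IFACE="${IFACE:-eth0}"
ME="${ME:-192.0.2.10}"          # placeholder (TEST-NET-1); replace with your address
ANY=0.0.0.0/0

# Every rule passes through this one function, so a dry run or a test can
# substitute another command (or a shell function) for the real ipfwadm binary.
fw() { "$IPFWADM" "$@"; }

# Flush the accounting, input, output and forwarding chains.
fw_flush() {
    for chain in A I O F; do
        fw -"$chain" -f
    done
}

# Input-side rules. ipfwadm -a appends; rules are checked in insertion order and
# the first match wins, so the anti-spoofing rules are added before anything else.
fw_load() {
    fw -I -p accept                                    # default policy

    # Anti-spoofing: our own address and the loopback net never arrive on IFACE.
    fw -I -a deny -S "$ME"        -D "$ME" -W "$IFACE"
    fw -I -a deny -S 127.0.0.0/8  -D "$ME" -W "$IFACE"

    # RFC 1918 ranges; the /mask is required, a bare address is a single host.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        fw -I -a deny -S "$net" -D "$ME" -W "$IFACE"
    done

    # Services that must not be reachable from outside (placeholder lists).
    for port in 69 111 161 177 514; do                 # tftp sunrpc snmp xdmcp syslog
        fw -I -a deny -P udp -S "$ANY" -D "$ME" "$port" -W "$IFACE"
    done
    for port in 15 107 512 513 514; do                 # netstat rtelnet exec login shell
        fw -I -a deny -P tcp -S "$ANY" -D "$ME" "$port" -W "$IFACE"
    done
    fw -I -a deny -P tcp -S "$ANY" -D "$ME" 5999:6100 -W "$IFACE"   # X server range
}

# Count the rules fw_load would issue without loading anything, by pointing
# the fw() function at a tallying shell function instead of the binary.
fw_rule_count() {
    n=0
    _tally() { n=$((n + 1)); }
    _saved=$IPFWADM; IPFWADM=_tally
    fw_load
    IPFWADM=$_saved
    echo "$n"
}

case "${1:-}" in
    start)   fw_flush && fw_load ;;
    stop)    fw_flush && fw -I -p accept ;;
    status)  fw -I -l -n ;;                    # list the loaded input rules
    dry-run) IPFWADM=echo; fw_load ;;
    "")      ;;                                # no verb: only define the functions
    *)       echo "usage: $0 {start|stop|status|dry-run}" >&2; exit 1 ;;
esac
```

Install it as an executable script under your init directory (for example /etc/rc.d/init.d/ipfw-rules) and either add `/etc/rc.d/init.d/ipfw-rules start` to rc.local or symlink it early enough in the runlevel that the filters are in place before network daemons start; `IPFWADM=echo ./ipfw-rules dry-run` shows exactly what will be issued, and after boot `ipfwadm -I -l -n` should show the same rules that fw_rule_count reports. ipfwadm is the 2.0-series kernel tool; 2.2 kernels replaced it with ipchains, so check which your kernel supports before relying on this at boot.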
References:

man ipfw and man ipfwadm.