#  
# Firewall configuration file 
# $Id$ 
# Generated by: dotfile ipfwadm 
# see http://www.wolfenet.com/~jhardin/ipfwadm.html for details 
#  

#---------->General Settings<----------
# General settings 
# dialup ISP via PPP, dynamic IP address
# Initialization

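# Define some variables to make things a bit clearer below.
# $INET, $LETH and $ConnEstablished expand to an option *plus* its argument,
# so they are deliberately left unquoted wherever they are used.

# Any system anywhere
export ANY="0.0.0.0/0"
# The Internet connection (dialup PPP, dynamic address)
export INET="-W ppp0"
# This host's own address on the local network.  ipfwadm's -V matches the
# address *of the interface*, so this has to be the host address of eth0,
# not the network number.  55.23.2.50 is the address the "accept everything
# on the LAN side" rules further down already match on -- confirm it against
# "ifconfig eth0" before deploying.
export FWALL_ETH_IP="55.23.2.50"
# The local network port.  The forwarding rules use this to select eth0 as
# the outgoing interface for replies to LAN hosts; with the previous value
# (-V 55.23.0.0, the network number) those rules could never match.
export LETH="-V $FWALL_ETH_IP -W eth0"
# The local network
export LNET="55.23.0.0/255.255.0.0"
# The firewall (this system on the local network), as a single-host entry.
# The previous value 55.23.0.0/32 named the network number, not this host.
export FWALL="$FWALL_ETH_IP/32"
# The firewall's Internet address.  It is dynamic, so "any" is used, which
# means every rule written with "-D $INET_IP" (or "-S $INET_IP") matches
# any address, not just this host.  If the PPP ip-up script exports the
# assigned address, put it here to narrow those rules.
export INET_IP="$ANY"
# ipfwadm flags for TCP: -y matches only packets with SYN and without ACK
# (connection requests; currently unused), -k only packets with ACK set
# (anything but the first packet of a connection, i.e. replies and data of
# connections this side opened).
export OpenNewConn="-y"
export ConnEstablished="-k"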

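# Reset to a known state, failing closed.  The default policy is set to deny
# on every chain *before* the old rules are flushed: had the previous policy
# been accept, flushing first would leave the host rule-less and wide open
# for the moment between the flush and the policy change.  Old rules stay in
# force until the flush, which is the safe direction.  (-p and -f are
# independent in ipfwadm: -f removes rules, not the policy.)
/sbin/ipfwadm -I -p deny      # input: drop whatever no rule accepts
/sbin/ipfwadm -O -p deny      # output: same
/sbin/ipfwadm -F -p deny      # forwarding: same

# Now flush the existing rules so that this file alone defines the rule set.
/sbin/ipfwadm -I -f           # flush existing input rules
/sbin/ipfwadm -O -f           # flush existing output rules
/sbin/ipfwadm -F -f           # flush existing forwarding rules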


#---------->ISP Settings<----------
# ISP settings 

# Anti-spoofing.  A packet arriving from the Internet (ppp0) can never
# legitimately carry a loopback or local-network source address.  These two
# rules go in ahead of every accept rule (ipfwadm is first-match) and log
# what they catch (-o), so spoofing attempts are visible in the kernel log.
for spoofed_src in 127.0.0.0/8 $LNET; do
  /sbin/ipfwadm -I -a deny -o $INET -S $spoofed_src
done

# Allow all traffic on the local side: everything received or sent through
# the interface holding the LAN address (eth0) and through loopback is
# accepted in both directions, with no protocol or port restriction.
# NOTE(review): the only criterion is the interface address, so every host
# on the LAN has unrestricted access to this firewall.
for trusted_if_addr in 55.23.2.50 127.0.0.1; do
  /sbin/ipfwadm -I -a accept -V $trusted_if_addr
  /sbin/ipfwadm -O -a accept -V $trusted_if_addr
done

# Private address space (RFC 1597, since superseded by RFC 1918:
# 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) must never cross the Internet
# link, neither as source nor as destination.  Outbound (-O) uses reject so
# the local sender gets an ICMP error and fails fast; inbound (-I) uses deny
# and logs (-o), because anything arriving on ppp0 with such an address is
# bogus and should not be answered.
# NOTE(review): only the three RFC 1918 blocks are covered here; other
# non-routable ranges (0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, ...) are not.
for private_net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  for addr_side in -S -D; do
    /sbin/ipfwadm -O -a reject $INET $addr_side $private_net
  done
  for addr_side in -S -D; do
    /sbin/ipfwadm -I -a deny -o $INET $addr_side $private_net
  done
done


#---------->IP Masquerade Settings<----------
# IP-Masq settings 
# Not masquerading.  NOTE(review): the local network 55.23.0.0/16 is not
# RFC 1918 space, yet the forwarding rules below pass LAN traffic to the
# Internet unmasqueraded.  Unless that block is actually routed to this
# site, replies cannot find their way back (and the ISP may drop the
# packets).  Either renumber the LAN into a private range and masquerade
# (ipfwadm -M), or keep the LAN off the Internet.


#---------->Deny/Services (Point-to-Point)<----------


#---------->Allow/Services (Point-to-Point)<----------


#---------->Deny/Services (Per-Host, Internet Hosts)<----------


#---------->Deny/Services (Per-Host, Local Hosts)<----------


#---------->Allow/Services (Per-Host, Internet Hosts)<----------
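# Per-Internet-Host Services Allowed
#
# How to read these rules.  ipfwadm keeps no connection state, so every
# service needs a rule for the request and one for the reply in each chain
# a packet crosses: -O (sent by this host), -I (received by this host,
# including packets it will forward) and -F (forwarded; matched on the
# outgoing interface).  For TCP the reply rules carry $ConnEstablished (-k),
# so only packets with ACK set -- never a fresh SYN -- are let in.  UDP has
# no such flag, and the active-FTP data connection is opened *by the remote
# server*, so those two cases carry extra restrictions below.
# $INET_IP is currently $ANY (dynamic PPP address), which widens every
# "-D $INET_IP" to "any destination": a rule meant for this host also
# matches transit traffic.

# ---- DNS: anyone on the local net may query udp/53 on any Internet host ----
# Requests
/sbin/ipfwadm -O -a accept $INET -P udp -S $INET_IP -D $ANY domain
/sbin/ipfwadm -O -a accept $INET -P udp -S $LNET -D $ANY domain
/sbin/ipfwadm -F -a accept $INET -P udp -S $LNET -D $ANY domain
# Replies.  The only thing identifying a reply is source port 53, which any
# sender can choose.  Without a destination-port limit these rules accepted
# *every* UDP datagram with source port 53, to sunrpc, NFS or any other UDP
# listener.  Stub resolvers send from unprivileged ports, so restrict the
# replies to those.  (A nameserver on this host or on the LAN that sends its
# queries from port 53 would need one extra rule with "-D <its address> domain".)
/sbin/ipfwadm -I -a accept $INET -P udp -S $ANY domain -D $INET_IP 1024:65535
/sbin/ipfwadm -F -a accept $LETH -P udp -S $ANY domain -D $LNET 1024:65535
/sbin/ipfwadm -I -a accept $INET -P udp -S $ANY domain -D $LNET 1024:65535

# ---- tcp ftp (21), smtp (25), www (80): this host or the LAN connects out ----
# Outbound: connection requests and our own data.  Inbound: replies only (-k).
for tcp_svc in ftp smtp www; do
  /sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY $tcp_svc
  /sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY $tcp_svc
  /sbin/ipfwadm -O -a accept $INET -P tcp -S $LNET -D $ANY $tcp_svc
  /sbin/ipfwadm -F -a accept $INET -P tcp -S $LNET -D $ANY $tcp_svc
  /sbin/ipfwadm -F -a accept $LETH -P tcp $ConnEstablished -D $LNET -S $ANY $tcp_svc
  /sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $LNET -S $ANY $tcp_svc
done

# ---- Active-FTP data connections ----
# In active mode the *server* connects from port 20 (ftp-data) to a high
# port the client picked, so these are genuine inbound SYNs and cannot be
# filtered with -k.  Any host can send from source port 20, so the accept
# rules below effectively open every port 1024-65535 to anyone willing to
# use that source port.  Close the well-known targets first (first-match),
# logged: X11 displays (6000-6063) and NFS (2049).  Passive FTP, which needs
# no inbound data connection, is the real fix; with it the three inbound
# "ftp-data ... 1024:65535" accept rules can be dropped entirely.
for exposed_port in 6000:6063 2049; do
  /sbin/ipfwadm -I -a deny -o $INET -P tcp -S $ANY ftp-data -D $INET_IP $exposed_port
  /sbin/ipfwadm -I -a deny -o $INET -P tcp -S $ANY ftp-data -D $LNET $exposed_port
done
/sbin/ipfwadm -I -a accept $INET -P tcp -S $ANY ftp-data -D $INET_IP 1024:65535
/sbin/ipfwadm -O -a accept $INET -P tcp $ConnEstablished -D $ANY ftp-data -S $INET_IP 1024:65535
/sbin/ipfwadm -I -a accept $INET -P tcp -S $ANY ftp-data -D $LNET 1024:65535
/sbin/ipfwadm -F -a accept $LETH -P tcp -S $ANY ftp-data -D $LNET 1024:65535
/sbin/ipfwadm -F -a accept $INET -P tcp $ConnEstablished -D $ANY ftp-data -S $LNET 1024:65535
/sbin/ipfwadm -O -a accept $INET -P tcp $ConnEstablished -D $ANY ftp-data -S $LNET 1024:65535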


#---------->Allow/Services (Per-Host, Local Hosts)<----------


#---------->Deny/Services (Global)<----------


#---------->Allow/Services (Global)<----------


#---------->Placeholder<----------
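# Default Internet Policy
# Allow traceroute to send its UDP probes (the usual 33434-33523 port range)
# to the Internet, from this host or forwarded from the LAN.
/sbin/ipfwadm -O -a accept $INET -P udp -S $INET_IP -D $ANY 33434:33523
/sbin/ipfwadm -F -a accept $INET -P udp -S $LNET -D $ANY 33434:33523
/sbin/ipfwadm -O -a accept $INET -P udp -S $LNET -D $ANY 33434:33523
# The answers traceroute waits for are ICMP "time exceeded" (type 11) and
# "port unreachable" (type 3), and nothing in this file lets any ICMP in
# from ppp0: with the input policy at deny, every probe timed out.  Type 3
# also carries "fragmentation needed", which TCP path-MTU discovery relies
# on, so dropping it can stall connections to some sites.  ipfwadm matches
# ICMP on the type given in the source-port position.
for icmp_type in 3 11; do
  /sbin/ipfwadm -I -a accept $INET -P icmp -S $ANY $icmp_type -D $INET_IP
  /sbin/ipfwadm -F -a accept $LETH -P icmp -S $ANY $icmp_type -D $LNET
  /sbin/ipfwadm -I -a accept $INET -P icmp -S $ANY $icmp_type -D $LNET
done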
#
# End of Firewall Configuration

