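#!/bin/sh
#
# Initialization script to set up tight rules-based firewalling and
# masquerading for private LAN <-> internet gateways
# (C) 1998 Ian Hall-Beyer
#
# Contributors:
#   Raymond Moyers - Original script framework
#
# rc.firewall
#
# Chains used (ipfwadm, 2.0-series kernels):
#   -I  input chain    default policy deny
#   -O  output chain   default policy accept
#   -F  forward chain  default policy deny; masquerading lives here
#
# ipfwadm matches rules in insertion order, so the specific deny rules
# below MUST stay ahead of the broad "high ports" accept rule.

# Fail on any unset variable so a typo in a variable name cannot silently
# turn a rule into a wildcard.
set -u

# Set the following variables to match your network.
INTERNALIF="eth1"
INTERNALNET="192.168.1.0/24"
INTERNALIP="192.168.1.1"
#
EXTERNALIF="eth0"
EXTERNALNET="0.0.0.0/0"
EXTERNALIP="0.0.0.0"      # the gateway's own address on $EXTERNALIF

IPFWADM="/sbin/ipfwadm"
ANY="0.0.0.0/0"

# "0.0.0.0" without a mask is a single-host match in ipfwadm, so the
# "dont MasQ external interface direct" rule near the end is inert until
# EXTERNALIP holds the real address. Warn, but still load the rest.
if [ "$EXTERNALIP" = "0.0.0.0" ]; then
  printf '%s: warning: EXTERNALIP is still the placeholder 0.0.0.0\n' "$0" >&2
fi

#
## Flush everything
#
#"$IPFWADM" -A -f
"$IPFWADM" -O -f
"$IPFWADM" -I -f
"$IPFWADM" -F -f
#
## Set default policy: nothing in or through unless explicitly allowed
#
"$IPFWADM" -O -p accept
"$IPFWADM" -I -p deny
"$IPFWADM" -F -p deny
#
## Loopback
#
# The input policy is deny and no other rule matches "lo", so without this
# local clients cannot reach local services on any port outside the accept
# lists below (e.g. portmap on 111).
"$IPFWADM" -I -a accept -W lo -S "$ANY" -D "$ANY"
#
## Anti-spoofing
#
# Packets claiming an internal or loopback source must never arrive on the
# external interface. The forward chain trusts $INTERNALNET sources without
# checking the interface, so a spoofed packet would otherwise be forwarded
# into the LAN. -o logs the hit via the kernel.
"$IPFWADM" -I -a deny -o -W "$EXTERNALIF" -S "$INTERNALNET" -D "$ANY"
"$IPFWADM" -I -a deny -o -W "$EXTERNALIF" -S 127.0.0.0/8 -D "$ANY"
#
## temp icmp block
#
#"$IPFWADM" -I -a deny -W "$EXTERNALIF" -P icmp -S "$ANY" -D "$ANY"
#
## Open inside interface
#
"$IPFWADM" -I -a accept -W "$INTERNALIF" -S "$ANY" -D "$ANY"
#
###############################################################
# Insert trusted networks here (one rule per network, e.g. -S 10.0.0.0/8)
#
#"$IPFWADM" -I -a accept -S a.b.c.d/nn -D "$ANY"
###############################################################
#
## Specific blocks for
##   MS-SQL      1433
##   NFS         2049
##   postgresSQL 5432
##   X11 :0-:2   6000-6002 (rule brackets the range with 5999 and 6003)
#
# These only matter because the "High unpriv ports" rule below opens
# everything above 1023; keep them ahead of it.
"$IPFWADM" -I -a deny -W "$EXTERNALIF" -P tcp -S "$ANY" -D "$ANY" 1433 2049 5432
"$IPFWADM" -I -a deny -W "$EXTERNALIF" -P udp -S "$ANY" -D "$ANY" 1433 2049 5432
"$IPFWADM" -I -a deny -W "$EXTERNALIF" -P tcp -S "$ANY" -D "$ANY" 5999:6003
"$IPFWADM" -I -a deny -W "$EXTERNALIF" -P udp -S "$ANY" -D "$ANY" 5999:6003
#
## High unpriv ports
#
# Needed so replies to masqueraded connections (which use high ports on
# the gateway) get back in. Unprivileged ports start at 1024; the old
# range began at 1023, which is a privileged port.
# WARNING: this also exposes every other service listening above 1023 to
# the internet. Anything you do not want reachable needs an explicit deny
# above this line. For TCP, adding -k (match only packets with ACK set)
# would allow replies while refusing new inbound connections.
"$IPFWADM" -I -a accept -P tcp -S "$ANY" -D "$ANY" 1024:65535
"$IPFWADM" -I -a accept -P udp -S "$ANY" -D "$ANY" 1024:65535
#
## Basic Services
#
# ftp-data ftp ssh telnet smtp dns http auth https. Note that 21/23 are
# cleartext protocols; drop any port you do not actually serve.
"$IPFWADM" -I -a accept -P tcp -S "$ANY" -D "$ANY" 20 21 22 23 25 53 80 113 443
"$IPFWADM" -I -a accept -P udp -S "$ANY" -D "$ANY" 53
#
## ICMP pings
#
"$IPFWADM" -I -a accept -W "$EXTERNALIF" -P icmp -S "$ANY" -D "$ANY"
#
#
## IP MasQ
#
## dont MasQ internal-internal traffic
#
"$IPFWADM" -F -a accept -S "$INTERNALNET" -D "$INTERNALNET"
#
## dont MasQ external interface direct
#
"$IPFWADM" -F -a accept -S "$EXTERNALIP" -D "$ANY"
#
## masq all internal IP's going outside
#
"$IPFWADM" -F -a m -S "$INTERNALNET" -D "$ANY"
#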