Firewalling Tiger (IV)
A new update to the firewall script: it adds rules that allow ntpd to sync with the servers listed in the 'NTPD_SERVERS' variable. This works for NTP servers that have a static FQDN, or when you use an IP address, but ipfw resolves hostnames only at the moment the rule is added, so unless you reload this script periodically it will stop syncing with '0.south-america.pool.ntp.org', whose IP address changes over time.
That's a special server, used specifically to provide NTP sync to as many clients as it can.
#!/bin/sh
# Variables to simplify maintenance
ipf="/sbin/ipfw"
LAN="192.168.2.0/24"
# You can add more servers; the list is comma delimited with no spaces,
# because it is expanded unquoted into the ipfw command line (a space would
# split the list into separate arguments and break the rule)
DNS_SERVERS="192.168.2.2"
NTPD_SERVERS="192.168.2.2,clock.via.net,0.south-america.pool.ntp.org"
## ------------------------------------
# Enable firewall logging
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
# Disable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=0
# Flush existing rules
${ipf} -f flush
# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state
# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0
# Allow established connections
${ipf} add allow tcp from any to any established
## ------------------------------------
## Incoming connections
## ------------------------------------
# Allow ICMP traffic
${ipf} add allow icmp from ${LAN} to me icmptype 0,8
# Allow SSH connections
${ipf} add allow tcp from ${LAN} to me 22 keep-state
# Allow DHCP
${ipf} add allow udp from ${LAN} 67-68 to me 67-68
## ------------------------------------
## Outgoing connections
## ------------------------------------
# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state
# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state
# Allow ntpd traffic
${ipf} add allow tcp from me to ${NTPD_SERVERS} 123 keep-state
${ipf} add allow udp from me to ${NTPD_SERVERS} 123 keep-state
# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state
# Allow IMAPS
${ipf} add allow tcp from me to any 993 keep-state
# Allow Messenger
${ipf} add allow tcp from me to any 1863 keep-state
# Allow Webmin
${ipf} add allow tcp from me to any 10000 keep-state
# Allow me to get to my DNS servers
${ipf} add allow udp from me to ${DNS_SERVERS} 53 keep-state
# Allow ICMP traffic out
${ipf} add allow icmp from me to any out keep-state
## ------------------------------------
## Close down
${ipf} add deny log ip from any to any
# EoF #
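To deal with the pool server whose address changes, here is an added companion script (my own example, not part of the original post) that re-resolves the NTP names and replaces only the NTP rules, instead of flushing and reloading the whole firewall. It assumes /sbin/ipfw and the host(1) resolver are available, and that the rule number NTP_RULE (950 here) is reserved for the NTP rules; unnumbered rules are auto-numbered in steps of 100, so 950 never collides with the main script's rules and still sits before its closing deny.

```shell
#!/bin/sh
# Added example, not the original post's script: re-resolve the NTP server
# names and swap only the numbered NTP rules. Assumes /sbin/ipfw, host(1),
# and that rule number NTP_RULE is reserved for these rules.

ipf="/sbin/ipfw"
NTP_RULE=950
# Comma delimited, no spaces: the list is expanded unquoted into ipfw's argv.
NTPD_SERVERS="192.168.2.2,clock.via.net,0.south-america.pool.ntp.org"

# resolve_host NAME: print one IPv4 address per line. Literal addresses pass
# through untouched; names go through host(1). Redefine to swap resolvers.
resolve_host() {
    case "$1" in
        *[!0-9.]*) host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# ntp_addr_list LIST: turn a comma-separated host list into a comma-separated
# address list in ipfw's addr-list syntax. Names that fail to resolve are
# skipped; an empty result means nothing resolved at all.
ntp_addr_list() {
    addrs=""
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        for ip in $(resolve_host "$name"); do
            addrs="${addrs:+$addrs,}$ip"
        done
    done
    printf '%s' "$addrs"
}

# refresh_ntp_rules: replace the numbered NTP rules with freshly resolved
# ones. If resolution fails completely, keep the existing rules rather than
# leaving the host with no NTP rule at all.
refresh_ntp_rules() {
    addrs=$(ntp_addr_list "$NTPD_SERVERS")
    [ -n "$addrs" ] || { echo "refresh_ntp_rules: no server resolved, rules kept" >&2; return 1; }
    ${ipf} delete ${NTP_RULE} 2>/dev/null || true   # nothing to delete on first run
    ${ipf} add ${NTP_RULE} allow tcp from me to ${addrs} 123 keep-state &&
    ${ipf} add ${NTP_RULE} allow udp from me to ${addrs} 123 keep-state
}

# Run as "sh refresh_ntp.sh refresh", e.g. hourly from cron.
if [ "${1:-}" = "refresh" ]; then
    refresh_ntp_rules
fi
```

For this to replace rather than duplicate the NTP rules, give the two NTP lines in the main script the same fixed number (`add 950 allow ...`).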
Labels: Apple, IPFW Firewall, Os X, Scripts, Security