Wednesday, January 23, 2008

Firewalling Tiger (IV)

A new update of the firewall script: it adds rules that allow NTPD to sync with the servers listed in the 'NTPD_SERVERS' variable. This works with NTP servers that have a "static" FQDN, or when you use an IP address, because ipfw resolves a hostname only once, at the moment the rule is added. Unless you reload this script periodically it will therefore fail to sync with the server '0.south-america.pool.ntp.org', since the IP address that name resolves to changes.
That is a special pool hostname that exists specifically to provide NTP sync to as many clients as it can, so it rotates through many servers.


#!/bin/sh

# Variables to simplify maintenance
ipf="/sbin/ipfw"

LAN="192.168.2.0/24"

# You can add more servers; these are comma delimited, with no spaces
# (a space would split the list into several shell words before ipfw sees it)
DNS_SERVERS="192.168.2.2"
NTPD_SERVERS="192.168.2.2,clock.via.net,0.south-america.pool.ntp.org"

## ------------------------------------

# Enable firewall logging
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Disable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=0

# Flush existing rules
${ipf} -f flush

# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state

# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0

# Allow established connections
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------

# Allow ICMP traffic
${ipf} add allow icmp from ${LAN} to me icmptype 0,8

# Allow SSH connections
${ipf} add allow tcp from ${LAN} to me 22 keep-state

# Allow DHCP
${ipf} add allow udp from ${LAN} 67-68 to me 67-68

## ------------------------------------
## Outgoing connections
## ------------------------------------

# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state

# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state

# Allow ntpd traffic (hostnames in the list are resolved once, when the rule is added)
${ipf} add allow tcp from me to ${NTPD_SERVERS} 123 keep-state
${ipf} add allow udp from me to ${NTPD_SERVERS} 123 keep-state

# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state

# Allow IMAPS
${ipf} add allow tcp from me to any 993 keep-state

# Allow Messenger
${ipf} add allow tcp from me to any 1863 keep-state

# Allow Webmin
${ipf} add allow tcp from me to any 10000 keep-state

# Allow me to get to my DNS servers
${ipf} add allow udp from me to ${DNS_SERVERS} 53 keep-state

# Allow ICMP traffic out
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down
## ------------------------------------

${ipf} add deny log ip from any to any

# EoF #
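As an added example that is not part of the original script, a small companion script that re-resolves the names in NTPD_SERVERS and replaces the NTP rules under a fixed rule number, so it can be run from cron to keep the pool hostname working. It assumes rule number 900 is free and lies before the final deny rule (the main script lets ipfw number its rules automatically), and that `dig` is installed.

```sh
#!/bin/sh
# Refresh the NTP allow rules with the addresses the names resolve to right now.
# Assumed: rule number 900 is unused and sorts before the closing "deny" rule.

ipf="/sbin/ipfw"
NTP_RULE=900
NTPD_SERVERS="192.168.2.2,clock.via.net,0.south-america.pool.ntp.org"

# Resolve one name to its current IPv4 addresses, one per line.
# Plain IP addresses are passed through untouched.
resolve_host() {
    case "$1" in
        *[!0-9.]*) dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' ;;
        *)         echo "$1" ;;
    esac
}
# The resolver is a variable so it can be swapped for a stub when testing offline.
RESOLVER=${RESOLVER:-resolve_host}

# Turn the comma list of names into the comma list of addresses ipfw wants.
ntp_addr_list() {
    list=""
    for h in $(echo "$1" | tr ',' ' '); do
        for a in $($RESOLVER "$h"); do
            list="${list:+$list,}$a"
        done
    done
    echo "$list"
}

# Print the ipfw commands that replace the NTP rules; fails if nothing resolved,
# so a DNS outage never leaves the firewall without the NTP rules.
ntp_rules() {
    addrs=$(ntp_addr_list "$NTPD_SERVERS")
    [ -n "$addrs" ] || return 1
    cat <<EOF
${ipf} delete ${NTP_RULE} 2>/dev/null
${ipf} add ${NTP_RULE} allow tcp from me to ${addrs} 123 keep-state
${ipf} add ${NTP_RULE} allow udp from me to ${addrs} 123 keep-state
EOF
}

# "show" prints the commands, "apply" runs them; no argument does nothing,
# so the file can be sourced to inspect the functions.
case "${1:-}" in
    show)  ntp_rules ;;
    apply) ntp_rules | sh ;;
esac
```

A crontab line such as `0 * * * * /bin/sh /path/to/refresh-ntp-rules.sh apply` (path is a placeholder) re-resolves the names every hour.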
