Firewalling Tiger (V)
This version adds the rules that allow access to the SNMP server on Tiger.
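#!/bin/sh
# ipfw ruleset for Tiger: loopback and established traffic, a short list of
# inbound services from the LAN and from Judith, a whitelist of outbound
# services, and a final deny for everything else.
#
# To list the current rules:
#   sudo /sbin/ipfw list
#
# The startup of this script is controlled by the files in:
#   /Library/StartupItems/Firewall/
#
# No `set -e` on purpose: a single rule that fails to parse must not stop the
# remaining rules -- in particular the final deny -- from being installed.

# Variables to simplify maintenance
ipf="/sbin/ipfw"
# LAN Arenales
LAN="10.120.10.0/29"
# Judith (the host that polls SNMP on this machine)
judith="10.120.10.2"
# Server lists, comma delimited. One ipfw rule is emitted per entry, so the
# list is never handed to ipfw as a single (word-split) argument and spaces
# around the commas are harmless.
DNS_SERVERS="10.120.10.0/29"
NTPD_SERVERS="10.120.10.2, clock.via.net, 0.south-america.pool.ntp.org"
# NOTE(review): ipfw resolves a hostname once, when the rule is added, so an
# entry like the pool.ntp.org name pins whatever address it resolved to at
# load time, and loading the ruleset needs working DNS at boot -- confirm on
# this host.

# Turn a comma-delimited list into whitespace-separated words so a POSIX
# `for` loop can iterate over it. Absolute path: PATH may not be set yet
# when this runs from StartupItems.
split_list() {
  printf '%s' "$1" | /usr/bin/tr ',' ' '
}

# Enable firewall logging
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
# Disable firewall logging. While verbose is 0 the "log" keyword on the final
# deny rule produces no output; swap the two lines to audit dropped packets.
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=0

# Flush existing rules. Until the final deny below is added only the kernel
# default rule (65535) applies -- allow-all on stock OS X kernels, confirm --
# so nothing slow or blocking belongs between here and the end of the script.
${ipf} -f flush
# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state
# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0
# Allow established connections
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------
# Allow ICMP echo reply/request from the LAN only
${ipf} add allow icmp from "${LAN}" to me icmptype 0,8
# Allow SSH connections
${ipf} add allow tcp from "${LAN}" to me 22 keep-state
# Allow DHCP
${ipf} add allow udp from "${LAN}" 67-68 to me 67-68
# Allow snmp (and snmp traps) from Judith only
${ipf} add allow udp from "${judith}" to me 161-162
# Allow Synergy connections
${ipf} add allow tcp from "${LAN}" to me 24800 keep-state

## ------------------------------------
## Outgoing connections
## ------------------------------------
# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state
# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state
# Allow ntpd traffic, one rule pair per configured server
for srv in $(split_list "${NTPD_SERVERS}"); do
  ${ipf} add allow tcp from me to "${srv}" 123 keep-state
  ${ipf} add allow udp from me to "${srv}" 123 keep-state
done
# Allowed so SNMPD replies can return to Judith (any UDP port)
${ipf} add allow udp from me to "${judith}"
# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state
# Allow IMAPS
${ipf} add allow tcp from me to any 993 keep-state
# Allow Messenger
${ipf} add allow tcp from me to any 1863 keep-state
# Allow RDP traffic
${ipf} add allow tcp from me to any 3389 keep-state
# Allow HTTP alternative access
${ipf} add allow tcp from me to any 8080 keep-state
# Allow Webmin
${ipf} add allow tcp from me to any 10000 keep-state
# Allow Synergy connections to the server on Tango
${ipf} add allow tcp from me to "${LAN}" 24800 keep-state
# Allow me to get to my DNS servers, one rule per configured server
for srv in $(split_list "${DNS_SERVERS}"); do
  ${ipf} add allow udp from me to "${srv}" 53 keep-state
done
# Allow ICMP traffic out
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down: everything not matched above is dropped (logged only when
## net.inet.ip.fw.verbose is 1, see above).
${ipf} add deny log ip from any to any
# EoF #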
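#!/bin/sh
# ipfw ruleset for Tiger: loopback and established traffic, a short list of
# inbound services from the LAN and from Judith, a whitelist of outbound
# services, and a final deny for everything else.
#
# To list the current rules:
#   sudo /sbin/ipfw list
#
# The startup of this script is controlled by the files in:
#   /Library/StartupItems/Firewall/
#
# No `set -e` on purpose: a single rule that fails to parse must not stop the
# remaining rules -- in particular the final deny -- from being installed.

# Variables to simplify maintenance
ipf="/sbin/ipfw"
# LAN Arenales
LAN="10.120.10.0/29"
# Judith (the host that polls SNMP on this machine)
judith="10.120.10.2"
# Server lists, comma delimited. One ipfw rule is emitted per entry, so the
# list is never handed to ipfw as a single (word-split) argument and spaces
# around the commas are harmless.
DNS_SERVERS="10.120.10.0/29"
NTPD_SERVERS="10.120.10.2, clock.via.net, 0.south-america.pool.ntp.org"
# NOTE(review): ipfw resolves a hostname once, when the rule is added, so an
# entry like the pool.ntp.org name pins whatever address it resolved to at
# load time, and loading the ruleset needs working DNS at boot -- confirm on
# this host.

# Turn a comma-delimited list into whitespace-separated words so a POSIX
# `for` loop can iterate over it. Absolute path: PATH may not be set yet
# when this runs from StartupItems.
split_list() {
  printf '%s' "$1" | /usr/bin/tr ',' ' '
}

# Enable firewall logging
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
# Disable firewall logging. While verbose is 0 the "log" keyword on the final
# deny rule produces no output; swap the two lines to audit dropped packets.
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=0

# Flush existing rules. Until the final deny below is added only the kernel
# default rule (65535) applies -- allow-all on stock OS X kernels, confirm --
# so nothing slow or blocking belongs between here and the end of the script.
${ipf} -f flush
# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state
# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0
# Allow established connections
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------
# Allow ICMP echo reply/request from the LAN only
${ipf} add allow icmp from "${LAN}" to me icmptype 0,8
# Allow SSH connections
${ipf} add allow tcp from "${LAN}" to me 22 keep-state
# Allow DHCP
${ipf} add allow udp from "${LAN}" 67-68 to me 67-68
# Allow snmp (and snmp traps) from Judith only
${ipf} add allow udp from "${judith}" to me 161-162
# Allow Synergy connections
${ipf} add allow tcp from "${LAN}" to me 24800 keep-state

## ------------------------------------
## Outgoing connections
## ------------------------------------
# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state
# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state
# Allow ntpd traffic, one rule pair per configured server
for srv in $(split_list "${NTPD_SERVERS}"); do
  ${ipf} add allow tcp from me to "${srv}" 123 keep-state
  ${ipf} add allow udp from me to "${srv}" 123 keep-state
done
# Allowed so SNMPD replies can return to Judith (any UDP port)
${ipf} add allow udp from me to "${judith}"
# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state
# Allow IMAPS
${ipf} add allow tcp from me to any 993 keep-state
# Allow Messenger
${ipf} add allow tcp from me to any 1863 keep-state
# Allow RDP traffic
${ipf} add allow tcp from me to any 3389 keep-state
# Allow HTTP alternative access
${ipf} add allow tcp from me to any 8080 keep-state
# Allow Webmin
${ipf} add allow tcp from me to any 10000 keep-state
# Allow Synergy connections to the server on Tango
${ipf} add allow tcp from me to "${LAN}" 24800 keep-state
# Allow me to get to my DNS servers, one rule per configured server
for srv in $(split_list "${DNS_SERVERS}"); do
  ${ipf} add allow udp from me to "${srv}" 53 keep-state
done
# Allow ICMP traffic out
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down: everything not matched above is dropped (logged only when
## net.inet.ip.fw.verbose is 1, see above).
${ipf} add deny log ip from any to any
# EoF #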
Labels: Apple, IPFW Firewall, Os X, Scripts, Security, Synergy