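#!/bin/bash
#
# Start using firewalls on dnsc
# -----------------------------
#
# Sets the ipfwadm input/forward default policies to deny, flushes every
# chain, then accepts loopback plus a short list of services destined for
# 157.22.35.0/24, and finally enables IPv4 packet forwarding.
# Must run as root (writes kernel firewall tables and /proc/sys).
#
# NOTE(review): the copy this file was restored from had all of its line
# breaks collapsed, so the one-command-per-line layout below is a
# reconstruction. Which of the per-service -I/-F pairs near the end were
# commented out in the original could not be recovered with certainty;
# verify the active rule set against the original before deploying.
#
# Review changes relative to the original:
#   * set -e: the deny policies are applied first, so aborting on any later
#     error leaves the host closed rather than half-configured.
#   * the per-service rules used "ACCEPT ... 53 tcp"; every other rule in
#     this file gives the protocol with -P, and a trailing "tcp"/"udp" word
#     would be parsed as an extra port name, so they are rewritten in the
#     same -P/-S/-D form as the rest of the file.
#   * port 123 was labelled "HTTP (Web)"; it is NTP (see note at the rule).
#
set -eu
#
# 12-Jan-05 amo Date-of-Birth
#
#
# Original Source
# ---------------
# ftp://ftp.xos.nl/pub/linux/ipfwadm
#
# FAQ
# http://www.fwtk.org/ipfwadm/faq/ipfwadm-faq.html
#
#
# ipfwadm usage
# --------------
# http://www.fwtk.org/ipfwadm/faq/ipfwadm-faq-4.html
#
#
# No NAT
# http://sourceforge.net/docman/display_doc.php?docid=1452&group_id=13751
#
#
# http://howtos.linux.com/howtos/Cipe+Masq-7.shtml
#
# eth0 - eth1
# http://www.faqs.org/docs/linux_network/x-087-2-firewall.example.html
#
# http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/rc.firewall-2.0-stronger
#
# https://secure.linuxports.com/howto/IP-MASQ/x1428.htm
#
# http://sourceforge.net/docman/display_doc.php?docid=1452&group_id=13751
#
# http://library.n0i.net/linux-unix/administration/nag2/
#
#
# ===================
# 2-Line Firewall
# ===================
# http://www.tldp.org/HOWTO/Firewall-HOWTO-7.html
# http://www.fwtk.org/ipfwadm/faq/ipfwadm-faq-4.html ( rc.local )
# http://k12linux.mesd.k12.or.us/nag2/x-087-2-firewall.original.html
# ipfwadm -F -p deny
# ipfwadm -F -a -m -S 192.168.100.0/24 -D 0/0
#
#
# =================
# 4-Line Firewall
# =================
# http://library.n0i.net/linux-unix/administration/nag2/x-087-2-firewall.original.html
#
# flush all of the forwarding rules
# ipfwadm -F -f
#
# by default, deny or disallow forwarding
# ipfwadm -F -p deny
#
# allow outgoing httpd
# ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 80
#
# accept incoming httpd
# ipfwadm -F -a accept -P tcp -S 0/0 80 -D 172.16.1.0/24
#
# use the "bidirectional trick" in lieu of the above 2 lines
# ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 80 -b
#
#
# Masquerade Connections
# ----------------------
# netstat -M
#
# view of all Forwarding packet rules ( /proc/net/ip_forward )
# ipfwadm -Fnle
# ipfwadm -F -l
# ipfwadm -F -l -e
#
# view of all Incoming packet rules ( /proc/net/ip_input )
# ipfwadm -Inle
#
# view of all Outgoing packet rules ( /proc/net/ip_output )
# ipfwadm -Onle
#
#
# Deny Everything
# ================
#
# first, like some people i know, i deny everything incoming...
# (policy is set before the flush below: a policy is not a rule, so the
#  flush does not reset it, and the host stays closed while rules load)
ipfwadm -I -p deny
#
# Then i deny all forwarding period...
ipfwadm -F -p deny
#
# Then to close everything off i deny all outgoing transmissions...
# (left commented out as in the original, so the -O chain keeps the
#  kernel's default policy, normally accept)
# ipfwadm -O -p deny
#
# masquerading
# ------------
# ipfwadm -F -a -m -S 192.168.100.0/24 -D 0/0
#
#
# Flush all the rules
# ====================
ipfwadm -I -f
ipfwadm -F -f
ipfwadm -O -f
ipfwadm -A -f
#
#
# allows for incoming packets to 192.168.100.10 from local network flowing anywhere
# ipfwadm -I -a accept -V 192.168.100.10 -S 192.168.100.0/24 -D 0/0
#
# spoof checking for any external interface traffic that claims to be coming
# from inside the network (placeholder interface address; not active here)
# ipfwadm -I -a deny -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o
#
# Loopback is ok
ipfwadm -I -a accept -V 127.0.0.1 -S 0/0 -D 0/0
#
#
# deny a certain ip from accessing a specific bad_ip site
# ipfwadm -I -a reject -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D bad_ip/32 -o
#
# fall through rule to deny all others incoming and log associated unfriendly packets
# ipfwadm -I -a deny -S 0/0 -D 0/0 -o
#
#
# allow any traffic flowing out from my local internal trusted interface
# to travel from anywhere to my local network
# ipfwadm -O -V ip_address_trusted_internal_trusted_interface -S 0/0 -D 192.168.100.0/24
#
# deny anything that is flowing out of ip_of_external_perimeter_interface regardless
# of where the packet originates sending packets towards internal network period and record
# ipfwadm -O -a deny -V ip_address_of_external_perimeter_interface -S 0/0 -D 192.168.100.0/24 -o
#
# real good idea to not allow any masquerading that you haven't authorized
# ipfwadm -O -a deny -V ip_address_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o
#
#
# forwarding of DNS to your network
# ipfwadm -F -a accept -b -P udp -S 0/0 53 -D 192.168.100.0/24
#
# forward outgoing email
# ipfwadm -F -a accept -b -P tcp -S 192.168.100.100/32 25 -D 0/0 1024:65535
#
# forward incoming email
# ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.100/32 25
#
# Forward outgoing and incoming http
# ipfwadm -F -a accept -b -P tcp -S 192.168.100.0/24 80 -D 0/0 1024:65535
# ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.150 80
#
# deny all other Forwarding
# ipfwadm -F -a deny -S 0/0 -D 0/0 -o
#
#
# ======
# PING
# ======
# http://www.fwtk.org/ipfwadm/faq/ipfwadm-faq-4.html ( rc.local )
# http://library.n0i.net/linux-unix/administration/nag2/x-087-2-firewall.original.html
#
# here all type '8' messages are allowed
# ipfwadm -I -a accept -P icmp -V ip_address_trusted_internal_interface -S 192.168.100.0/24 8 -D 0/0
#
# echo request is [F]orwarded as long as [S]ource address is wherever and destination wherever
# ipfwadm -F -a accept -P icmp -S 0/0 8 -D 0/0
#
# allow echo request from -V external interface to come or go from anywhere but log it.
# ipfwadm -O -a accept -P icmp -V ip_address_of_external_perimeter_interface -S 0/0 8 -D 0/0 -o
#
# here all type '0' messages are allowed
# ipfwadm -I -a accept -P icmp -V ip_address_untrusted_external_interface -S 0/0 0 -D 0/0
#
# echo reply is [F]orwarded as long as [S]ource address is anywhere and [D]estination is wherever.
# ipfwadm -F -a accept -P icmp -S 0/0 0 -D 0/0
#
# allow 'echo reply' originating from -V trusted_internal_interface with a [S]ource from anywhere to
# ipfwadm -O -a accept -P icmp -V ip_address_of_internal_trusted_interface -S 0/0 0 -D 192.168.100.0/24 -o
#
#
# Services accepted for 157.22.35.0/24
# ====================================
# Each service gets an input (-I) and a forward (-F) rule. Written in the
# same -P/-S/-D form as the rest of this file; -S 0/0 makes the any-source
# match explicit.
#
ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 53    # DNS (tcp)
ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 53    # DNS (tcp)
ipfwadm -I -a accept -P udp -S 0/0 -D 157.22.35.0/24 53    # DNS (udp)
ipfwadm -F -a accept -P udp -S 0/0 -D 157.22.35.0/24 53    # DNS (udp)
#
# http://securitypronews.com/2002/0418.html
#
# accept incoming SMTP and DNS connections, but only to the Mail/Name Server
# ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 53 25
# ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
#
# ipfwadm -F -a accept -P udp -S 0/0 53 -D 172.16.37.0/24 53 1024:65535
#
# accept and pass through anything originating inside
# ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
#
# deny most other incoming TCP/udp connections and log them
# ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
# ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
#
ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 22    # ssh
ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 22    # ssh
#
# ipfwadm -I -a ACCEPT -D 157.22.35.0/24 22 tcp # FTP --> this example is wrong - they probably meant ssh
# ipfwadm -F -a ACCEPT -D 157.22.35.0/24 22 tcp # FTP
#
ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 25    # SMTP (mail)
ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 25    # SMTP (mail)
#
# ( Correct, ftp uses 20 and 21 )
# ipfwadm -a deny -P tcp -S 0/0 20 -D 172.16.1.0/24 -y # FTP
# ipfwadm -a accept -P tcp -S 172.16.1.0/24 -D 0/0 20 -b
#
# ipfwadm -a deny -P tcp -S 0/0 21 -D 172.16.1.0/24 -y
# ipfwadm -a accept -P tcp -S 172.16.1.0/24 -D 0/0 21 -b
#
ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 80    # HTTP (Web)
ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 80    # HTTP (Web)
#
# NOTE(review): port 123 is NTP, not HTTP as the original comment said.
# NTP normally uses UDP; confirm whether tcp/123 was really intended.
ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 123   # NTP (tcp)
ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 123   # NTP (tcp)
#
# HTTPS left commented out as in the original
# ipfwadm -I -a accept -P tcp -S 0/0 -D 157.22.35.0/24 443 # HTTPS (Web - Secure)
# ipfwadm -F -a accept -P tcp -S 0/0 -D 157.22.35.0/24 443 # HTTPS (Web - Secure)
#
#
# Turn on Packet Forwarding
# -------------------------
# Done last, after the -F deny policy and the forward rules are in place.
echo "1" > /proc/sys/net/ipv4/ip_forward
#
#
# End of file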