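[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	#
	# Configuration:
	#  firewall_client_net:       Network address of local IPv4 network.
	#  firewall_client_net_ipv6:  Network address of local IPv6 network.
	#                             (Currently ignored: the net6 assignment
	#                             below is commented out, so the IPv6
	#                             rules in this section are never loaded.)
	#
	# Traffic shaping: every "accept" below is a dummynet queue action
	# (pipe 1 = outbound, pipe 2 = inbound, SMTP weighted above the rest).
	# A queue action only terminates rule processing while
	# net.inet.ip.fw.one_pass=1 (the default). With one_pass=0 the packet
	# is reinjected after the pipe, and an inbound SSH/HTTPS SYN would then
	# fall through to "deny tcp from any to any setup" further down.
	############

	# set this to your local network
	net="$firewall_client_net"
	#net6="$firewall_client_net_ipv6"

	# Warn when the kernel setting this rule set depends on is off.
	# If ipfw is not loaded yet sysctl fails, the test is skipped.
	if [ "$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null)" = "0" ]; then
		echo "rc.firewall: client: net.inet.ip.fw.one_pass=0; dummynet queue rules will not accept packets" >&2
	fi

	if [ -n "$net" ]; then
		# Allow limited broadcast traffic from my own net.
		${fwcmd} add pass all from ${net} to 255.255.255.255

		# Allow any traffic to or from my own net.
		${fwcmd} add pass all from me to ${net}
		${fwcmd} add pass all from ${net} to me
	else
		# With an empty ${net} ipfw rejects the three rules above anyway
		# (no rule gets installed); say why instead of emitting three
		# ipfw syntax errors.
		echo "rc.firewall: client: firewall_client_net is not set; local-net rules skipped" >&2
	fi

	if [ -n "$net6" ]; then
		${fwcmd} add pass all from me to ${net6}
		${fwcmd} add pass all from ${net6} to me

		# Allow any link-local multicast traffic
		${fwcmd} add pass all from fe80::/10 to ff02::/16
		${fwcmd} add pass all from ${net6} to ff02::/16
		# Allow DHCPv6
		${fwcmd} add pass udp from fe80::/10 to me 546
	fi

	# Pipe to throttle outbound traffic
	#${fwcmd} pipe 1 config bw 1Mbit/s burst 0
	${fwcmd} pipe 1 config bw 825Kbit/s
	## Queues for outbound balancing
	# mail
	${fwcmd} queue 11 config pipe 1 weight 7
	# everything else
	${fwcmd} queue 12 config pipe 1 weight 1

	# Pipe to throttle inbound traffic
	${fwcmd} pipe 2 config bw 3Mbit/s
	## Queues for inbound balancing
	# mail
	${fwcmd} queue 21 config pipe 2 weight 7
	# everything else
	${fwcmd} queue 22 config pipe 2 weight 1

	# Allow incoming email
	${fwcmd} add queue 21 tcp from any to me 25
	${fwcmd} add queue 11 tcp from me to any src-port 25

	# Allow TCP through if setup succeeded
	# NOTE(review): "established" matches any TCP segment with ACK or RST
	# set, so ACK-flag probes reach every local port regardless of the
	# setup rules below. keep-state/check-state would be stricter, but
	# dynamic rules inherit the parent's queue action, so that change has
	# to be designed together with the shaping -- only noted here.
	${fwcmd} add queue 12 tcp from me to any established
	${fwcmd} add queue 22 tcp from any to me established

	# Allow IP fragments to pass through
	# NOTE(review): non-first fragments carry no port numbers and are
	# accepted unconditionally here; a known soft spot of this rule set.
	${fwcmd} add queue 12 all from me to any frag
	${fwcmd} add queue 22 all from any to me frag

	# Disallow outgoing email: this host must not originate SMTP
	# connections (e.g. from a compromised local process). Replies from
	# the local MTA still pass via the src-port 25 rule above.
	${fwcmd} add deny tcp from me to any 25 setup
	${fwcmd} add deny tcp from me to any 465 setup
	${fwcmd} add deny tcp from me to any 587 setup

	# Disallow outgoing ident
	${fwcmd} add deny tcp from me to any 113 setup

	# Allow incoming SSH setup
	# NOTE(review): open to any source address; restrict to a trusted
	# network or rely on sshd hardening (keys only, rate limiting).
	${fwcmd} add queue 22 tcp from any to me 22 setup

	# allow incoming http
	#${fwcmd} add queue 22 tcp from any to me 80 setup
	${fwcmd} add queue 22 tcp from any to me 443 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add queue 12 tcp from me to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# allow mtu discovery
	${fwcmd} add queue 12 icmp from me to any icmptypes 3
	${fwcmd} add queue 22 icmp from any to me icmptypes 3
	# allow source quench
	# NOTE(review): ICMP source quench is deprecated (RFC 6633) and
	# modern stacks ignore it; the rule is harmless but could be dropped.
	${fwcmd} add queue 12 icmp from me to any icmptypes 4
	${fwcmd} add queue 22 icmp from any to me icmptypes 4
	# allow ping
	${fwcmd} add queue 12 icmp from me to any icmptypes 8,0
	${fwcmd} add queue 22 icmp from any to me icmptypes 8,0
	# allow traceroute
	${fwcmd} add queue 12 icmp from me to any icmptypes 11
	${fwcmd} add queue 22 icmp from any to me icmptypes 11
	${fwcmd} add queue 12 udp from me to any dst-port 33435-33524
	${fwcmd} add queue 22 udp from any to me dst-port 33435-33524

	# Allow DNS queries out in the world
	# NOTE(review): the inbound rule is stateless -- any UDP datagram
	# whose source port is 53 reaches every local UDP port. Stock
	# rc.firewall puts keep-state on the outbound rule; here that has to
	# be reconciled with the queue actions, so it is only noted.
	${fwcmd} add queue 12 udp from me to any 53
	${fwcmd} add queue 22 udp from any 53 to me

	# Allow NTP queries out in the world (same caveat as DNS: any UDP
	# from source port 123 is accepted to any local port)
	${fwcmd} add queue 12 udp from me to any 123
	${fwcmd} add queue 22 udp from any 123 to me

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;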