rwoeber · June 6, 2011 10:25
diff --git a/gistfile1.sh b/gistfile1.sh
 #!/bin/sh

 # inspired by 1fbsdguru's stuff at:
 # http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/
 # do not forget to set right ip!

 ip="my.ip.address"
 IPF="ipfw -q add"

 # Loopback 
 ${IPF} 100 pass all from any to any via lo0
 ${IPF} 200 deny all from any to 127.0.0.0/8
 ${IPF} 300 deny ip from 127.0.0.0/8 to any

 # Allow anything outbound from this address.
 ${IPF} allow all from ${ip} to any out
 ${IPF} allow all from ${ip} to any out

 # Deny anything outbound from other addresses.
 ${IPF} deny log all from any to any out

 # Allow TCP through if setup succeeded.
 ${IPF} allow tcp from any to any established

 # Allow IP fragments to pass through.
 ${IPF} allow all from any to any frag

 # Allow all IPv6 packets through - they are handled by the separate
 # ipv6 firewall rules in rc.firewall6.
 ${IPF} allow ipv6 from any to any

 # Allow inbound ssh, email, tcp-dns, http, https, imap, imaps,
 # pop3, pop3s.
 ${IPF} allow tcp from any to ${ip} 22 setup
 ${IPF} allow tcp from any to ${ip} 222 setup
 ${IPF} allow tcp from any to ${ip} 25 setup
 ${IPF} allow tcp from any to ${ip} 53 setup
 ${IPF} allow tcp from any to ${ip} 80 setup
 ${IPF} allow tcp from any to ${ip} 443 setup
 ${IPF} allow tcp from any to ${ip} 143 setup
 ${IPF} allow tcp from any to ${ip} 993 setup
 ${IPF} allow tcp from any to ${ip} 110 setup
 ${IPF} allow tcp from any to ${ip} 995 setup

 # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
 # without logging.
 ${IPF} reset tcp from any to ${ip} 113 setup
 ${IPF} reset tcp from any to ${ip} 139 setup
 ${IPF} reset tcp from any to ${ip} 389 setup
 ${IPF} reset tcp from any to ${ip} 445 setup

 # Deny some chatty UDP broadcast protocols without logging.
 ${IPF} deny udp from any 137 to any
 ${IPF} deny udp from any to any 137
 ${IPF} deny udp from any 138 to any
 ${IPF} deny udp from any 513 to any
 ${IPF} deny udp from any 525 to any

 # Allow inbound DNS and NTP replies.  This is somewhat of a hole,
 # since we're looking at the incoming port number, which can be
 # faked, but that's just the way DNS and NTP work.
 ${IPF} allow udp from any 53 to ${ip}
 ${IPF} allow udp from any 123 to ${ip}

 # Allow inbound DNS queries.
 ${IPF} allow udp from any to ${ip} 53

 # Allow inbound NTP queries.
 ${IPF} allow udp from any to ${ip} 123

 # Allow traceroute to function, but not to get in.
 ${IPF} unreach port udp from any to ${ip} 33435-33524

 # Allow some inbound icmps - echo reply, dest unreach, source quench,
 # echo, ttl exceeded.
 ${IPF} allow icmp from any to any icmptypes 0,3,4,8,11

 # Everything else is denied and logged.
 ${IPF} deny log all from any to any
	#!/bin/sh

	# inspired by 1fbsdguru's stuff at:
	# http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/
	# do not forget to set right ip!

	ip="my.ip.address"
	IPF="ipfw -q add"

	# Loopback
	${IPF} 100 pass all from any to any via lo0
	${IPF} 200 deny all from any to 127.0.0.0/8
	${IPF} 300 deny ip from 127.0.0.0/8 to any

	# Allow anything outbound from this address.
	${IPF} allow all from ${ip} to any out
	${IPF} allow all from ${ip} to any out

	# Deny anything outbound from other addresses.
	${IPF} deny log all from any to any out

	# Allow TCP through if setup succeeded.
	${IPF} allow tcp from any to any established

	# Allow IP fragments to pass through.
	${IPF} allow all from any to any frag

	# Allow all IPv6 packets through - they are handled by the separate
	# ipv6 firewall rules in rc.firewall6.
	${IPF} allow ipv6 from any to any

	# Allow inbound ssh, email, tcp-dns, http, https, imap, imaps,
	# pop3, pop3s.
	${IPF} allow tcp from any to ${ip} 22 setup
	${IPF} allow tcp from any to ${ip} 222 setup
	${IPF} allow tcp from any to ${ip} 25 setup
	${IPF} allow tcp from any to ${ip} 53 setup
	${IPF} allow tcp from any to ${ip} 80 setup
	${IPF} allow tcp from any to ${ip} 443 setup
	${IPF} allow tcp from any to ${ip} 143 setup
	${IPF} allow tcp from any to ${ip} 993 setup
	${IPF} allow tcp from any to ${ip} 110 setup
	${IPF} allow tcp from any to ${ip} 995 setup

	# Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
	# without logging.
	${IPF} reset tcp from any to ${ip} 113 setup
	${IPF} reset tcp from any to ${ip} 139 setup
	${IPF} reset tcp from any to ${ip} 389 setup
	${IPF} reset tcp from any to ${ip} 445 setup

	# Deny some chatty UDP broadcast protocols without logging.
	${IPF} deny udp from any 137 to any
	${IPF} deny udp from any to any 137
	${IPF} deny udp from any 138 to any
	${IPF} deny udp from any 513 to any
	${IPF} deny udp from any 525 to any

	# Allow inbound DNS and NTP replies. This is somewhat of a hole,
	# since we're looking at the incoming port number, which can be
	# faked, but that's just the way DNS and NTP work.
	${IPF} allow udp from any 53 to ${ip}
	${IPF} allow udp from any 123 to ${ip}

	# Allow inbound DNS queries.
	${IPF} allow udp from any to ${ip} 53

	# Allow inbound NTP queries.
	${IPF} allow udp from any to ${ip} 123

	# Allow traceroute to function, but not to get in.
	${IPF} unreach port udp from any to ${ip} 33435-33524

	# Allow some inbound icmps - echo reply, dest unreach, source quench,
	# echo, ttl exceeded.
	${IPF} allow icmp from any to any icmptypes 0,3,4,8,11

	# Everything else is denied and logged.
	${IPF} deny log all from any to any