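#!/bin/sh
#
# ipfw filtering rules for the host 'adam'.
# See the FreeBSD handbook, FIREWALLS chapter:
#   http://www.freebsd-fr.org/doc/fr/books/handbook/book.html#FIREWALLS
#
# Setup system for firewall service.
#
# Ordering matters: ipfw evaluates rules in ascending number order and the
# first match wins. Rules added below without an explicit number are
# appended in the order they are written, so moving a line changes policy.
# As extracted, the whole script had been collapsed onto three lines, which
# turned every rule into either a comment or a bogus command ('serveurs',
# 'systeme'); the statements are restored one per line here.

#
# Suck in the configuration variables.
# (source_rc_confs is defined by /etc/defaults/rc.conf.)
#
if [ -r /etc/defaults/rc.conf ]; then
  . /etc/defaults/rc.conf
  source_rc_confs
elif [ -r /etc/rc.conf ]; then
  . /etc/rc.conf
fi

fwcmd="/sbin/ipfw"

# Flush the current rule set (-f: do not ask for confirmation).
# Nothing below checks the exit status of an individual 'add'; a rule
# ipfw rejects is simply missing from the final set, so read the load-time
# output when changing this file.
${fwcmd} -f flush

#
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

#
# set these to your network and netmask and ip
#
adam="134.157.13.1"
net="134.157.13.0"
mask="255.255.255.192"
broadcast="134.157.13.63"
mailhost="134.157.13.3"
cantor="134.157.13.2"
loghost="134.157.13.103"
winserveur="134.157.13.105"

# Allow TCP through if setup succeeded
# NOTE(review): 'established' matches any TCP segment with ACK or RST set,
# independent of any connection state this host keeps, so only the initial
# SYN of a connection is subject to the 'setup' rules further down. The
# stateful form would be a 'check-state' rule here plus 'keep-state' on
# each 'setup' rule.
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
# The original comment said "pas utilisé" (not used), but the rule is
# active: non-first fragments carry no transport header, so they are
# accepted here before any of the port-based rules below can see them.
${fwcmd} add pass all from any to any frag

# Allow DNS queries out in the world (replies admitted by the dynamic rule)
${fwcmd} add pass udp from ${adam} to any 53 keep-state

# Allow NTP queries out, to ntp.math.jussieu.fr
${fwcmd} add pass udp from ${adam} to 134.157.251.254 123 keep-state

# Allow syslog messages to loghost.math.jussieu.fr
${fwcmd} add allow udp from ${adam} to ${loghost} 514 keep-state

# Allow ICMP with everybody
${fwcmd} add allow icmp from any to any

# To avoid useless log entries: accept LAN broadcast chatter explicitly so
# it does not hit the final 'deny log' rule.
# =====================================================================
# SMB
${fwcmd} add allow udp from ${net}:${mask} 137-138 to ${broadcast} 137-138
${fwcmd} add allow udp from ${winserveur} 1604 to ${broadcast} 1604
${fwcmd} add allow udp from any to 255.255.255.255 1604

# Inbound
# =======

# The whole Internet may initiate an SSH connection to 'adam'
# ----------------------------------------------------------
${fwcmd} add allow tcp from any to ${adam} 22 setup

# DNS replies from the parent servers
# -----------------------------------
# The keep-state DNS rule above already admits replies to queries this
# host sent. With no destination port given, these two rules additionally
# accept any UDP datagram with source port 53 from these hosts to any port
# on adam; confirm they are still needed.
${fwcmd} add allow udp from 134.157.13.103 53 to ${adam}
${fwcmd} add allow udp from 134.157.0.129 53 to ${adam}

# Auth/ident (113) from riemann (the mail host)
# ---------------------------------------------
${fwcmd} add allow tcp from ${mailhost} to ${adam} 113

# Outbound
# ========

# To 'cantor' - FTP - BB
# ----------------------
# Only the FTP control channel (21) is opened here; the data channel is
# not covered by these rules unless handled elsewhere.
${fwcmd} add allow tcp from ${adam} to ${cantor} 1984 setup
${fwcmd} add allow tcp from ${adam} to ${cantor} 21 setup

# To 'cache' - SQUID
# ------------------
${fwcmd} add allow tcp from ${adam} to 134.157.13.103 3128 setup

# To 'riemann' - SMTP - POP - IMAP
# --------------------------------
${fwcmd} add allow tcp from ${adam} to ${mailhost} 25 setup
${fwcmd} add allow tcp from ${adam} to ${mailhost} 110 setup
${fwcmd} add allow tcp from ${adam} to ${mailhost} 143 setup

# To 'borel4/5', 'galois1/2', 'grobner1/2', 'redhat73' - SSH
# -----------------------------------------------------------
${fwcmd} add allow tcp from ${adam} to 134.157.13.114 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.115 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.116 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.117 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.118 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.119 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.112 22 setup

# To the client workstations - SSH
# --------------------------------
${fwcmd} add allow tcp from ${adam} to 134.157.33.0/24 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.51.0/24 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.61.0/24 22 setup

# To 'winserveur' - ICA
# ---------------------
${fwcmd} add allow tcp from ${adam} to ${winserveur} 1494 setup

# To 'cantorII' and 'nfs' - SSH
# -----------------------------
${fwcmd} add allow tcp from ${adam} to 134.157.13.9 22 setup
${fwcmd} add allow tcp from ${adam} to 134.157.13.125 22 setup

# For system updates
# ------------------
# FTP to ftp.jussieu.fr and CVSup to the FreeBSD mirror.
# These rules use host names: ipfw resolves them when the rule is added, so
# name resolution must work at load time (at boot it may not, and a failed
# 'add' is not checked here), and the rule keeps whatever address was
# resolved until the next reload. 'allow ip' also opens every protocol and
# port towards these hosts, not just FTP/CVSup.
# NOTE(review): the original comment named cvsup3.fr.freebsd.org but the
# rule uses cvsup2.fr.freebsd.org - confirm which mirror is intended.
${fwcmd} add allow ip from ${adam} to ftp.jussieu.fr
${fwcmd} add allow ip from ${adam} to cvsup2.fr.freebsd.org

# Deny and log everything else
# ============================
# An explicit final deny makes the policy independent of whether the
# kernel's default rule 65535 is deny or accept. Logging is subject to the
# kernel's ipfw verbose limit; confirm that limit is set so a flood cannot
# fill the log.
${fwcmd} add 65000 deny log ip from any to any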