On Mon, 21 Dec 1998, Michael Fox wrote:
> Anyone care to show me a quick and dirty ipfwadm script to allow
> ftp/http/irc/mail/dns in/out from linux machine..
>
> I'd like to enable ipfw filters.. but stuck on the writing of the ipfw.sh
> script I would run.. examples would be great..
I'm using the one in the attachment. It was made by a nice person I'd found on the #debian channel. I just added the last line of the script about not letting outgoing packets through.

Hope that helps.

Best regards,
Nuno Carvalho

------------------------------
Nuno Emanuel F. Carvalho
Dep. Informatics Engineering
University of Coimbra
PGP key available at finger
------------------------------
#! /bin/sh
echo -n "Installing firewall : "

ports="telnet discard domain www ssh"   # TCP services anyone may connect to
udps="domain"                           # UDP services anyone may reach
act="reject"   # deny (waiting.. waiting..)
               # or reject (connection refused)

my_ip="<your ip>"   # this machine's IP address
mymask=""           # empty for this host only, or e.g. "/255.255.255.0" for its network

ipfwadm -If              # Flush rules
ipfwadm -I -p accept     # accept by default

# accept anything from this machine and its network
ipfwadm -I -a accept -S 127.0.0.1/255.255.255.0 -D 0.0.0.0/0.0.0.0
ipfwadm -I -a accept -S ${my_ip}${mymask} -D 0.0.0.0/0.0.0.0

# allow all ICMP packets to go through.
ipfwadm -I -a accept -P icmp -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0

# allow anyone to connect to these TCP ports..
for port in $ports ; do
    ipfwadm -I -a accept -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done
# ..smtp only from this machine itself
ipfwadm -I -a accept -P tcp -S ${my_ip} -D ${my_ip}${mymask} smtp

# ..and these UDP ports
for port in $udps ; do
    ipfwadm -I -a accept -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
done

# deny all other Well-Known Services
# (source mask written out as in the rules above: a bare "0.0.0.0" is read
#  as the single host 0.0.0.0 and would match nothing)
ipfwadm -I -a ${act} -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023
ipfwadm -I -a ${act} -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} 1:1023
#done

###
## don't allow outgoing packets on such ports
###
ipfwadm -Of
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} domain
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} discard
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} daytime
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} time
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} sunrpc
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} exec
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} login
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} cmd
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} shell
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} printer
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} 6000    # xterm
ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} finger

echo "done."
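As an added example (not part of the original post or of the script's author's work): a small first-match model of the attached input chain, in Python, so you can check what the ruleset actually lets through before loading it. It assumes a constructed address in place of <your ip>, resolves the service names to their standard port numbers, and also shows what changes when the two reject rules are written with a bare "-S 0.0.0.0" rather than "0.0.0.0/0.0.0.0" (ipfwadm treats an address without a mask as a single host).

```python
import ipaddress

MY_IP = "192.0.2.10"       # constructed stand-in for <your ip> in the script
ANY = "0.0.0.0/0.0.0.0"
DEFAULT_POLICY = "accept"  # ipfwadm -I -p accept

def cidr(spec):
    """ipfwadm-style 'addr[/mask]'; with no mask the address is a single host."""
    return ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)

# Input-chain rules in install order: (action, proto or None, src, dst, dst-port ranges).
# Service names resolved to numbers: telnet 23, discard 9, domain 53, www 80,
# ssh 22, smtp 25.  An empty port tuple matches any port.
INPUT_RULES = (
    [("accept", None, "127.0.0.1/255.255.255.0", ANY, ()),
     ("accept", None, MY_IP, ANY, ()),
     ("accept", "icmp", ANY, ANY, ())]
    + [("accept", "tcp", ANY, MY_IP, ((p, p),)) for p in (23, 9, 53, 80, 22)]
    + [("accept", "tcp", MY_IP, MY_IP, ((25, 25),)),
       ("accept", "udp", ANY, MY_IP, ((53, 53),)),
       ("reject", "tcp", ANY, MY_IP, ((1, 1023),)),
       ("reject", "udp", ANY, MY_IP, ((1, 1023),))]
)

def as_posted(rules=INPUT_RULES):
    """Same chain with the two reject rules written as a bare '-S 0.0.0.0'."""
    return [(a, p, "0.0.0.0" if a == "reject" else s, d, ports)
            for a, p, s, d, ports in rules]

def verdict(proto, src, dst, dport, rules=INPUT_RULES):
    """First matching rule wins; no match falls through to the chain policy."""
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto not in (None, proto):
            continue
        if ipaddress.ip_address(src) not in cidr(rsrc) or \
           ipaddress.ip_address(dst) not in cidr(rdst):
            continue
        if ports and not any(lo <= dport <= hi for lo, hi in ports):
            continue
        return action
    return DEFAULT_POLICY

def audit(rules=INPUT_RULES, outside="198.51.100.7"):
    """Verdicts for a few constructed packets arriving from an outside host."""
    probes = {"tcp/22 ssh": ("tcp", 22), "tcp/25 smtp": ("tcp", 25),
              "tcp/513 login": ("tcp", 513), "udp/111 sunrpc": ("udp", 111),
              "tcp/8080 unprivileged": ("tcp", 8080)}
    return {name: verdict(proto, outside, MY_IP, port, rules)
            for name, (proto, port) in probes.items()}
```

audit() shows that anything above port 1023 still reaches the host, because the chain policy is accept and only 1:1023 is rejected; audit(as_posted()) shows the reject rules matching nothing at all when the source is a bare 0.0.0.0.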