
#!/bin/sh
#
#######################################################################
# Firewall and NAT startup script for Mac OS X 10.2                   #
# By Fredrik Jonsson <mailto(colon)fredrik(at)combonet(dot)se>        #
# Home page: <http://xdeb.org/fredrik/comp/firewall.phtml>            #
# Date: 2003-09-10 v1.0b5                                             #
# The resources I have found most helpful are:                        #
# <http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO>                     #
# <http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO> #
# <http://www.afp548.com/Articles/system/natserver.html>              #
# <http://www3.sympatico.ca/dccote/firewall.html>                     #
# <http://www.sial.org/howto/osx/firewall/>                           #
# <http://www.macosxhints.com/article.php?story=20030830130455582>    #
# Dru Lavigne <http://www.onlamp.com/pub/ct/15>                       #
# BrickHouse <http://brianhill.dyndns.org/>                           #
# Port numbers from:                                                  #
# <http://www.iana.org/assignments/port-numbers>                      #
# <http://www.akerman.ca/port-table.html>                             #
# <http://www.akerman.ca/port-table.html>                             #
# <http://docs.info.apple.com/article.html?artnum=106439>             #
#######################################################################

# Common setup for startup scripts
. /etc/rc.common

############################################################
## Define your variables                                  ##
############################################################

# --- Tools -------------------------------------------------------------
fwcmd="/sbin/ipfw -q"                  # ipfw binary plus "-q" (quiet); kept as
                                       #   one string so it word-splits on use
natd_script="/usr/local/etc/rc.natd"   # optional natd config, used only if present

# --- Interfaces --------------------------------------------------------
exif="en0"                             # external (Internet-facing) interface
inif="en1"                             # internal (LAN) interface

# --- Addresses ---------------------------------------------------------
exip="123.456.789.123"                 # this host's external address. Placeholder:
                                       #   not a valid IPv4 address, replace it.
                                       #   "any" for dynamic addresses per the
                                       #   original comment, but check how the
                                       #   spoofing rules below expand first.
inip="192.168.0.1"                     # LAN address of this host (only referenced
                                       #   by the commented-out ifconfig line)
innr="192.168.0.0/24"                  # LAN network range
                              
############################################################

# Printed every time the script is loaded, before RunService dispatches to
# Start/Stop/RestartService. ConsoleMessage is not defined in this file; it is
# expected from the sourced /etc/rc.common.
ConsoleMessage "Configuring Firewall and NAT"

StartService ()
{
	# Bring up firewall logging, IP forwarding, natd and the ipfw ruleset.
	# Reads the FIREWALL and NETWORKUP flags (not set in this file; presumably
	# supplied through /etc/rc.common and /etc/hostconfig) plus fwcmd,
	# natd_script, exif, inif, innr and exip from the top of the script.
	# ConsoleMessage and CheckForNetwork are not defined here either; they are
	# expected from the sourced /etc/rc.common. Every ipfw call goes through
	# ${fwcmd} (ipfw with -q, "quiet mode" per the variable comment).
	#
	# NOTE(review): the two `exit` calls below terminate the whole script,
	# not just this function (there is no `return` here).
	if [ "${FIREWALL:=-YES-}" = "-NO-" ]; then exit; fi

	CheckForNetwork

	if [ "${NETWORKUP:=-YES-}" = "-NO-" ]; then exit; fi

	#################################################
	## Enable IP Firewall Logging and set logging limit
	#
	# NOTE(review): `==` inside `[ ]` is a bash extension, and the backtick
	# substitution is unquoted — if sysctl prints nothing the test becomes
	# `[ == 0 ]` and errors out instead of skipping the block. The same
	# pattern is used for the two sysctl checks that follow.
	# verbose_limit is only written when verbose was 0, so a system that
	# already has logging on keeps whatever limit it had.
	ConsoleMessage "Enabling IP Firewall Logging"
	if [ `/usr/sbin/sysctl -n net.inet.ip.fw.verbose` == 0 ] ; then
		/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1 > /dev/null
		/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=10000 > /dev/null
	fi

	#################################################
	## Enable IP Forwarding
	#
	# Required for the LAN behind inif to reach the outside through natd.
	ConsoleMessage "Enabling IP Forwarding"
	if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ] ; then
		/usr/sbin/sysctl -w net.inet.ip.forwarding=1 > /dev/null
	fi

	#################################################
	## Set longer ACK lifetime so ssh etc. don't timeout so quickly
	#
	# Only changes the lifetime when it is exactly 300 (the value the author
	# treats as the default); any other pre-set value is left alone.
	if [ `/usr/sbin/sysctl -n net.inet.ip.fw.dyn_ack_lifetime` == 300 ] ; then
		/usr/sbin/sysctl -w net.inet.ip.fw.dyn_ack_lifetime=1800 > /dev/null
	fi

	#################################################
	## Set the maximum number of dynamic rules
	## Default is 256/1000, this will double it.
	## Check how many you are using with the command
	## % sysctl -n net.inet.ip.fw.dyn_count
	#
	# Disabled by default; every keep-state rule below consumes a dynamic
	# rule slot, so a busy LAN may need this.
	# if [ `/usr/sbin/sysctl -n net.inet.ip.fw.dyn_buckets` == 256 ] ; then
	#	/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512 > /dev/null
	#	/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000 > /dev/null
	# fi

	#################################################
	## Set up second NIC
	## Do this in the network preference pane instead
	#
	# /sbin/ifconfig ${inif} ${inip} netmask 255.255.255.0

	#################################################
	## Start natd
	#
	# natd is launched before the divert rule (1500) exists, so there is a
	# short window with no translation. Nothing checks natd's exit status,
	# and nothing here prevents a second natd from being started if
	# StartService runs twice — confirm against how RunService behaves.
	# The -log/-log_denied flags make natd record denied/unknown packets,
	# which is useful for later incident review.
	if [ -f ${natd_script} ] ; then		# Check if a rc.natd exists (unquoted; path has no spaces)
		ConsoleMessage "Starting natd with rc.natd"
		/usr/sbin/natd -config ${natd_script}
	else
		ConsoleMessage "Starting natd"
		/usr/sbin/natd -log -log_denied -use_sockets -same_ports -interface ${exif}
		## If your IP is dynamic use this line instead
		# /usr/sbin/natd -log -log_denied -use_sockets -same_ports -dynamic -interface ${exif}
	fi

	## To learn more about these options read the man pages
	## % man natd



	#################################################
	## Clear all rules
	#
	# From here until rule 7000 is added the ruleset is being rebuilt; what
	# passes in the meantime depends on ipfw's default (last) rule, which this
	# script does not set.
	ConsoleMessage "Flushing existing ipfw ruleset"
	${fwcmd} -f flush



	############################################################
	## Essential rules that more or less everyone needs       ##
	############################################################

	ConsoleMessage "Setting up ipfw"

	#################################################
	## Allow your loop back to work
	#
	${fwcmd} add 1000 allow ip from any to any via lo0

	#################################################
	## Stop and log spoofing of your loopback
	#
	# Anything claiming a 127/8 address that is not on lo0 (rule 1000 already
	# matched that) is forged.
	${fwcmd} add 1010 deny log ip from any to 127.0.0.0/8
	${fwcmd} add 1011 deny log ip from 127.0.0.0/8 to any

	#################################################
	## Stop and log spoofing attack attempts
	#
	# 1020 rejects packets arriving on the external interface that claim an
	# internal source; 1021 rejects packets claiming this host's own external
	# address. Only those two sources are checked — other private/reserved
	# ranges fall through to the later rules.
	# NOTE(review): if exip is set to "any" (as the comment at the top of the
	# file suggests for dynamic addresses), rule 1021 expands to
	# `deny log ip from any to any in via en0`, which blocks ALL inbound
	# traffic on the external interface. Guard this line on exip != any, or
	# keep a concrete address, before switching to "any".
	${fwcmd} add 1020 deny log ip from ${innr} to ${exip} in via ${exif}
	${fwcmd} add 1021 deny log ip from ${exip} to ${exip} in via ${exif}

	#################################################
	## Enable Network Address translation, NAT, diverting
	#
	# Both directions on exif are handed to natd; the rules after 1500 are
	# therefore matched against the translated packet.
	ConsoleMessage "Enabling NAT"
	${fwcmd} add 1500 divert natd ip from any to any via ${exif}

	#################################################
	## *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY ***
	## Will open up the Firewall completely!
	#
	# Leave these commented out on any reachable host.
	# ${fwcmd} add 2000 allow log logamount 500 ip from any to any
	# ${fwcmd} add 2001 allow ip from any to any

	#################################################
	## Allow all packets that have previously been added to the
	## "dynamic" rules table by an allow keep-state statement.
	#
	# Must precede every keep-state rule below, otherwise replies to
	# stateful flows would reach the deny rules.
	${fwcmd} add 2500 check-state

	#################################################
	## Allow all traffic on the private LAN and run it through the
	## dynamic rules table so the IP addresses are in sync with natd.
	#
	# 2510: anything from the LAN range on the internal interface, flow
	# recorded. 2511: the same for this host's external address on that
	# interface. Neither rule restricts the destination.
	${fwcmd} add 2510 allow ip from ${innr} to any via ${inif} keep-state
	${fwcmd} add 2511 allow ip from ${exip} to any via ${inif} keep-state

	#################################################
	## Deny all fragments as bogus packets
	#
	# Drops every fragment arriving on exif, including ones belonging to
	# legitimate large datagrams — a deliberate trade-off.
	${fwcmd} add 2520 deny ip from any to any frag in via ${exif}

	#################################################
	## Deny ACK packets that did not match the dynamic rule table
	#
	# Any inbound TCP segment that is not a SYN and was not accepted by
	# check-state (2500) belongs to no known flow.
	${fwcmd} add 2530 deny tcp from any to any established in via ${exif}

	#################################################
	## Deny Source Routed Packets
	#
	# Answers with an ICMP host-unreachable and logs the attempt.
	${fwcmd} add 2540 unreach host log ip from any to any ipopt ssrr,lsrr via ${exif}

	#################################################
	## Send a RESET to all ident packets
	## Disable if you are actually running Auth/Identd
	#
	# A RST (instead of a silent drop) keeps remote mail/IRC servers from
	# waiting on an ident timeout.
	${fwcmd} add 2550 reset tcp from any to any 113 in via ${exif}

	#################################################
	## Allow DHCP/BOOTP (external/internal)
	#
	# No in/out keyword, so these match both directions.
	${fwcmd} add 2600 allow udp from any 67-68 to any 67-68 via ${exif}
	${fwcmd} add 2601 allow udp from any 67-68 to any 67-68 via ${inif}

	#################################################
	## Allow DHCP Broadcast (external/internal)
	#
	${fwcmd} add 2610 allow udp from any to 255.255.255.255 67-68 via ${exif}
	${fwcmd} add 2611 allow udp from any to 255.255.255.255 67-68 via ${inif}

	#################################################
	## Allow all ICMP Packets for diagnostic purposes
	## you probably wish to leave this commented out
	#
	# ${fwcmd} add 2620 allow icmp from any to any via ${exif}

	#################################################
	## Allow Required ICMP Traffic
	## path-mtu, source quench plus outgoing traceroute and ping
	#
	# Types 3 (unreachable, incl. frag-needed for PMTU) and 4 (source quench)
	# in either direction; echo-reply/time-exceeded only inbound; echo-request
	# only outbound. Inbound echo-requests on exif match no allow rule and
	# end up at 7000 (denied and logged), so the host does not answer pings
	# from outside; LAN pings are covered by 2510.
	${fwcmd} add 2630 allow icmp from any to any icmptypes 3,4
	${fwcmd} add 2631 allow icmp from any to any icmptypes 0,11 in
	${fwcmd} add 2632 allow icmp from any to any icmptypes 8 out



	############################################################
	## Outbound rules                                         ##
	############################################################

	#################################################
	## Allow DNS
	#
	# keep-state so the reply is admitted by check-state (2500).
	${fwcmd} add 3000 allow udp from any 1024-65535 to any 53 out via ${exif} keep-state

	#################################################
	## Allow Network Time (NTP)
	#
	# NOTE(review): the destination port list `1024-65535,123` permits
	# outbound UDP to any unprivileged port as well as to 123, so this rule is
	# far broader than its title; `to any 123` would match the intent (3502
	# below already allows everything sourced from exip out anyway).
	${fwcmd} add 3010 allow udp from any to any 1024-65535,123 out via ${exif} keep-state

	#################################################
	## Allow passive FTP control channel
	#
	# 3021 (high ports) is what lets passive-mode data connections out.
	# Both lines are subsumed by 3502 for traffic sourced from exip and are
	# presumably kept to document the intent.
	${fwcmd} add 3020 allow tcp from ${exip} to any 21 out via ${exif} setup keep-state
	${fwcmd} add 3021 allow tcp from ${exip} to any 10000-65000 out via ${exif} setup keep-state

	#################################################
	## Allow all traffic from the firewall going out on the external interface
	#
	# Unrestricted egress for this host's external address. With exip="any"
	# this becomes an allow-all for everything leaving on exif.
	${fwcmd} add 3502 allow ip from ${exip} to any out via ${exif} keep-state


	############################################################
	## Inbound rules for Standard Services on port 0-1023     ##
	############################################################

	# Every rule in the 4000 and 5000 ranges is commented out: the script
	# ships closed, and the 6000-6110 denies further down catch anything not
	# opened here. Uncomment only the lines for services this host actually
	# runs; each one exposes that service to the whole Internet.

	#################################################
	## File Transfer, FTP
	#
	# ${fwcmd} add 4010 allow tcp from any to ${exip} 20-21 in via ${exif} setup keep-state

	#################################################
	## Remote Login, SSH
	#
	# ${fwcmd} add 4020 allow tcp from any to ${exip} 22 in via ${exif} setup keep-state

	#################################################
	## SMTP Mail (Normal/SSL)
	#
	# ${fwcmd} add 4030 allow tcp from any to ${exip} 25 in via ${exif} setup keep-state
	# ${fwcmd} add 4031 allow tcp from any to ${exip} 465 in via ${exif} setup keep-state

	#################################################
	## DNS
	#
	# ${fwcmd} add 4040 allow udp from any to ${exip} 53 in via ${exif} keep-state

	#################################################
	## World Wide Web (Normal/SSL)
	#
	# ${fwcmd} add 4050 allow tcp from any to ${exip} 80 in via ${exif} setup keep-state
	# ${fwcmd} add 4051 allow tcp from any to ${exip} 443 in via ${exif} setup keep-state

	#################################################
	## POP3 Mail (Normal/SSL)
	#
	# ${fwcmd} add 4060 allow tcp from any to ${exip} 110 in via ${exif} setup keep-state
	# ${fwcmd} add 4061 allow tcp from any to ${exip} 995 in via ${exif} setup keep-state

	#################################################
	## Auth/Identd (TCP/UDP)
	#
	# If enabled, also remove the RST rule 2550 above, which fires first.
	# ${fwcmd} add 4070 allow tcp from any to ${exip} 113 in via ${exif} setup keep-state
	# ${fwcmd} add 4071 allow udp from any to ${exip} 113 in via ${exif} keep-state

	#################################################
	## Samba/CIFS (TCP/UDP)
	#
	# ${fwcmd} add 4080 allow tcp from any to ${exip} 137-139 in via ${exif} setup keep-state
	# ${fwcmd} add 4081 allow udp from any to ${exip} 137-139 in via ${exif} keep-state

	## Deny with no log, I get too many entries from people trying to crack Windows servers
	# ${fwcmd} add 4082 deny tcp from any to ${exip} 137-139 in via ${exif}
	# ${fwcmd} add 4083 deny udp from any to ${exip} 137-139 in via ${exif}

	#################################################
	## IMAP Mail (Normal/SSL)
	#
	# ${fwcmd} add 4090 allow tcp from any to ${exip} 143 in via ${exif} setup keep-state
	# ${fwcmd} add 4091 allow tcp from any to ${exip} 993 in via ${exif} setup keep-state

	#################################################
	## SNMP
	#
	# NOTE(review): `161,192` on the udp line looks like a typo for
	# `161,162` (compare the tcp line above) — confirm before enabling.
	# ${fwcmd} add 4100 allow tcp from any to ${exip} 161,162 in via ${exif} setup keep-state
	# ${fwcmd} add 4101 allow udp from any to ${exip} 161,192 in via ${exif} keep-state

	#################################################
	## IRC Chat  (TCP/UDP)
	#
	# ${fwcmd} add 4110 allow tcp from any to ${exip} 194 in via ${exif} setup keep-state
	# ${fwcmd} add 4111 allow udp from any to ${exip} 194 in via ${exif} keep-state

	#################################################
	## Apple web/remote Admin Apps
	#
	# ${fwcmd} add 4120 allow tcp from any to ${exip} 311 in via ${exif} setup keep-state
	# ${fwcmd} add 4121 allow tcp from any to ${exip} 625 in via ${exif} setup keep-state
	# ${fwcmd} add 4122 allow tcp from any to ${exip} 660 in via ${exif} setup keep-state

	#################################################
	## Timbuktu Pro (TCP/UDP)
	#
	# ${fwcmd} add 4130 allow tcp from any to ${exip} 407 in via ${exif} setup keep-state
	# ${fwcmd} add 4131 allow udp from any to ${exip} 407 in via ${exif} keep-state

	#################################################
	## Network Browser (SLP)
	#
	# ${fwcmd} add 4140 allow udp from any to ${exip} 427 in via ${exif} keep-state

	#################################################
	## Retrospect
	#
	# ${fwcmd} add 4150 allow tcp from any to ${exip} 497 in via ${exif} setup keep-state

	#################################################
	## LPR (printing)
	#
	# ${fwcmd} add 4160 allow tcp from any to ${exip} 515 in via ${exif} setup keep-state

	#################################################
	## QuickTime Streaming Server, RTSP (TCP/UDP)
	#
	# ${fwcmd} add 4170 allow tcp from any to ${exip} 554 in via ${exif} setup keep-state
	# ${fwcmd} add 4171 allow udp from any to ${exip} 554 in via ${exif} keep-state
	# ${fwcmd} add 4172 allow udp from any to ${exip} 6970-6999 in via ${exif} keep-state
	# ${fwcmd} add 4173 allow udp from any to ${exip} 7070 in via ${exif} keep-state

	#################################################
	## Apple File Protocol (AFP)
	#
	# ${fwcmd} add 4180 allow tcp from any to ${exip} 548 in via ${exif} setup keep-state

	#################################################
	## IPP (Internet Printing Protocol)
	#
	# ${fwcmd} add 4190 allow tcp from any to ${exip} 631 in via ${exif} setup keep-state



	############################################################
	## Inbound rules for User Services on port 1024-65535     ##
	############################################################

	#################################################
	## iSync/Rendezvous  (TCP/UDP)
	#
	# ${fwcmd} add 5010 allow tcp from any to ${exip} 3004 in via ${exif} setup keep-state
	# ${fwcmd} add 5011 allow udp from any to ${exip} 3004 in via ${exif} keep-state

	#################################################
	## iTunes 4 streaming  (TCP/UDP)
	#
	# ${fwcmd} add 5020 allow tcp from any to ${exip} 3689 in via ${exif} setup keep-state
	# ${fwcmd} add 5021 allow udp from any to ${exip} 3689 in via ${exif} keep-state

	#################################################
	## ICQ Chat  (TCP/UDP)
	#
	# ${fwcmd} add 5030 allow tcp from any to ${exip} 4000 in via ${exif} setup keep-state
	# ${fwcmd} add 5031 allow udp from any to ${exip} 4000 in via ${exif} keep-state

	#################################################
	## FileMaker Pro (TCP/UDP)
	#
	# ${fwcmd} add 5040 allow tcp from any to ${exip} 5003 in via ${exif} setup keep-state
	# ${fwcmd} add 5041 allow udp from any to ${exip} 5003 in via ${exif} keep-state

	#################################################
	## iChat/AOL Instant Messenger
	#
	## iChat/AOL file transfers
	# ${fwcmd} add 5050 allow tcp from any to ${exip} 5190 in via ${exif} setup keep-state
	# ${fwcmd} add 5051 allow udp from any to ${exip} 5190 in via ${exif} keep-state
	#
	## iChat/Rendezvous  file transfers
	# ${fwcmd} add 5052 allow tcp from any to ${exip} 5298 in via ${exif} setup keep-state
	# ${fwcmd} add 5053 allow udp from any to ${exip} 5298 in via ${exif} keep-state
	# ${fwcmd} add 5054 allow tcp from any to ${exip} 17421 in via ${exif} setup keep-state
	#
	## iChat AV
	# ${fwcmd} add 5055 allow udp from any to ${exip} 5060 in via ${exif} keep-state
	# ${fwcmd} add 5056 allow udp from any to ${exip} 16384-16403 in via ${exif} keep-state

	#################################################
	## Rendezvous (mDNSResponder)
	#
	# ${fwcmd} add 5060 allow udp from any to ${exip} 5353 in via ${exif} keep-state

	#################################################
	## Gnutella/Limewire
	#
	# ${fwcmd} add 5070 allow tcp from any to ${exip} 6346 in via ${exif} setup keep-state

	#################################################
	## BitTorrent
	#
	# ${fwcmd} add 5080 allow tcp from any to ${exip} 6881-6999 in via ${exif} setup keep-state

	#################################################
	## NetFone
	#
	# ${fwcmd} add 5090 allow tcp from any to ${exip} 10200-10210 in via ${exif} setup keep-state
	## If you use port forwarding you must have a rule that lets the traffic
	## in to the private LAN. This is one example for NetFone.
	# (natd rewrites the destination to the LAN host before this rule is
	# evaluated, hence `to ${innr}` rather than `to ${exip}`.)
	# ${fwcmd} add 5091 allow tcp from any to ${innr} 10200-10210 in via ${exif} setup keep-state


	############################################################
	## Generic inbound rules to wrap things up                ##
	############################################################

	#################################################
	## Deny all other Privileged Ports (TCP/UDP)
	#
	# Every hit is logged; the verbose_limit sysctl set at the top bounds how
	# much a scan can write to the log.
	${fwcmd} add 6000 deny log tcp from any to ${exip} 1-1023 in via ${exif}
	${fwcmd} add 6010 deny log udp from any to ${exip} 1-1023 in via ${exif}

	#################################################
	## Deny all other Non-Privileged Ports (TCP/UDP)
	#
	${fwcmd} add 6100 deny log tcp from any to ${exip} 1024-65535 in via ${exif}
	${fwcmd} add 6110 deny log udp from any to ${exip} 1024-65535 in via ${exif}

	## Allow all Non-Privileged Ports (TCP/UDP)
	# NOTE(review): as numbered, 6120/6130 sit after the 6100/6110 denies
	# that match the same traffic, so uncommenting them alone has no effect;
	# they only take effect if 6100/6110 are removed, at which point every
	# high port on the host becomes reachable. Prefer per-service rules in
	# the 5000 range.
	# ${fwcmd} add 6120 allow tcp from any to ${exip} 1024-65535 in via ${exif} setup keep-state
	# ${fwcmd} add 6130 allow udp from any to ${exip} 1024-65535 in via ${exif} keep-state

	#################################################
	## Deny everything else
	#
	# Final catch-all: anything not explicitly allowed above, in either
	# direction on any interface, is dropped and logged.
	${fwcmd} add 7000 deny log ip from any to any
}
# End of StartService


StopService ()
{
	# Tear the firewall down by dropping every ipfw rule. natd itself is
	# left running (the kill below is intentionally disabled): only the
	# divert rule disappears with the flush, not the translation daemon.
	# What passes after the flush depends on ipfw's default rule, which this
	# script does not manage.
	ConsoleMessage "Flushing existing ipfw ruleset"
	$fwcmd -f flush

	#################################################
	## Stop natd (disabled — enable if stop should also end natd)
	#
	# ConsoleMessage "Stopping natd"
	# kill `cat /private/var/run/natd.pid`
}


RestartService ()
{
	# Full cycle: flush the ruleset, then rebuild everything from scratch.
	StopService
	StartService
}

# Dispatch on the first argument to the Start/Stop/RestartService functions
# above. RunService is not defined in this file; it is expected from the
# sourced /etc/rc.common.
RunService "$1"
 