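#!/bin/sh
#
# Packet-filter setup for a dual-homed Linux host using ipfwadm.
#
# Usage:  run as root at boot (or again after editing the definitions below).
# Effect: flushes the input (-I) and output (-O) chains, sets both to a
#         default policy of "deny", then appends the accept rules below in
#         order.  The forwarding chain (-F) is neither flushed nor given a
#         policy here; a single ICMP entry is appended to it.
# Writes: /var/log/firewall (overwritten with a one-line status).
# Exit:   0 when every rule was installed; 1 when one or more ipfwadm calls
#         failed.  The filter is still up in that case, only stricter than
#         intended, because the deny policy is installed before any accept.
#
echo Starting firewall.
#
# some definitions for easier maintenance
#
LOCALNET="192.168.1.0/24"     # the internal network
IFEXTERN="99.99.99.99"        # address of the Internet-facing interface
IFINTERN="192.168.1.100"      # address of the internal interface
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
IPFWADM="/sbin/ipfwadm"
errors=0                      # number of ipfwadm calls that failed

#
# rule: install one ipfwadm rule, reporting a failure instead of ignoring it.
# Arguments: the ipfwadm command line (without the program name)
# Returns:   ipfwadm's exit status
# A failure is written to stderr and counted in $errors; the script keeps
# going so the remaining rules are still installed and the final status
# tells the operator that the rule set is incomplete.
#
rule() {
  "$IPFWADM" "$@" && return 0
  rc=$?
  errors=$((errors + 1))
  echo "firewall: ipfwadm exited $rc for: $*" >&2
  return $rc
}

#
# Flush input and output
rule -I -f
rule -O -f
#
# deny everything (installed before any accept rule, so a partially
# applied script fails closed)
#
rule -O -p deny
rule -I -p deny
#
# Refuse spoofed packets (my network coming from outside).  Only the
# external interface is checked; everything arriving on the internal
# interface is accepted further down regardless of its source address.
rule -I -a deny -V "$IFEXTERN" -S "$LOCALNET"
rule -I -a deny -V "$IFEXTERN" -S "$IFEXTERN"
rule -I -a deny -V "$IFEXTERN" -S 127.0.0.1
#
# Allow unlimited traffic within the local net
#
rule -I -a accept -V "$IFINTERN"
rule -O -a accept -V "$IFINTERN"
rule -I -a accept -V 127.0.0.1
rule -O -a accept -V 127.0.0.1

# Unlimited ICMP traffic (not recommended, but used by PING)
# NOTE(review): the -F entry is the only forwarding-chain rule in this
# script and that chain is not flushed first, so the entry is appended
# again on every run and the kernel's existing forwarding policy stays in
# effect -- confirm that is intended.
rule -I -a accept -P icmp
rule -O -a accept -P icmp
rule -F -a accept -P icmp

# Unlimited NTP (network time protocol) traffic
rule -O -a accept -P udp -S "$IFEXTERN" -D "$ANYWHERE" ntp
rule -I -a accept -P udp -S "$ANYWHERE" ntp -D "$IFEXTERN"

#
# ====== External use of our system
#
# Public access for email, WWW, and DNS (add ftp on next line if desired)
rule -I -a accept -P tcp -D "$IFEXTERN" smtp www domain
rule -I -a accept -P udp -D "$IFEXTERN" domain
rule -I -a accept -k -P tcp -D "$IFEXTERN" ftp-data
rule -O -a accept -P tcp -S "$IFEXTERN" smtp ftp ftp-data www domain
rule -O -a accept -P udp -S "$IFEXTERN" domain

# let SSL (secure transactions) 443 through
# The incoming side carries -k (ACK set) like the other return-traffic rules
# below: a reply from a server's port 443 always has ACK set, so the flag
# costs nothing and keeps new connections sourced from port 443 from being
# accepted on our unprivileged ports.
rule -I -a accept -k -P tcp -S "$ANYWHERE" 443 -D "$IFEXTERN" "$UNPRIVPORTS"
rule -I -a accept -k -P tcp -S "$ANYWHERE" 443 -D "$LOCALNET" "$UNPRIVPORTS"
rule -O -a accept -P tcp -S "$IFEXTERN" "$UNPRIVPORTS" -D "$ANYWHERE" 443
rule -O -a accept -P tcp -S "$LOCALNET" "$UNPRIVPORTS" -D "$ANYWHERE" 443
#
#
# ========= Internal use of the Internet
#
# outgoing packets originating from our network
#
# p 344 Building Internet Firewalls FTP-1
rule -O -a accept -P tcp -S "$IFEXTERN" "$UNPRIVPORTS" -D "$ANYWHERE" pop-3 smtp ftp ftp-data www telnet gopher domain
# p 344 Building Internet Firewalls FTP-3
rule -O -a accept -P tcp -S "$IFEXTERN" "$UNPRIVPORTS" -D "$ANYWHERE" "$UNPRIVPORTS"
rule -O -a accept -P tcp -S "$LOCALNET" "$UNPRIVPORTS" -D "$ANYWHERE" "$UNPRIVPORTS"
#
# The following two are absolutely required for DNS to run
#
rule -O -a accept -P udp -S "$LOCALNET" "$UNPRIVPORTS" -D "$ANYWHERE" domain
rule -O -a accept -P udp -S "$IFEXTERN" "$UNPRIVPORTS" -D "$ANYWHERE" domain
#
# Incoming packets
# all the return packets of sessions originating internally. The -k option
# allows only those packets with the ACK bit set, which means that the
# packet is being returned by the remote process.
#
rule -I -a accept -k -P tcp -S "$ANYWHERE" pop-3 smtp ftp www telnet domain -D "$ANYWHERE" "$UNPRIVPORTS"
#
# P 344 Building Internet Firewalls FTP-4
rule -I -a accept -k -P tcp -S "$ANYWHERE" "$UNPRIVPORTS" -D "$ANYWHERE" "$UNPRIVPORTS"
#
# internal incoming  remote ftp dir, get, and put
# (active-mode FTP data connections, opened by the remote server from its
# ftp-data port towards one of our unprivileged ports)
# NOTE(review): these two rules cannot carry -k because the remote server
# sends the SYN, so they accept any new TCP connection whose source port is
# ftp-data to any of our unprivileged ports.  That is the known weakness of
# active-mode FTP filtering; passive-mode transfers appear to be covered by
# the FTP-3/FTP-4 rules above, so consider dropping these if active mode is
# not needed.
rule -I -a accept -P tcp -S "$ANYWHERE" ftp-data -D "$LOCALNET" "$UNPRIVPORTS"
rule -I -a accept -P tcp -S "$ANYWHERE" ftp-data -D "$IFEXTERN" "$UNPRIVPORTS"
#
# authorization -- for ftp (auth/ident lookups made by remote servers)
rule -I -a accept -P tcp -S "$ANYWHERE" "$UNPRIVPORTS" -D "$IFEXTERN" auth
rule -O -a accept -P tcp -S "$IFEXTERN" auth -D "$ANYWHERE" "$UNPRIVPORTS"
#
# miscellaneous incoming traffic (replies to our NTP and DNS queries; UDP
# has no ACK flag, so matching on the source port is all ipfwadm can do)
rule -I -a accept -P udp -S "$ANYWHERE" ntp domain -D "$IFEXTERN" "$UNPRIVPORTS"
#
# list out what we have done
#
#"$IPFWADM" -F -l
#"$IPFWADM" -I -l
#"$IPFWADM" -O -l

if [ "$errors" -eq 0 ]; then
  echo firewall ON.
  echo "Firewall ON." >/var/log/firewall
else
  echo "firewall ON, but $errors rule(s) failed -- see the messages above." >&2
  echo "Firewall ON, $errors rule(s) failed." >/var/log/firewall
  exit 1
fi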