-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathipfw.rules
278 lines (239 loc) · 10.5 KB
/
ipfw.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
#!/bin/sh
# Exit on errors and undefined variables
set -eu
# Define the firewall command
fwcmd="/sbin/ipfw"
# Define interfaces and ports
bridge_if="" # Adjust as needed for your bridge interface
ssh_ips="" # List of allowed SSH source IPs
ssh_port="" # SSH port to allow
user_tcp_ports="" # User TCP ports to allow
log_default_deny="yes" # Whether to log the default deny rules
# Define martian (and multicast) IP ranges to deny
martians_ip4="0.0.0.0/8,\
127.0.0.0/8,\
169.254.0.0/16,\
192.0.2.0/24,\
192.88.99.0/24,\
198.18.0.0/15,\
198.51.100.0/24,\
203.0.113.0/24,\
204.152.64.0/23,\
233.252.0.0/24,\
240.0.0.0/4,\
255.255.255.255/32"
martians_ip6="::/128,\
::1/128,\
100::/64,\
2001::/32,\
2001:20::/28"
martians_ip6_2="2001:db8::/32,\
2002::/16,\
3fff::/20,\
5f00::/16"
multicast_ip4="224.0.0.0/4"
multicast_ip6="ff00::/8"
# Check if IPv6 is available by detecting any IPv6 addresses
ipv6_available=$(ifconfig | grep -qF "inet6" && echo 1 || echo 0)
# Flush existing rules
${fwcmd} -q flush
#################################
# Loopback Traffic Handling
#################################
# Allow all traffic on the loopback interface (lo0)
${fwcmd} add 100 allow ip from any to any via lo0
#################################
# IPFW Table Handling
#################################
# Deny traffic from Fail2Ban table
${fwcmd} table fail2ban create or-flush type addr
${fwcmd} add 200 deny log ip from 'table(fail2ban)' to any
#################################
# ICMP Flood Protection
#################################
# Dummynet pipe to limit ICMPv4/ICMPv6 bandwidth
${fwcmd} pipe 1 config bw 100Kbit/s queue 1 droptail
# Limit ICMPv4 echo requests and replies (ping flood protection)
${fwcmd} add 300 pipe 1 icmp from any to me icmptypes 8,0 in
# IPv6 ICMPv6 echo requests and replies (ping flood protection)
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 400 pipe 1 ipv6-icmp from any to me6 icmp6types 128,129 in
# Deny fragmented ICMPv6 Neighbor Discovery Protocol (NDP) packets to prevent DoS attacks (RFC6980)
${fwcmd} add 500 deny log ipv6-icmp from any to any ext6hdr frag icmp6types 130,131,132,133,134,135,136,143
fi
#################################
# Fragmented Packet Handling
#################################
# Reassemble fragmented packets
${fwcmd} add 600 reass ip from any to any
#################################
# User Traffic Shaping
#################################
# Dummynet pipes to limit user bandwidth
${fwcmd} pipe 2 config bw 1Mbit/s buckets 4096 queue 50 mask src-ip 0xffffffff dst-ip 0xffffffff
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} pipe 3 config bw 1Mbit/s buckets 4096 queue 50 mask src-ip6 60 dst-ip6 60
fi
# Limit user connection bandwidth
if [ -n "$user_tcp_ports" ]; then
#pipe_ports=$(echo "$ssh_port,$user_tcp_ports" | sed -E 's/^,+//;s/,+$//')
${fwcmd} add 700 pipe 2 ip4 from any to me "$user_tcp_ports" in
${fwcmd} add 800 pipe 2 ip4 from me "$user_tcp_ports" to any out
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 900 pipe 3 ip6 from any to me6 "$user_tcp_ports" in
${fwcmd} add 1000 pipe 3 ip6 from me6 "$user_tcp_ports" to any out
fi
fi
#################################
# Stateful Traffic Handling
#################################
# Check the state of all connections to allow established connections
${fwcmd} add 1100 check-state
#################################
# Loopback Protection and IPv6 Network Functionality
#################################
# Deny traffic to and from the IPv4 loopback network (127.0.0.0/8)
${fwcmd} add 1200 deny ip from any to 127.0.0.0/8
${fwcmd} add 1210 deny ip from 127.0.0.0/8 to any
# IPv6 loopback and network functionality rules (if IPv6 is available)
if [ "$ipv6_available" -eq 1 ]; then
# Deny traffic to and from the IPv6 loopback address (::1)
${fwcmd} add 1300 deny ip from any to ::1
${fwcmd} add 1310 deny ip from ::1 to any
# Deny routing header type 0 (RH0) to prevent amplification and redirection attacks (RFC5095)
${fwcmd} add 1400 deny log ip6 from any to any ext6hdr rthdr0
# Allow IPv6 Duplicate Address Detection (DAD) packets
${fwcmd} add 1500 allow ipv6-icmp from :: to ff02::/16
# Allow ICMPv6 Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS), and Neighbor Advertisement (NA) for link-local traffic
${fwcmd} add 1600 allow ipv6-icmp from fe80::/10 to fe80::/10
${fwcmd} add 1700 allow ipv6-icmp from fe80::/10 to ff02::/16
# Allow ICMPv6 Neighbor Solicitation (NS) and Neighbor Advertisement (NA) for address resolution (unicast, link-local, and multicast)
${fwcmd} add 1800 allow ipv6-icmp from any to any icmp6types 135,136
fi
#################################
# Outbound Traffic
#################################
# Allow all ICMPv4 outbound
${fwcmd} add 1900 allow icmp from any to any icmptypes 8 out record-state
${fwcmd} add 1910 allow icmp from any to any out
if [ "$ipv6_available" -eq 1 ]; then
# Allow all ICMPv6 outbound
${fwcmd} add 2000 allow ipv6-icmp from any to any icmp6types 128 out record-state
${fwcmd} add 2010 allow ipv6-icmp from any to any out
fi
# Allow all outbound traffic with stateful handling
${fwcmd} add 2100 allow ip from any to any out record-state
#################################
# Block Banned and Spoofed IPs
#################################
# Anti-spoofing: Deny traffic with invalid source addresses
${fwcmd} add 2200 deny ip from any to any not verrevpath in
#################################
# Anti-DoS and Recon Prevention
#################################
# Block packets with IP options
${fwcmd} add 2300 deny log ip from any to any ipoptions ssrr in
${fwcmd} add 2310 deny log ip from any to any ipoptions lsrr in
${fwcmd} add 2320 deny log ip from any to any ipoptions rr in
${fwcmd} add 2330 deny log ip from any to any ipoptions ts in
#################################
# ICMP Rules for Network Functionality
#################################
# Allow ICMPv4 Echo Reply, Destination Unreachable, Echo Request, and Time Exceeded
${fwcmd} add 2400 allow icmp from any to any icmptypes 0,3,8,11 in
# Allow ICMPv6 Destination Unreachable, Packet Too Big, Time Exceeded, Echo Request/Reply, and RA
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 2500 allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,133,134 in
fi
# Deny all other ICMPv4 and ICMPv6 traffic
${fwcmd} add 2600 deny log icmp from any to any in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 2700 deny log ipv6-icmp from any to any in
fi
#################################
# DHCP and Broadcast Traffic
#################################
# Allow DHCPv4 traffic
${fwcmd} add 2800 allow ip4 from 0.0.0.0 68 to 255.255.255.255 67 proto udp
${fwcmd} add 2810 allow ip4 from any 67 to any 68 proto udp
# Allow DHCPv6 traffic (if IPv6 is available)
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 2900 allow ip6 from fe80::/10 546 to ff02::1:2 547 proto udp
${fwcmd} add 2910 allow ip6 from fe80::/10 547 to fe80::/10 546 proto udp
fi
#################################
# Block Martians and Multicast Traffic
#################################
# Block inbound multicast traffic
if [ -n "$multicast_ip4" ]; then
${fwcmd} add 3000 deny ip from "$multicast_ip4" to any in
${fwcmd} add 3010 deny ip from any to "$multicast_ip4" in
fi
if [ -n "$multicast_ip6" ] && [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 3100 deny ip from "$multicast_ip6" to any in
${fwcmd} add 3110 deny ip from any to "$multicast_ip6" in
fi
# Block martian IP ranges
if [ -n "$martians_ip4" ]; then
${fwcmd} add 3200 deny ip from "$martians_ip4" to any in
${fwcmd} add 3210 deny ip from any to "$martians_ip4" in
fi
if [ -n "$martians_ip6" ] && [ -n "$martians_ip6_2" ] && [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 3300 deny ip from "$martians_ip6" to any in
${fwcmd} add 3310 deny ip from any to "$martians_ip6" in
${fwcmd} add 3320 deny ip from "$martians_ip6_2" to any in
${fwcmd} add 3330 deny ip from any to "$martians_ip6_2" in
fi
#################################
# Inbound Traffic (User-Defined Services)
#################################
# Allow new SSH connections from allowed source IPs to the firewall
if [ -n "$ssh_ips" ] && [ -n "$ssh_port" ]; then
${fwcmd} add 3399 count log ip4 from "$ssh_ips" to me "$ssh_port" tcpflags syn,!ack,!fin,!rst in
${fwcmd} add 3400 allow ip4 from "$ssh_ips" to me "$ssh_port" tcpflags syn,!ack,!fin,!rst in limit dst-addr 2
fi
# Allow user connections to the firewall, with source IP limit for DoS mitigation
if [ -n "$user_tcp_ports" ]; then
${fwcmd} add 3499 count log ip4 from any to me "$user_tcp_ports" tcpflags syn,!ack,!fin,!rst in
${fwcmd} add 3500 allow ip4 from any to me "$user_tcp_ports" tcpflags syn,!ack,!fin,!rst in limit src-addr 10
fi
# IPv6 SSH and user rules (if IPv6 is available)
if [ "$ipv6_available" -eq 1 ]; then
if [ -n "$ssh_ips" ] && [ -n "$ssh_port" ]; then
${fwcmd} add 3599 count log ip6 from "$ssh_ips" to me6 "$ssh_port" tcpflags syn,!ack,!fin,!rst in
${fwcmd} add 3600 allow ip6 from "$ssh_ips" to me6 "$ssh_port" tcpflags syn,!ack,!fin,!rst in limit dst-addr 2
fi
if [ -n "$user_tcp_ports" ]; then
${fwcmd} add 3699 count log ip6 from any to me6 "$user_tcp_ports" tcpflags syn,!ack,!fin,!rst in
${fwcmd} add 3700 allow ip6 from any to me6 "$user_tcp_ports" tcpflags syn,!ack,!fin,!rst in limit src-addr 10
fi
fi
#################################
# Inbound Internal Traffic
#################################
# Deny any inbound traffic to me that hasn't been explicitly allowed
if [ "$log_default_deny" = "yes" ]; then
${fwcmd} add 3800 deny log ip from any to me in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 3900 deny log ip from any to me6 in
fi
else
${fwcmd} add 3800 deny ip from any to me in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 3900 deny ip from any to me6 in
fi
fi
# Allow all traffic passing through the bridge interface (if available)
if [ -n "$bridge_if" ] && ifconfig "$bridge_if" >/dev/null 2>&1; then
${fwcmd} add 4000 allow ip from any to any tcpflags syn,!ack,!fin,!rst in via "$bridge_if" record-state
${fwcmd} add 4010 allow ip from any to any proto udp in via "$bridge_if" record-state
fi
#################################
# Final Rule: Deny all other traffic
#################################
# Deny any traffic that hasn't been explicitly allowed
if [ "$log_default_deny" = "yes" ]; then
${fwcmd} add 65534 deny log ip from any to any
else
${fwcmd} add 65534 deny ip from any to any
fi