My ipfw firewall rules

A while ago I spent some time learning FreeBSD's ipfw. Its rule syntax is very simple, close to natural language, and easy to understand.

Of course, a lazy person like me was never going to study it in depth; I basically looked over the syntax and then wrote my own firewall configuration.

This configuration is suitable for ordinary home use. It opens the usual TCP and UDP ports plus SSH and e-mail. It is rather rough and still needs refinement; advice from those more experienced is welcome.

#!/bin/sh
# Rebuild the ruleset from scratch. To load it at boot, set firewall_enable="YES"
# and firewall_script="/path/to/this/script" in /etc/rc.conf.
# Note: the flush also discards existing dynamic state, so an SSH session used to
# run this script is cut off until the rules below are back in place.
/sbin/ipfw -q -f flush

# Allow Loopback Interface
/sbin/ipfw -q add 00010 allow all from any to any via lo0

# Allow packets that match an existing dynamic (keep-state) rule, i.e. the replies
# to connections permitted further down
/sbin/ipfw -q add 00015 check-state

# Allow my access out. This rule used to read "allow all from any to any
# keep-state" with no direction keyword, which also matched inbound packets and
# left every rule below it, including the final deny, unreachable. Restricting it
# to outbound traffic from this host keeps the intent (unrestricted outbound
# access) while inbound traffic is handled by the explicit rules below. It also
# covers the per-service "out" rules further down, which are kept for clarity.
/sbin/ipfw -q add 00050 allow all from me to any out keep-state

# Allow DNS queries (TCP and UDP) to the resolver at 221.228.255.1; replace it with
# the resolver this host actually uses
/sbin/ipfw -q add 00100 allow tcp from any to 221.228.255.1 53 out setup keep-state
/sbin/ipfw -q add 00110 allow udp from any to 221.228.255.1 53 out keep-state

# Allow DHCP client traffic to a DHCP server. Discovery is sent from 0.0.0.0, which
# "me" does not match, so this rule is needed even where outbound traffic from "me"
# is already allowed; "log" records each request
/sbin/ipfw -q add 00140 allow log udp from any to any 67 out keep-state

# Allow outbound web browsing (HTTP and HTTPS) and inbound connections to a local
# web server, limited to 10 concurrent connections per source address
/sbin/ipfw -q add 00180 allow tcp from any to any 80 out setup keep-state
/sbin/ipfw -q add 00190 allow tcp from any to any 443 out setup keep-state
/sbin/ipfw -q add 00200 allow tcp from any to me 80 in setup limit src-addr 10
/sbin/ipfw -q add 00210 allow tcp from any to me 443 in setup limit src-addr 10

# Allow e-mail (SMTP and POP3). Inbound connections are limited to one concurrent
# connection per source address; raise this if other mail servers deliver to this host
/sbin/ipfw -q add 00230 allow tcp from any to any 25 out setup keep-state
/sbin/ipfw -q add 00240 allow tcp from any to me 25 in setup limit src-addr 1
/sbin/ipfw -q add 00250 allow tcp from any to any 110 out setup keep-state
/sbin/ipfw -q add 00260 allow tcp from any to me 110 in setup limit src-addr 1

# Allow outbound TCP connections made by processes running as root (FreeBSD's own
# tools such as pkg and fetch)
/sbin/ipfw -q add 00270 allow tcp from me to any out setup keep-state uid root

# Allow outbound ping; the echo replies are matched by check-state
/sbin/ipfw -q add 00280 allow icmp from any to any out keep-state

# Allow outbound SSH (which also carries SFTP and SCP)
/sbin/ipfw -q add 00290 allow tcp from any to any 22 out setup keep-state

# Deny all inbound ICMP, including public pings. Replies to our own pings were
# already matched by check-state. Note that this also drops ICMP error messages
# such as "fragmentation needed", which can interfere with path MTU discovery
/sbin/ipfw -q add 00310 deny icmp from any to any in

# Allow inbound SSH (SFTP/SCP) from the Internet, limited to 2 concurrent
# connections per source address
/sbin/ipfw -q add 00410 allow tcp from any to me 22 in setup limit src-addr 2

# Allow a local FTP server: inbound control connections on port 21 and active-mode
# data connections opened from port 20. Passive-mode data connections use a
# separate port range and are not covered by these rules
/sbin/ipfw -q add 00500 allow tcp from any to me 21 in setup keep-state
/sbin/ipfw -q add 00510 allow tcp from me 20,21 to any out keep-state

# Deny and log everything else
/sbin/ipfw -q add 60000 deny log all from any to any
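The single most important check on a first-match ruleset like this one is that no early allow rule matches every packet in both directions, because such a rule silently hides everything after it, including the final deny. A rule written as "allow all from any to any keep-state" with no in or out keyword does exactly that. The following lint is an added example and is not part of the original post: it reads an ipfw rule script and reports the numbers of allow rules that match any protocol, any source and any destination without an in, out, via, recv or xmit restriction. It assumes rules are written in the form used above ("/sbin/ipfw [-q] add NUMBER allow [log] PROTO from SRC to DST ..."); the write_sample_rules function writes a constructed, shortened ruleset containing such a rule so the script can be run offline.

```shell
#!/bin/sh
# Added example: lint an ipfw rule script for "catch-all" allow rules.
# Not part of the original post. Assumes lines of the form
# "/sbin/ipfw [-q] add NUMBER ACTION [log] PROTO from SRC to DST [options]".

# Print the rule numbers of "allow" rules that match any protocol, any source
# and any destination and are not limited by in/out/via/recv/xmit. Such a rule
# matches every packet that reaches it and hides every rule after it.
find_catchall_allows() {
    awk '
    $1 ~ /ipfw$/ {
        # locate the "add" keyword so ipfw flags such as -q do not matter
        for (a = 1; a <= NF; a++) if ($a == "add") break
        if (a > NF) next
        num = $(a + 1); i = a + 2
        if ($i != "allow") next
        i++
        if ($i == "log") i++
        # a protocol restriction (tcp, udp, icmp) already narrows the rule
        if ($i != "all" && $i != "ip") next
        i++
        if ($i != "from" || $(i+1) != "any" || $(i+2) != "to" || $(i+3) != "any") next
        i += 4
        scoped = 0
        for (; i <= NF; i++)
            if ($i == "in" || $i == "out" || $i == "via" || $i == "recv" || $i == "xmit")
                scoped = 1
        if (!scoped) print num
    }' "$1"
}

# Write a constructed sample ruleset (modelled on the post, shortened) to the
# file named in $1. Rule 00050 is the catch-all that should be reported;
# 00010 is scoped by "via lo0" and 00280 by "out", so they are not.
write_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
/sbin/ipfw -q -f flush
/sbin/ipfw -q add 00010 allow all from any to any via lo0
/sbin/ipfw -q add 00015 check-state
/sbin/ipfw -q add 00050 allow all from any to any keep-state
/sbin/ipfw -q add 00060 allow ip from me to any
/sbin/ipfw -q add 00280 allow icmp from any to any out keep-state
/sbin/ipfw -q add 00310 deny icmp from any to any in
/sbin/ipfw -q add 60000 deny log all from any to any
EOF
}

# Usage: sh ipfw_lint.sh /path/to/rule-script ; with no argument, lint the sample.
if [ $# -gt 0 ]; then
    find_catchall_allows "$1"
else
    tmp=$(mktemp) || exit 1
    write_sample_rules "$tmp"
    find_catchall_allows "$tmp"      # prints 00050
    rm -f "$tmp"
fi
```

Run it against the real script before loading it with ipfw; any number it prints marks a rule after which the rest of the ruleset, including the final deny, can never be reached. The lint deliberately treats a protocol, port or interface restriction as sufficient scope, so it reports only rules that match literally everything.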