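#!/bin/sh
#
# ipfw ruleset for a single host that optionally NATs and routes a few
# private networks.  Run as root (normally from an rc script).
#
# ipfw evaluates rules by number; rules added here without an explicit
# number get increasing auto-assigned numbers, so they are installed in the
# order written and land before the explicitly numbered 20000/30000 rules
# (as long as the unnumbered list stays short).  Resulting layout:
#   loopback -> check-state -> inbound NAT divert -> host allow rules ->
#   "deny ... to me in" -> skipto 30000 for routed nets ->
#   20000 deny everything else -> 30000 outbound NAT divert -> final allow.
#
# Failures are no longer silent: a rejected rule or a natd start failure is
# reported on stderr and the script exits non-zero once the ruleset is built
# (it keeps going so that the deny rules are always installed).

fwcmd="/sbin/ipfw -q"

# Earlier natd invocations, kept for reference (not executed):
# /usr/sbin/natd -alias_address 192.168.230.5 -interface en0 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0
# /usr/sbin/natd -interface ppp0 -dynamic -clamp_mss -punch_fw 20000

# Number of steps that failed; reported at the end.
nfail=0

# Print a message to stderr and abort.  Only used for steps without which the
# rest of the ruleset makes no sense (the firewall cannot be flushed).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Add one ipfw rule ("rule add ...").  `-q` only silences success output, so
# a rule ipfw rejects is still reported; here it is also counted instead of
# being skipped unnoticed, which would leave a hole in the ruleset.
rule() {
  # shellcheck disable=SC2086  # fwcmd deliberately holds command + options
  ${fwcmd} "$@" || {
    printf 'ipfw rejected: %s\n' "$*" >&2
    nfail=$((nfail + 1))
  }
}

/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
# NOTE(review): forwarding is enabled unconditionally, even when nets_forward
# is empty; the 20000 deny rules below still block forwarded traffic, but a
# host that never routes could leave this at 0.
/usr/sbin/sysctl -w net.inet.ip.forwarding=1
/usr/sbin/sysctl -w net.inet.ip.check_interface=1

# shellcheck disable=SC2086  # fwcmd deliberately holds command + options
${fwcmd} flush || die "ipfw flush failed; ruleset not rebuilt"

# Networks and hosts referenced by the rules.  net_hsc and net_stage are
# currently unused and kept only for reference.
# shellcheck disable=SC2034
net_hsc="192.70.106.0/24"
net_consultants="192.70.106.64/26"
# shellcheck disable=SC2034
net_stage="192.70.106.128/27"
net_maison="192.168.230.0/24"
itesec="192.70.106.33"
ports_consultants="22,80,443"
portsudp_consultants="53"
port_mail="25"

# Networks this host is allowed to route (space-separated list), and the
# interface on which they are NATed.  Empty means "no routing / no NAT".
#nets_forward="192.168.230.0/24 192.168.231.0/24"
#nets_forward="192.168.230.1"
#nat_interface="ppp0"
nets_forward=""
nat_interface=""

# Loopback: allow everything on lo0, and drop loopback addresses seen on any
# other interface.
rule add pass all from any to any via lo0
rule add deny all from any to 127.0.0.0/8

# Port-forwarding rules go here, e.g.:
# rule add fwd 127.0.0.1:8080 tcp from 192.168.230.6 to any 80
# Static  : ./netsed tcp 8080 192.70.106.100 80 s/pouette/prout
# Dynamic : ./netsed tcp 8080 0 0 s/pouette/prout

# Match established dynamic (keep-state) sessions first.
rule add check-state

# If NAT is configured, (re)start natd with the right options.
if [ -n "$nat_interface" ]; then
  printf 'Setting NAT\n'
  # Crude, but natd leaves no pid file: kill any running instance and give
  # it time to release the divert socket before starting a new one.
  killall natd && sleep 10
  # Without a running natd the divert rules below send packets to a divert
  # port nothing is bound to, and ipfw drops them; report it rather than
  # discovering it from the silence.
  if ! /usr/sbin/natd -interface "$nat_interface" -dynamic -clamp_mss \
      -punch_fw 20000:1000 -same_ports; then
    printf 'natd failed to start on %s; traffic hitting the divert rules will be dropped until it runs\n' \
      "$nat_interface" >&2
    nfail=$((nfail + 1))
  fi
  # Packets addressed to this host arriving on the NAT interface go through
  # natd so that replies to translated connections are un-NATed.
  rule add divert natd ip from any to me recv "$nat_interface"
fi

# Everything is allowed outbound from this host; state is kept so the
# replies match at check-state.
rule add allow tcp from me to any setup keep-state out
rule add allow udp from me to any keep-state out
rule add allow icmp from me to any keep-state out
rule add allow igmp from me to any keep-state out

# Everything is allowed inbound from the home network.
rule add allow tcp from "$net_maison" to me any setup keep-state in
rule add allow udp from "$net_maison" to me any keep-state in
rule add allow icmp from "$net_maison" to me any keep-state in

# From the consultants' network only a few ports are reachable.
rule add allow tcp from "$net_consultants" to me dst-port "$ports_consultants" setup keep-state in
rule add allow udp from "$net_consultants" to me dst-port "$portsudp_consultants" keep-state in
rule add allow icmp from "$net_consultants" to me icmptypes 8 keep-state in

# Inbound mail from the relay.
rule add allow tcp from "$itesec" to me dst-port "$port_mail" setup keep-state in

# Anyone may ping this host (echo request only).
rule add allow icmp from any to me icmptypes 8 keep-state in

# IGMP membership and multicast NTP.
rule add allow igmp from any to 224.0.0.1
rule add allow igmp from any to 224.0.1.1
rule add allow igmp from any to 224.0.0.2
rule add allow igmp from any to 224.0.0.4
rule add allow udp from any to 224.0.1.1 dst-port 123

# DHCP.  NOTE(review): the second rule also admits unicast UDP to 67/68 from
# any source on any interface, including the NAT interface; if DHCP is only
# needed on the LAN side, consider restricting it to that interface
# (e.g. with a `recv <lan-interface>` clause).
rule add allow udp from any to 255.255.255.255 dst-port 67,68
rule add allow udp from any to any dst-port 67,68

# Anything else addressed to this host is denied and logged.
# NOTE(review): with net.inet.ip.fw.verbose=1 each of these logs; on a busy
# link consider a log rate limit (net.inet.ip.fw.verbose_limit, where
# supported) so a scan cannot flood the system log.
rule add deny log udp from any to me in
rule add deny log tcp from any to me in
rule add deny log icmp from any to me in
rule add deny log ip from any to me in

# Traffic from the networks we route jumps to the (optional) outbound NAT
# divert and the final allow.
# shellcheck disable=SC2086  # nets_forward is a space-separated list
for net in ${nets_forward}; do
  rule add skipto 30000 ip from "$net" to any keep-state
  # rule add skipto 30000 ip from any to "$net"
done

# Everything else is blocked (NetBIOS noise without logging, the rest logged).
rule add 20000 deny udp from any to any dst-port 137,138
rule add 20000 deny log udp from any to any
rule add 20000 deny log tcp from any to any
rule add 20000 deny log icmp from any to any
rule add 20000 deny log ip from any to any

# Routed networks land here: NAT them on the way out if configured.
if [ -n "$nat_interface" ]; then
  rule add 30000 divert natd ip from any to any xmit "$nat_interface"
fi

# And off they go.
rule add allow ip from any to any

if [ "$nfail" -gt 0 ]; then
  printf '%d step(s) failed; review the installed ruleset with "ipfw list"\n' "$nfail" >&2
  exit 1
fi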