IPFW
Commands:
-
Reload (re-runs the script, which flushes the whole rule set and re-adds every rule):
sh /usr/local/etc/ipfw.sh
-
List the currently loaded rules (add `-a` to include per-rule packet/byte counters):
ipfw list
Example config (/usr/local/etc/ipfw.sh):
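#!/bin/sh
# ipfw rule set for a host whose external side is an epair (jail/VNET).
#
# Layout, in evaluation order (first matching rule wins):
#   1. loopback / anti-spoof sanity rules
#   2. check-state, then stateful (keep-state) rules for connections this
#      host initiates itself: ping, FTP, HTTP/S, DNS
#   3. stateless rule pairs for the services this host serves and the
#      LAN peers it talks to -- each pair is "packets in" + "packets out"
#   4. a final logged deny for everything else
#
# Re-apply with: sh /usr/local/etc/ipfw.sh
# The flush below removes every rule before the new set is added, so only
# the kernel's default rule (65535) is in effect for that short window.

# Flush out first before we begin.
ipfw -q -f flush

#=======================================================#
# Command                                               #
#=======================================================#
# Deliberately left unquoted where used: it must split into "ipfw -q add".
cmd="ipfw -q add"

#=======================================================#
# Interfaces                                            #
#=======================================================#
ext_if="epair0b"

#=======================================================#
# Peers -- change addresses here, not in the rules      #
#=======================================================#
# Upstream resolvers; only needed so nginx can fetch OCSP responses.
# Space-separated list, one TCP+UDP rule pair is generated per entry.
dns_resolvers="8.8.8.8 8.8.4.4"
mail_host="10.0.0.7"        # this host connects out to port 25 here
dns_host="10.0.0.8"         # this host queries port 53 here (TCP and UDP)
plex_peer="10.0.0.5"        # this host connects out to port 32400 here
books_host="10.0.0.13"      # "Books" service, port 8083
home_host="192.168.1.24"    # "Home" (8123), Bitwarden (11080), OnlyOffice (14080)

#=======================================================#
# Firewall settings                                     #
#=======================================================#
# Loopback: allow lo0 traffic, refuse 127/8 addresses on any other interface.
$cmd 00010 allow all from any to any via lo0
$cmd 00020 deny all from 127.0.0.0/8 to any
$cmd 00030 deny all from any to 127.0.0.0/8
# Drop TCP fragments outright; nothing below needs them.
$cmd 00040 deny tcp from any to any frag

# Stateful: match packets belonging to dynamic rules created by keep-state.
$cmd 00110 check-state

# Ping: outbound only; echo replies come back through the dynamic rule.
# NOTE(review): no rule in this set admits unsolicited inbound ICMP, so
# messages from intermediate routers (e.g. "fragmentation needed") end up
# at the final deny -- confirm path MTU is not a concern on this link.
$cmd 00210 allow icmp from me to any out via $ext_if keep-state

# Outgoing connections this host initiates: only the SYN ("setup") has to
# match here, the rest of each connection is admitted by check-state.
# FTP
$cmd 00410 allow tcp from me to any dst-port 20 out via $ext_if setup keep-state
$cmd 00420 allow tcp from me to any dst-port 21 out via $ext_if setup keep-state
# HTTP/S
$cmd 00430 allow tcp from me to any dst-port 80 out via $ext_if setup keep-state
$cmd 00440 allow tcp from me to any dst-port 443 out via $ext_if setup keep-state
# DNS for nginx OCSP stapling: rules 450/455, 460/465, ... one TCP+UDP pair
# per entry in $dns_resolvers (unquoted on purpose, it is a word list).
rule=450
for resolver in $dns_resolvers; do
  $cmd $rule allow tcp from me to $resolver dst-port 53 out via $ext_if setup keep-state
  $cmd $((rule + 5)) allow udp from me to $resolver dst-port 53 out via $ext_if keep-state
  rule=$((rule + 10))
done

# Stateless pairs. "established" on the reply direction limits that rule
# to TCP packets carrying ACK or RST, so a peer cannot open a brand-new
# connection to an arbitrary port on this host just by using the service
# port as its source port. UDP has no such flag; those rules are unchanged.
# Mail: this host connects to $mail_host:25
$cmd 00510 allow tcp from $mail_host to me src-port 25 in via $ext_if established
$cmd 00511 allow tcp from me to $mail_host dst-port 25 out via $ext_if
# DNS: this host queries $dns_host:53
$cmd 00520 allow tcp from $dns_host to me src-port 53 in via $ext_if established
$cmd 00521 allow tcp from me to $dns_host dst-port 53 out via $ext_if
$cmd 00525 allow udp from $dns_host to me src-port 53 in via $ext_if
$cmd 00526 allow udp from me to $dns_host dst-port 53 out via $ext_if
# Webserver: served to anyone on 80 and 443
$cmd 00530 allow tcp from any to me dst-port 80 in via $ext_if
$cmd 00531 allow tcp from me to any src-port 80 out via $ext_if established
$cmd 00540 allow tcp from any to me dst-port 443 in via $ext_if
$cmd 00541 allow tcp from me to any src-port 443 out via $ext_if established
# Plex: served to anyone on 32400, and this host also connects to $plex_peer:32400
$cmd 00550 allow tcp from any to me dst-port 32400 in via $ext_if
$cmd 00551 allow tcp from me to any src-port 32400 out via $ext_if established
$cmd 00560 allow tcp from $plex_peer to me src-port 32400 in via $ext_if established
$cmd 00561 allow tcp from me to $plex_peer dst-port 32400 out via $ext_if
# Books: this host connects to $books_host:8083
$cmd 00570 allow tcp from $books_host to me src-port 8083 in via $ext_if established
$cmd 00571 allow tcp from me to $books_host dst-port 8083 out via $ext_if
# Home: this host connects to $home_host:8123
$cmd 00580 allow tcp from $home_host to me src-port 8123 in via $ext_if established
$cmd 00581 allow tcp from me to $home_host dst-port 8123 out via $ext_if
# Bitwarden: this host connects to $home_host:11080
$cmd 00590 allow tcp from $home_host to me src-port 11080 in via $ext_if established
$cmd 00591 allow tcp from me to $home_host dst-port 11080 out via $ext_if
# OnlyOffice: this host connects to $home_host:14080
$cmd 00610 allow tcp from $home_host to me src-port 14080 in via $ext_if established
$cmd 00611 allow tcp from me to $home_host dst-port 14080 out via $ext_if

# Deny and log everything else (log output depends on the
# net.inet.ip.fw.verbose / verbose_limit sysctls).
$cmd 10000 deny log all from any to any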