Legal (copyleft): Permission to copy and derive is granted freely. No guarantees. Use at your own risk. Document created in 2011.
This is a basic firewall script for a FreeBSD system that connects to the Internet as a DHCP client (to a broadband modem or router). Follow the instructions in its comments.
#!/bin/sh
# Start firewall.
#
# This firewall was developed on FreeBSD 8.0 for a computer
# connected to the Internet as a DHCP client.
# The possibility of this computer being the server/router/NAT was ignored.
#
# This is a replacement for the default FreeBSD firewall script.
# To start this firewall script at startup, edit /etc/rc.conf:
# ..............................................................................
# # Enable firewall.
# firewall_enable="YES"
# firewall_script="/etc/custom_firewall"
# ..............................................................................
#
# Hints, tips:
# To find the IP addresses of DNS servers etc. for DHCP:
# cat /var/db/dhclient.leases*
#-------------------------------------------------------------------------------

#------------------ CONFIGURATION BEGIN -------------------
FWCMD="ipfw -q"
ROUTER_DNS_SERVER_1=123.123.123.123 # -- EDIT ME --
ROUTER_DNS_SERVER_2=123.123.123.123 # -- EDIT ME --
# ROUTER_DNS_SERVER_3 .. ROUTER_DNS_SERVER_5 are optional; set them here
# if your DHCP lease lists more servers. Unset variables are skipped below.
#------------------ CONFIGURATION END --------------------

# Load ipfw kernel module (already-loaded is not an error, so hide the message).
kldload ipfw 2>/dev/null

# Flush/reset firewall.
# After the flush only ipfw's default rule (65535) remains; on the stock
# module it denies everything, so every permitted flow must be listed below.
$FWCMD -f flush

# Protect loopback/local.
$FWCMD add 100 pass all from any to any via lo0
$FWCMD add 200 deny all from any to 127.0.0.0/8
$FWCMD add 300 deny ip from 127.0.0.0/8 to any

# Allow this host to send packets anywhere.
$FWCMD add pass all from me to any

# Allow packets from private networks.
# Note: everything on these ranges is trusted fully; tighten if the LAN is not.
$FWCMD add pass all from 10.0.0.0/8 to me
$FWCMD add pass all from 192.168.0.0/16 to me

# Allow router and DNS servers (only the variables that are set produce a rule).
[ "$ROUTER_DNS_SERVER_1" != "" ] && $FWCMD add pass all from $ROUTER_DNS_SERVER_1 to me
[ "$ROUTER_DNS_SERVER_2" != "" ] && $FWCMD add pass all from $ROUTER_DNS_SERVER_2 to me
[ "$ROUTER_DNS_SERVER_3" != "" ] && $FWCMD add pass all from $ROUTER_DNS_SERVER_3 to me
[ "$ROUTER_DNS_SERVER_4" != "" ] && $FWCMD add pass all from $ROUTER_DNS_SERVER_4 to me
[ "$ROUTER_DNS_SERVER_5" != "" ] && $FWCMD add pass all from $ROUTER_DNS_SERVER_5 to me

# Allow established connections.
$FWCMD add pass tcp from any to any established
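As an added example (not part of the original script), the shell fragment below reads the router and DNS server addresses out of the ISC dhclient lease file that the script's hint points at, and prints the matching ipfw "pass" rules instead of relying on hand-edited ROUTER_DNS_SERVER_n values. The lease text is constructed for the example and the function names (dhcp_option, is_ipv4, ipfw_rules_from_leases) are my own.

```shell
#!/bin/sh
# Added example: derive the "-- EDIT ME --" router/DNS addresses from an ISC
# dhclient lease file instead of typing them. Lease text below is constructed.
SAMPLE_LEASES='lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
  expire 1 2011/05/16 09:00:00;
}
lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,8.8.8.8;
  expire 2 2011/05/17 09:00:00;
}'

# dhcp_option LEASE_TEXT OPTION_NAME: print the option's values from the
# LAST lease block (dhclient appends, so the last block is the current lease),
# space-separated, with the trailing ';' and the list commas removed.
dhcp_option() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        /^lease/ { val = "" }               # new block: discard older value
        $1 == "option" && $2 == opt {
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
            sub(/;[ \t]*$/, "", val)
            gsub(/[ \t]/, "", val); gsub(/,/, " ", val)
        }
        END { print val }'
}

# Only dotted quads may reach ipfw: a malformed lease line must never be
# spliced into a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print (do not run) one "pass" rule per router and DNS server in the lease,
# the equivalent of the ROUTER_DNS_SERVER_n lines in the script above.
ipfw_rules_from_leases() {
    for addr in $(dhcp_option "$1" routers) $(dhcp_option "$1" domain-name-servers); do
        is_ipv4 "$addr" && echo "ipfw -q add pass all from $addr to me"
    done | sort -u
}

ipfw_rules_from_leases "$SAMPLE_LEASES"
```

Point it at the real file with `ipfw_rules_from_leases "$(cat /var/db/dhclient.leases*)"` and review the printed rules before pasting them into the configuration section.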