ipfw configuration

Hier eine ipfw-Konfiguration, an der ich gerade bastele. Sie soll einige Ports an den Host durchreichen, andere an Jails, und festlegen bzw. limitieren, auf welchen Ports Jails und Host nach draußen kommunizieren dürfen. Außerdem soll der erste Verbindungsaufbau einer SSH-Verbindung um eine Sekunde verzögert werden, was Brute-Force-Angriffe unattraktiver macht.

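# /usr/local/etc/2015-10-01.ipfw
# ================================================================================
# ipfw ruleset for a host with jails behind in-kernel NAT on vtnet0.
# Load it with `ipfw -q /usr/local/etc/2015-10-01.ipfw`: every line is an ipfw
# command without the leading "ipfw", and -q also suppresses the confirmation
# prompt that `flush` would otherwise raise.  Rules are tried in ascending
# number order; the first terminal action (allow/deny/pipe/nat) ends the search.
#
# clean up/ reset everything...
flush
queue flush
pipe flush
table all flush
resetlog

# ================================================================================
# table 1: dns -- the resolvers the host may query (used by rule 1400)
table 1 add 213.133.99.99
table 1 add 213.133.100.100
table 1 add 213.133.98.98

# table 2: jails -- the jail network.  NOTE(review): no rule below references
# table(2) yet, so this entry currently has no effect.
table 2 add 10.0.0.0/24

# nat
# Masquerade through vtnet0; redirect_port maps inbound TCP 172.31.1.100:80 to
# the jail at 10.0.0.100:8080.  NOTE(review): without `deny_in` the instance
# appears to let inbound packets that have no translation entry pass through
# untranslated -- see the UDP rule at the end of the file.
nat 1 config if vtnet0 redirect_port tcp 10.0.0.100:8080 172.31.1.100:80

# pipes (requires kldload dummynet)
# pipe 1: 1000 ms delay, applied to the first SYN of inbound ssh connections.
# pipe 2: 200 ms delay, not used by any rule in this file.
pipe 1 config delay 1000
pipe 2 config delay  200

# ================================================================================
# loopback: accept everything on lo0, then drop loopback addresses that show
# up on any other interface (they are never legitimate on the wire).
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8    // ipv4 lo0 inbound
add 300 deny ip  from 127.0.0.0/8 to any    // ipv4 lo0 outbound
add 400 deny all from any to ::1            // ipv6 lo0 inbound
add 500 deny all from ::1 to any            // ipv6 lo0 outbound

# icmp: every ICMP type is accepted (no icmptypes filter).  Rule 1100 is the
# only one placed in set 1 (the others use the default set 0), presumably so
# that IPv6 ICMP can be switched off on its own with `ipfw set disable 1`.
add 1000 set 0 allow icmp      from any to me  in via vtnet0 // icmp4 incoming
add 1100 set 1 allow ipv6-icmp from any to me6 in via vtnet0 // icmp6 incoming
add 1200 set 0 allow icmp      from me to any out via vtnet0 // icmp4 outgoing

# ================================================================================
# dns: queries only to the resolvers in table 1.  There is no keep-state here,
# so the replies are not matched by check-state; they presumably get in through
# the UDP nat rule at the end (see the NOTE there).
add 1400 allow udp from me to table(1) 53 out   // allow dns

# slow down first ssh connection (setup) by using pipe 1...
# Only the SYN (setup) goes through the 1 s pipe; every later segment of the
# connection matches 1600 directly.  The delayed SYN is accepted when it leaves
# the pipe because net.inet.ip.fw.one_pass defaults to 1; with one_pass=0 it
# would be reinjected at the next rule and end up at the final deny.
add 1500 allow  tcp from me 22 to any           // ssh->any
add 1600 allow  tcp from any to me 22 not setup // any->me(22), not setup
add 1700 pipe 1 tcp from any to me 22 setup     // any->me(22), setup

# ================================================================================
# stateful outgoing: 2100 records a dynamic rule per outgoing TCP connection and
# 2000 lets the matching return traffic in.  `me` matches every address
# configured on the host, which presumably includes the jail aliases, so jails
# are not port-limited by this rule yet.  NOTE(review): the state is recorded
# with the jail's private address before nat (rule 64200) rewrites it; replies
# addressed to the public address will not match that state -- verify jail TCP
# egress actually works.
add 2000 check-state
add 2100 allow ip from me to any setup keep-state out // outgoing connections

# ================================================================================
# nat.  With one_pass=1 a packet is accepted as soon as it leaves the nat
# instance.  These three rules used to share number 64000; distinct numbers keep
# `ipfw delete 64000` / `ipfw show 64000` unambiguous without changing the
# evaluation order.
# NOTE(review): 64000 sends *all* UDP, inbound included, through the nat
# instance, and untranslated packets are passed (no deny_in) -- in effect an
# allow for every inbound UDP port on the host.
add 64000 nat 1 udp from any to any                  // udp->nat
add 64100 nat 1 tcp from any to me dst-port 80  in   // tcp->nat
add 64200 nat 1 tcp from me to any              out  // nat->any

# ================================================================================
# default deny, logged.  Logging needs net.inet.ip.fw.verbose=1; without a
# logamount option the number of logged packets is capped by
# net.inet.ip.fw.verbose_limit (resetlog above clears that counter).
add 65000 deny log ip from any to any // deny everything else, but log it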