jwiegley / jw.firewall
watch download tarball
public
Forks0Right
Watchers1Right
Description: A rigorous set of firewall scripts for BSD ipfw, and Linux iptables
Homepage:
Clone URL: git://github.com/jwiegley/jw.firewall.git
jw.firewall / limit
100755 36 lines (25 sloc) 1.157 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

#!/bin/bash
 
# example: limit tap0 66.210.250.45 [tor]
 
vpn_intf=$1
vpn_addr=$2
torify=$3
 
IPFW="/sbin/ipfw -q"
 
#$IPFW set disable 4		# Disable outbound ICMP and DHCP
$IPFW set disable 11		# Disable all outbound traffic
 
$IPFW delete set 12
$IPFW set disable 12
 
# Allow only OpenVPN traffic
$IPFW add 12000 set 12 allow udp from me to $vpn_addr 1194 out keep-state
$IPFW add 12010 set 12 allow tcp from me to $vpn_addr 22 out setup keep-state
$IPFW add 12020 set 12 allow icmp from me to $vpn_addr out keep-state
 
$IPFW add 12100 set 12 allow tcp from any to any via $vpn_intf setup keep-state
$IPFW add 12110 set 12 allow ip from any to any via $vpn_intf keep-state
 
# If we are torrified, also block DNS traffic from leaking out
if [[ ! -z "$torify" ]]; then
    $IPFW add 12200 set 12 reject udp from any 53 to any out keep-state
    $IPFW add 12210 set 12 reject udp from any to any 53 out keep-state
fi
 
# Finally, continue to allow access to and from Parallels
$IPFW add 12300 set 12 allow tcp from any to any via \{ en2 or en3 \} setup keep-state
$IPFW add 12310 set 12 allow ip from any to any via \{ en2 or en3 \} keep-state
 
$IPFW set enable 12