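#!/usr/local/bin/bash
#
# Rate limits for securing a network.
#
# Installs ipfw dummynet pipes that throttle ICMP, UDP and IGMP leaving the
# internal networks, plus "count log" rules that record matching traffic so
# DoS attacks (and internal DoS problems) show up in the logs.
#
# The per-rule log limits (logamount) are only reset by the following crontab
# entries; without them the rules go quiet once the limit is reached.  Note
# that the trailing redirection applies only to the last command on each
# line, and "*/60" in the minute field matches minute 0 only, i.e. hourly:
#   */5 * * * * /sbin/ipfw -q resetlog 00215; /sbin/ipfw -q resetlog 00315; /sbin/ipfw -q resetlog 00415 >/dev/null 2>&1
#   */10 * * * * /sbin/ipfw -q resetlog 00216 >/dev/null 2>&1
#   */60 * * * * /sbin/ipfw -q resetlog 00217; /sbin/ipfw -q resetlog 00317; /sbin/ipfw -q resetlog 00417 >/dev/null 2>&1
#
# NOTE(review): ipfw "log" rules only write to syslog when the
# net.inet.ip.fw.verbose sysctl is enabled, and whether a packet that was sent
# through a pipe still reaches the count/log rules numbered after it depends
# on net.inet.ip.fw.one_pass — confirm both on the host before relying on the
# log output.
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
# April 2002
#

set -euo pipefail

# ipfw binary.  Defaults to PATH lookup like the original; set IPFW=/sbin/ipfw
# (the path the crontab entries use) when running from a minimal environment.
readonly IPFW=${IPFW:-ipfw}

# Internal networks whose outbound ICMP/UDP/IGMP is rate limited.
readonly -a INTERNAL_NETS=(10.0.0.0/24 192.168.0.192/27)

# Rule numbers owned by this script.  312 was missing from the original delete
# list, so re-running the script duplicated the DNS/NTP rules.  316 and 416 are
# not created below but stay in the list so leftovers from earlier rulesets are
# removed as well.
readonly -a OWNED_RULES=(210 211 215 216 217 310 311 312 315 316 317 410 411 415 416 417)

#######################################
# Send matching traffic from every internal network into a dummynet pipe.
# Arguments:
#   $1 - rule number
#   $2 - pipe number
#   $3 - protocol (icmp, udp, igmp)
#   remaining arguments - extra match options such as "frag" (may be empty)
#######################################
limit_internal() {
  local rule=$1 pipe=$2 proto=$3
  shift 3
  local net
  for net in "${INTERNAL_NETS[@]}"; do
    "$IPFW" add "$rule" pipe "$pipe" "$proto" from "$net" to any "$@"
  done
}

#######################################
# Count and log traffic destined to every internal network.
# Arguments:
#   $1 - rule number
#   $2 - logamount (log entries allowed before the next resetlog)
#   $3 - protocol (icmp, udp, igmp)
#   remaining arguments - extra match options (may be empty)
#######################################
log_to_internal() {
  local rule=$1 amount=$2 proto=$3
  shift 3
  local net
  for net in "${INTERNAL_NETS[@]}"; do
    "$IPFW" add "$rule" count log logamount "$amount" "$proto" from any to "$net" "$@"
  done
}

# Start from a clean slate so re-running the script does not duplicate rules.
# On a fresh host none of these rules exist yet and ipfw complains about each
# one; that is expected and must not abort the install under set -e.
"$IPFW" delete "${OWNED_RULES[@]}" || true

#
# ICMP rate limits and logging
#
# rate limit icmp from any internal address to any external address
limit_internal 00210 1 icmp frag
"$IPFW" pipe 1 config bw 5Kbit/s queue 5Kbytes
limit_internal 00211 2 icmp
"$IPFW" pipe 2 config bw 10Kbit/s queue 10Kbytes

# log icmp traffic
"$IPFW" add 00215 count log logamount 100 icmp from any to any frag
"$IPFW" add 00216 count log logamount 100 icmp from any to any icmptypes 8,0
log_to_internal 00217 50 icmp icmptypes 3,4,5,9,10,11,12,13,14,15,16,17,18

#
# UDP rate limits and logging
#
# rate limit udp from any internal address to any external address
limit_internal 00310 4 udp frag
"$IPFW" pipe 4 config bw 40Kbit/s queue 10Kbytes
limit_internal 00311 5 udp
"$IPFW" pipe 5 config bw 40Kbit/s queue 20Kbytes

# DNS and NTP get their own, wider pipe (6) so lookups are not starved by the
# general UDP limit in pipe 5.  The original sent these rules to pipe 5 and
# left pipe 6 configured but unused.
# NOTE(review): because 00311 is numbered first, queries *originating* from
# the internal networks may already be shaped by pipe 5 before reaching 00312
# (see the one_pass note at the top); renumbering 00312 below 00311 would
# change that, but is left as-is here since the crontab/delete lists reference
# these numbers.
"$IPFW" add 00312 pipe 6 udp from any 53 to any
"$IPFW" add 00312 pipe 6 udp from any to any 53
"$IPFW" add 00312 pipe 6 udp from any 123 to any 123
"$IPFW" pipe 6 config bw 200Kbit/s queue 20Kbytes

# log udp traffic: fragments, and DNS traffic leaving for external resolvers
"$IPFW" add 00315 count log logamount 100 udp from any to any frag
for net in "${INTERNAL_NETS[@]}"; do
  "$IPFW" add 00317 count log logamount 50 udp from any to not "$net" 53
done

#
# IGMP rate limits and logging
#
# rate limit igmp from any internal address to any external address
limit_internal 00410 7 igmp frag
"$IPFW" pipe 7 config bw 5Kbit/s queue 5Kbytes
limit_internal 00411 8 igmp
"$IPFW" pipe 8 config bw 5Kbit/s queue 5Kbytes

# log igmp traffic
"$IPFW" add 00415 count log logamount 100 igmp from any to any frag
log_to_internal 00417 50 igmp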