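#!/usr/local/bin/bash
#
# Default underlying ipfw firewall for a shell server.
#
# Installs accounting ("count") rules -- per protocol, per UID, per TCP port
# and per local IP address -- whose counters are read for mrtg graphing, then
# default rate-limit pipes for fragments, UDP, ICMP, IGMP and three web hosts.
# Finishes by running /etc/irc-firewall.
#
# Inputs read at run time:
#   /etc/passwd  - one per-UID count rule pair (in/out) is added per user
#   /etc/ports   - whitespace-separated TCP ports to account for
#                  (lines starting with '#' are skipped)
#   ifconfig -a  - local addresses matching LOCAL_IP_REGEX get per-IP counts
#
# Must run as root (ipfw). Safe to re-run: every rule number this script
# creates is deleted first, so counters restart instead of duplicate rules
# accumulating.
#
# Zoidial, Inc.
# Eric Thern, eric (at) zoidial (dot) com
#
# November 1st, 2002
#

# An unset variable is a bug here. -e is deliberately NOT set: deleting rules
# that do not exist yet (first run after boot) is expected to fail and must
# not abort installation of the rest of the rule set.
set -u

# Absolute path on purpose: this runs as root and must not pick up a
# different ipfw from PATH (the original mixed /sbin/ipfw and bare ipfw).
readonly IPFW=/sbin/ipfw

# Every rule number this script adds. All are flushed before being re-added.
# 100 (local UDP allow) and 600 (third web-host pipe) were missing from the
# original delete list, so each re-run duplicated them.
readonly -a OWNED_RULES=(1 2 4 10 100 200 201 202 210 211 212 220 221 222
                         250 251 252 500 550 600)

# Regex selecting our own address ranges in ifconfig output. Dots are escaped
# so that "64.71" cannot also match e.g. "64x71".
readonly LOCAL_IP_REGEX='(64\.71|216\.218)'

#######################################
# add_rule <rule-number> <ipfw rule body...>
# Adds one ipfw rule quietly via $IPFW.
#######################################
add_rule() {
  "$IPFW" -q add "$@"
}

#######################################
# config_pipe <pipe-number> <bandwidth> <queue-size>
# Configures one dummynet pipe.
#######################################
config_pipe() {
  "$IPFW" -q pipe "$1" config bw "$2" queue "$3"
}

# Progress message to stdout (printf rather than echo so "-" is never
# mistaken for an option).
say() {
  printf '%s\n' "$1"
}

# Start from a clean slate for all rule numbers we own. The original deleted
# rule 1, added the protocol counters, then deleted and re-added them again;
# one pass gives the same final rule set.
"$IPFW" -q delete "${OWNED_RULES[@]}"

# Initial per-protocol counters (in and out), rule 00001.
for proto in ip tcp icmp udp; do
  add_rule 00001 count "$proto" from any to any in
  add_rule 00001 count "$proto" from any to any out
done

# Optional: global rate limit (30 Kbyte/s, 10 Kbyte queue) for every jail
# address listed in /jail/JAIL-IPS, one pipe per address. Disabled by
# default. NOTE: the original started numbering at pipe 10, which collides
# with the web-host pipes 10-12 below -- choose a free range if enabling.
#pipe_no=20
#while IFS= read -r jail_ip; do
#  [[ -n "$jail_ip" ]] || continue
#  add_rule 00250 pipe "$pipe_no" ip from "$jail_ip" to any
#  add_rule 00250 pipe "$pipe_no" ip from any to "$jail_ip"
#  config_pipe "$pipe_no" 30Kbytes/s 10Kbytes
#  pipe_no=$((pipe_no + 1))
#done < /jail/JAIL-IPS

say "-"
say "Adding usernames to rule 00002"
say "."
# Per-UID accounting: read the user name field directly instead of
# cat | cut, and skip blank lines and the '#' comment lines a BSD
# /etc/passwd may contain (they would otherwise be passed to ipfw as a uid).
while IFS=: read -r user _; do
  [[ -z "$user" || "$user" == \#* ]] && continue
  add_rule 00002 count ip from any to any uid "$user" in
  add_rule 00002 count ip from any to any uid "$user" out
done < /etc/passwd
say ".."
say "UID counting finished"

say "-"
say "setting up per-port accounting"
say "."
# Per-port accounting: /etc/ports is tokenised on whitespace as before, but
# without globbing, and a token starting with '#' ends that line.
while read -r -a ports_on_line; do
  for port in "${ports_on_line[@]}"; do
    [[ "$port" == \#* ]] && break
    add_rule 00004 count tcp from any to any "$port"
    add_rule 00004 count tcp from any "$port" to any
  done
done < /etc/ports
say ".."
say "Finished setting up per-port accounting"

say "-"
say "setting up per-ip accounting"
say "."
# Per-IP accounting for our own addresses. The original referenced an
# undefined ${countall2} for the outbound rule, so only inbound was counted;
# both directions now use rule 00010.
while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue
  add_rule 00010 count ip from any to "$ip"
  add_rule 00010 count ip from "$ip" to any
done < <(ifconfig -a | grep -E "$LOCAL_IP_REGEX" | cut -f2 -d ' ')
say ".."
say "Finished setting up per-ip accounting"
say "-"

# UDP is allowed freely between our two local networks.
add_rule 00100 allow udp from 216.218.235.0/24 to 216.218.235.0/24
add_rule 00100 allow udp from 216.218.235.0/24 to 64.71.191.192/27
add_rule 00100 allow udp from 64.71.191.192/27 to 64.71.191.192/27
add_rule 00100 allow udp from 64.71.191.192/27 to 216.218.235.0/24

say "adding ipfw pipe configurations"
say "."
# Fragments are logged (capped at 200 entries) and squeezed through a slow
# pipe; whole datagrams get separate in/out pipes per protocol.
add_rule 00200 pipe 1 log logamount 200 udp from any to any frag
add_rule 00201 pipe 2 udp from any to any out
add_rule 00202 pipe 3 udp from any to any in
add_rule 00210 pipe 4 log logamount 200 icmp from any to any frag
add_rule 00211 pipe 5 icmp from any to any out
add_rule 00212 pipe 6 icmp from any to any in
add_rule 00220 pipe 7 log logamount 200 igmp from any to any frag
add_rule 00221 pipe 8 igmp from any to any out
add_rule 00222 pipe 9 igmp from any to any in
# Per-host web traffic pipes (both directions share one pipe per host).
add_rule 00500 pipe 10 tcp from 216.218.235.27 80 to any
add_rule 00500 pipe 10 tcp from any to 216.218.235.27 80
add_rule 00550 pipe 11 tcp from 216.218.235.28 80 to any
add_rule 00550 pipe 11 tcp from any to 216.218.235.28 80
add_rule 00600 pipe 12 tcp from 216.218.235.29 80 to any
add_rule 00600 pipe 12 tcp from any to 216.218.235.29 80
say ".."
say "finished adding ipfw pipes"

say "-"
say "adding the pipe bandwidth configurations"
say "."
config_pipe 1 10Kbit/s 10Kbytes
config_pipe 2 500Kbit/s 20Kbytes
config_pipe 3 500Kbit/s 20Kbytes
config_pipe 4 10Kbit/s 10Kbytes
config_pipe 5 0.2Mbit/s 10Kbytes
config_pipe 6 0.2Mbit/s 10Kbytes
config_pipe 7 10Kbit/s 10Kbytes
config_pipe 8 10Kbit/s 10Kbytes
config_pipe 9 10Kbit/s 10Kbytes
config_pipe 10 350Kbit/s 10Kbytes
config_pipe 11 128Kbit/s 10Kbytes
config_pipe 12 28Kbit/s 10Kbytes
say ".."
say "finished adding the pipe configs"

# Chain to the IRC-specific rule set, which is maintained separately.
/etc/irc-firewall

say "-"
say "Script finished"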