#!/bin/sh
#
# /etc/rc.d/rc.firewall, define the firewall configuration, invoked from
# rc.local.
#

# rc.local gives no guaranteed environment, so pin PATH to the standard
# system directories before any ipfwadm call.
PATH='/sbin:/bin:/usr/sbin:/usr/bin'

# Site configuration.
#   FRONT    - static address of the PPP (remote) interface; must be edited
#   PROTIP   - this host's address on the protected (local) net
#   PROTNET  - network address of the protected net
#   PROTSIZE - its prefix length, including the leading slash; appended to
#              PROTNET to form the CIDR spec passed to ipfwadm
FRONT='your.static.PPP.address'
PROTIP='192.168.255.1'
PROTNET='192.168.0.0'
PROTSIZE='/16'

# Testing aid: wait a while, then flush every chain and set its policy to
# accept, i.e. disable the firewall completely. Uncomment the following lines
# if you want the firewall to switch itself off after 10 minutes.
# (sleep 600; \
# ipfwadm -I -f; \
# ipfwadm -I -p accept; \
# ipfwadm -O -f; \
# ipfwadm -O -p accept; \
# ipfwadm -F -f; \
# ipfwadm -F -p accept; \
# ) &

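# Incoming chain: flush, then default policy deny. The policy is effectively
# unused because the final catch-all rule denies and logs everything else.
# NOTE(review): the exit status of each ipfwadm call is not checked; a failed
# insert leaves the chain partially built with no diagnostic.
ipfwadm -I -f
ipfwadm -I -p deny
# Local interface: local machines may send anywhere.
ipfwadm -I -a accept -V "$PROTIP" -S "${PROTNET}${PROTSIZE}" -D 0.0.0.0/0
# Remote interface claiming a local-net source is spoofed: deny and log.
ipfwadm -I -a deny -V "$FRONT" -S "${PROTNET}${PROTSIZE}" -D 0.0.0.0/0 -o
# Remote interface claiming a loopback source is spoofed as well: deny and
# log. Without this, such a packet addressed to FRONT would be accepted by
# the next rule. (The kernel may already drop these as martians; the chain
# should not depend on that.)
ipfwadm -I -a deny -V "$FRONT" -S 127.0.0.0/8 -D 0.0.0.0/0 -o
# Remote interface: anything addressed to the PPP address itself is accepted.
# No protocol or port filtering is done here, so every service listening on
# FRONT is reachable from outside.
ipfwadm -I -a accept -V "$FRONT" -S 0.0.0.0/0 -D "${FRONT}/32"
# Loopback interface is trusted.
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# Catch-all: everything not matched above is denied and logged (-o). The
# chain policy cannot log, which is why this explicit rule exists.
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o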

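# Outgoing chain: flush, then default policy deny. The policy is effectively
# unused because the final catch-all rule denies and logs everything else.
# NOTE(review): the exit status of each ipfwadm call is not checked; a failed
# insert leaves the chain partially built with no diagnostic.
ipfwadm -O -f
ipfwadm -O -p deny
# Local interface: any source may be sent to the local net.
ipfwadm -O -a accept -V "$PROTIP" -S 0.0.0.0/0 -D "${PROTNET}${PROTSIZE}"
# Remote interface, destination on the local net: broken routing, deny/log.
ipfwadm -O -a deny -V "$FRONT" -S 0.0.0.0/0 -D "${PROTNET}${PROTSIZE}" -o
# Remote interface, source on the local net: packet escaped masquerading,
# deny/log. (The original file carried a third deny rule here that was a
# byte-for-byte duplicate of the destination-on-local-net rule above; it has
# been dropped, the two rules above cover both directions.)
ipfwadm -O -a deny -V "$FRONT" -S "${PROTNET}${PROTSIZE}" -D 0.0.0.0/0 -o
# Remote interface: packets from our own PPP address may go anywhere.
ipfwadm -O -a accept -V "$FRONT" -S "${FRONT}/32" -D 0.0.0.0/0
# Loopback interface is trusted.
ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# Catch-all: everything not matched above is denied and logged (-o). The
# chain policy cannot log, which is why this explicit rule exists.
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o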

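# Forwarding chain: flush, then default policy deny. The policy is effectively
# unused because the final catch-all rule denies and logs everything else.
# NOTE(review): the exit status of each ipfwadm call is not checked; a failed
# insert leaves the chain partially built with no diagnostic.
ipfwadm -F -f
ipfwadm -F -p deny
# Masquerade traffic from the local net that leaves via ppp0 (-W names the
# outgoing interface, i.e. the remote PPP link, not the local one). ppp0 is
# hard-coded here; presumably it is the interface that carries FRONT.
ipfwadm -F -a masquerade -W ppp0 -S "${PROTNET}${PROTSIZE}" -D 0.0.0.0/0
# Catch-all: everything not matched above is denied and logged (-o). The
# chain policy cannot log, which is why this explicit rule exists.
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o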
