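#!/bin/sh
#
# ipfw ruleset for a small FreeBSD router.
#
# Interfaces:
#   re0:   Interface facing Internet (address obtained by DHCP)
#   re1:   LAN internal interface
#   wlan0: Wifi internal interface
#   tun0:  OpenVPN tunnel
#
# Policy: loopback, the internal interfaces and the VPN tunnel are not
# filtered at all; only re0 is filtered, and anything not explicitly
# allowed below falls through to the implicit default deny rule.

# Abort on the first failing ipfw command and on any unset variable, so a
# typo in a variable name cannot silently turn into an empty (and therefore
# malformed or overly broad) rule operand.
set -eu

# NAT instance number, used for both directions on re0.
readonly NAT_ID=123

# Private address space (RFC 1918), as one comma-separated list with no
# spaces so it can be handed to ipfw as a single quoted word.
readonly RFC1918="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"

# Internal networks that are NATed when they leave through re0.
readonly INTERNAL_LANS="10.1.2.96/27,10.1.3.24/29"

#######################################
# Run one ipfw command quietly.
# Arguments: ipfw sub-command and its operands
# Returns:   ipfw's exit status
#######################################
fw() {
  /sbin/ipfw -q "$@"
}

# Flush out the list before we begin.
fw -f flush

# No filtering on loopback, internal interfaces and the OpenVPN tunnel.
fw add pass ip from any to any via lo0
fw add pass ip from any to any via lo1
fw add pass ip from any to any via re1
fw add pass ip from any to any via wlan0
fw add pass ip from any to any via tun0

# Create the NAT instance bound to re0 (unreg_only: only translate packets
# whose source address is unregistered/private).
fw nat "${NAT_ID}" config if re0 same_ports unreg_only reset

# Check incoming packets against the NAT table.
fw add nat "${NAT_ID}" ip from any to any in via re0

# Match incoming packets against the dynamic (stateful) table populated by
# the keep-state rules below.
fw add check-state

# Outbound traffic originated by the router itself, with state kept so the
# replies are accepted by check-state above.
# ICMP
fw add pass icmp from me to any out via re0 keep-state
# DNS
fw add pass udp from me to any 53 out via re0 keep-state
# NTP
fw add pass udp from me to any 123 out via re0 keep-state
# OpenVPN
fw add pass udp from me to any 1195 out via re0 keep-state

# NOTE(review): no rule here allows DHCP (udp 67/68) on re0.  FreeBSD's
# dhclient exchanges its packets through BPF rather than the IP stack, so
# ipfw presumably never sees them -- confirm before relying on it, and add
# an explicit rule if a different DHCP client is ever used.

# Never emit packets with an RFC1918 destination on the Internet (in case
# the tunnel is down).  NOTE: when re0 itself sits in RFC1918 space (e.g.
# behind an ISP box), this also blocks direct traffic from the router to
# that upstream subnet; add an exception above this rule if that is needed.
fw add deny ip from any to "${RFC1918}" out via re0

# NAT internal networks when they exit to the Internet.  The variable name
# must match the one defined above; under set -u a mismatch aborts the
# script instead of producing a rule with an empty source.
fw add nat "${NAT_ID}" ip from "${INTERNAL_LANS}" to any out via re0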
- [manager@router]~> sudo ipfw -a l
- ipfw: DEPRECATED: 'l' matched 'list' as a sub-string
- 00100 0 0 allow ip from any to any via lo0
- 00200 0 0 allow ip from any to any via lo1
- 00300 6 408 allow ip from any to any via re1
- 00400 6 408 allow ip from any to any via wlan0
- 00500 24 2284 allow ip from any to any via tun0
- 00600 134 15118 nat 123 ip from any to any in via re0
- 00700 0 0 check-state
- 00800 0 0 allow icmp from me to any out via re0 keep-state
- 00900 7 484 allow udp from me to any dst-port 53 out via re0 keep-state
- 01000 48 3648 allow udp from me to any dst-port 123 out via re0 keep-state
- 01100 86 10979 allow udp from me to any dst-port 1195 out via re0 keep-state
- 01200 0 0 deny ip from any to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 out via re0
- 01300 0 0 nat 123 ip from 10.239.142.96/27,10.239.143.24/29 to any out via re0
- 65535 0 0 deny ip from any to any
- [manager@router]~> sysrc ifconfig_re0
- ifconfig_re0: DHCP
- [manager@router]~> ifconfig re0
- re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
- options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
- ether 00:0d:b9:33:13:24
- inet6 fe80::20d:b9ff:fe33:1324%re0 prefixlen 64 scopeid 0x1
- inet 192.168.100.70 netmask 0xffffff00 broadcast 192.168.100.255
- nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
- media: Ethernet autoselect (1000baseT <full-duplex>)
- status: active
- [manager@router]~> uname -a
- FreeBSD olivier 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r275821M: Thu Dec 18 01:39:49 CET 2014 root@SM1.orange.bsdrp.net:/usr/obj/EINE.amd64/usr/local/BSDRP/EINE/FreeBSD/src/sys/amd64 amd64
- => How can it get an IP address by DHCP?