  1. #!/bin/sh
  2.  
  3. # This is an attempt at an ipfw config for a cluster with a master node and many
  4. # compute nodes. The master node is acting as a gateway for the compute nodes
  5. # in the LAN (192.168.0.0/24).
  6. #
  7. # A jail running on one of the compute nodes with address 192.168.0.118 is to be
  8. # accessible from the outside (using redirect_addr 192.168.0.118
  9. # 129.173.118.118). The address 129.173.118.118 is an alias for the WAN
  10. # interface that will only be used to direct traffic to this jail.
  11. #
  12. # Incoming traffic on port 44622 should be redirected to port 22 on the compute
  13. # node with address 192.168.0.101.
  14. #
  15. # No outgoing traffic is to be blocked from either the master node or the
  16. # compute nodes.
  17.  
  18. # Ensure net.inet.ip.fw.one_pass is set to 0
  19.  
  20. cmd="/sbin/ipfw -q"
  21. lanif="bge0"
  22. wanif="bge1"
  23.  
  24. # flush existing rules
  25. $cmd -f flush
  26.  
  27. # incoming nat
  28. $cmd nat 1 config if $wanif \
  29. reset \
  30. same_ports \
  31. unreg_only \
  32. redirect_port tcp 192.168.0.101:22 44622 \
  33. redirect_addr 192.168.0.118 129.173.118.118
  34.  
  35. # set up loopback
  36. $cmd add allow all from any to any via lo0
  37. $cmd add deny all from any to 127.0.0.0/8
  38. $cmd add deny ip from 127.0.0.0/8 to any
  39.  
  40. # no restrictions on bridge0 or tun0
  41. $cmd add allow all from any to any via bridge0
  42. $cmd add allow all from any to any via tun0
  43.  
  44. # no restrictions on lanif
  45. $cmd add allow all from any to any via $lanif
  46.  
  47. # catch spoofing from outside
  48. $cmd add deny ip from any to any in not antispoof
  49.  
  50. # incoming traffic that needs nat
  51. $cmd add nat 1 ip4 from any to me in recv $wanif
  52.  
  53. # this rule must be directly after incoming nat
  54. $cmd add check-state
  55.  
  56. # outgoing traffic to block here
  57.  
  58. # allow all other outgoing connections by skipping processing to the outbound nat rule, 10000
  59. $cmd add skipto 10000 tcp from any to any out xmit $wanif setup keep-state
  60. $cmd add skipto 10000 udp from any to any out xmit $wanif keep-state
  61.  
  62. # incoming
  63. $cmd add allow tcp from any to me 80,443,44422 in recv $wanif setup keep-state
  64.  
  65. # Rules for allowing packets to services which are listening on a LAN interface behind the NAT
  66. $cmd add skipto 10000 tcp from any to any 44622 in recv $wanif setup keep-state
  67.  
  68. # nat for outgoing packets
  69. $cmd add 10000 nat 1 ip4 from any to any out xmit $wanif
  70. #$cmd add 10000 nat 1 ip4 from 192.168.0.0/24 to any out
  71.  
  72. # allow anything else
  73. $cmd add allow ip from any to any via $wanif