
Untitled

a guest
Dec 14th, 2018
  1. #!/bin/sh
  2. fwcmd="/sbin/ipfw -q"
  3. LanOut="em1"
  4. LanIn="em0"
  5. IpOut="91.234.180.200"
  6. ${fwcmd} -f flush
  7. ${fwcmd} add allow all from any to any via lo0
  8. ${fwcmd} add check-state
  9. ${fwcmd} add deny ip from any to 127.0.0.0/8
  10. ${fwcmd} add deny ip from 127.0.0.0/8 to any
  11. ${fwcmd} add deny ip from any to 10.0.0.0/8
  12. ${fwcmd} add deny ip from any to 169.254.0.0/16
  13. ${fwcmd} add deny ip from any to 240.0.0.0/4
  14. ${fwcmd} add deny tcp from any to any 135-139,445
  15. ${fwcmd} add deny udp from any to any 135-139,445
  16. ${fwcmd} add deny icmp from any to any frag
  17. ${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${LanIn}
  18. ${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${LanIn}
  19. ${fwcmd} add deny MAC any ff:ff:ff:ff:ff:ff
  20. ${fwcmd} add allow ip from 192.168.0.0/16 to any via ${LanIn}
  21. ${fwcmd} add allow ip from any to 192.168.0.0/16 via ${LanIn}
  22. #${fwcmd} add allow ip from any to any 21
  23. ################# TARIFFS ###############################
  24. #---------- tariff WI-FI 900 ---------------------------
  25. ${fwcmd} add allow ip from table\(10\) to any in recv ng*
  26. ${fwcmd} add allow ip from any to table\(10\) out xmit ng*
  27. #################### NAT ##############################
  28. ${fwcmd} add nat 1 ip from 172.16.0.0/16 to any
  29. ${fwcmd} add nat 1 ip from 192.168.1.0/24 to any
  30. ${fwcmd} add nat 1 ip from any to ${IpOut} via ${LanOut}
  31. ################ RULES #################################
  32. #${fwcmd} add pipe tablearg ip from any to table\(10\) out xmit ng*
  33. ${fwcmd} add deny icmp from any to any in icmptype 5,9,13,14,15,16,17
  34. ${fwcmd} add allow icmp from any to any
  35. ${fwcmd} add deny icmp from any to 255.255.255.255 via ${LanOut}
  36. ${fwcmd} add allow ip from any to 172.16.0.0/16 in via ${LanOut}
  37. ${fwcmd} add allow ip from any to 192.168.0.0/16 in via ${LanOut}
  38. ${fwcmd} add allow ip from 172.16.0.0/16 to any out via ${LanOut}
  39. ${fwcmd} add allow ip from 192.168.0.0/16 to any out via ${LanOut}
  40. ${fwcmd} add deny ip from 10.0.0.0/8 to any via ${LanOut}
  41. ${fwcmd} add deny ip from 0.0.0.0/8 to any via ${LanOut}
  42. ${fwcmd} add deny ip from 172.16.0.0/12 to any via ${LanOut}
  43. ${fwcmd} add deny ip from 169.254.0.0/16 to any via ${LanOut}
  44. ${fwcmd} add deny ip from 192.168.0.0/16 to any via ${LanOut}
  45. ${fwcmd} add deny ip from 240.0.0.0/4 to any via ${LanOut}
  46. ${fwcmd} add deny ip from 224.0.0.0/4 to any via ${LanOut}
  47. ${fwcmd} add deny tcp from any to ${IpOut} in via ${LanOut} tcpflags syn,!ack
  48. ${fwcmd} add allow udp from any to any 123 via ${LanOut}
  49. ${fwcmd} add deny tcp from any to any 113 via ${LanOut}
  50. ${fwcmd} add deny tcp from any to any 113 via ${LanOut}
  51. ${fwcmd} add deny tcp from any to any 81 via ${LanOut}
  52. ${fwcmd} add deny all from any to any frag
  53. ${fwcmd} add allow ip from any to 91.234.180.0/22 via ${LanOut}
  54. ${fwcmd} add allow all from any to any
  55. ${fwcmd} add deny all from any to any