nileshgr · June 11, 2021 11:58
diff --git a/ipfw.rules b/ipfw.rules
 #!/bin/sh

 alias ipfw=/sbin/ipfw

 ipfw -f flush

 # Make sure you have ipfw_nat_load=yes in loader.conf 

 # Map port 2201 on first public IP to first jail's port 22
 ipfw nat 1 config ip <public ip> unreg_only same_ports redirect_port tcp 192.168.0.1:22 2201

 # Allow local loopback traffic
 ipfw add 100 allow ip from any to any via lo0

 # Allow local jail <-> jail traffic
 ipfw add 101 allow ip from 192.168.0.0/27 to me via lo1
 ipfw add 102 allow ip from 192.168.0.0/27 to 192.168.0.0/27 via lo1

 # NAT rule for jail1 port 22
 ipfw add 103 nat 1 ip from any to any via re0

 ### Taken from handbook

 # Deny all inbound traffic from non-routable reserved address spaces 
 ipfw add 200 deny all from 192.168.0.0/16 to any in via re0 #RFC 1918 private IP 
 ipfw add 201 deny all from 172.16.0.0/12 to any in via re0 #RFC 1918 private IP 
 ipfw add 202 deny all from 10.0.0.0/8 to any in via re0 #RFC 1918 private IP 
 ipfw add 203 deny all from 127.0.0.0/8 to any in via re0 #loopback 
 ipfw add 204 deny all from 0.0.0.0/8 to any in via re0 #loopback
 ipfw add 205 deny all from 169.254.0.0/16 to any in via re0 #DHCP auto-config 
 ipfw add 206 deny all from 192.0.2.0/24 to any in via re0 #reserved for docs 
 ipfw add 207 deny all from 204.152.64.0/23 to any in via re0 #Sun cluster interconnect 
 ipfw add 208 deny all from 224.0.0.0/3 to any in via re0 #Class D & E multicast 

 # Stateful
 ipfw add 300 check-state

 # Permit out traffic
 ipfw add 400 allow tcp from any to any out setup keep-state
 ipfw add 401 allow ip from any to any out keep-state

 # Fail2Ban IPFW-SSH
 ipfw add 500 deny tcp from 'table(1)' to me dst-port 22 in

 # Allow incoming ports and ICMP echo-request
 ipfw add 600 allow tcp from any to any dst-port 80,443,22 in setup keep-state
 ipfw add 601 allow icmp from any to any icmptypes 8 in keep-state

 # Allow jail ports
 ipfw add 700 allow tcp from any to any dst-port 2201 in setup keep-state
	#!/bin/sh

	alias ipfw=/sbin/ipfw

	ipfw -f flush

	# Make sure you have ipfw_nat_load=yes in loader.conf

	# Map port 2201 on first public IP to first jail's port 22
	ipfw nat 1 config ip <public ip> unreg_only same_ports redirect_port tcp 192.168.0.1:22 2201

	# Allow local loopback traffic
	ipfw add 100 allow ip from any to any via lo0

	# Allow local jail <-> jail traffic
	ipfw add 101 allow ip from 192.168.0.0/27 to me via lo1
	ipfw add 102 allow ip from 192.168.0.0/27 to 192.168.0.0/27 via lo1

	# NAT rule for jail1 port 22
	ipfw add 103 nat 1 ip from any to any via re0

	### Taken from handbook

	# Deny all inbound traffic from non-routable reserved address spaces
	ipfw add 200 deny all from 192.168.0.0/16 to any in via re0 #RFC 1918 private IP
	ipfw add 201 deny all from 172.16.0.0/12 to any in via re0 #RFC 1918 private IP
	ipfw add 202 deny all from 10.0.0.0/8 to any in via re0 #RFC 1918 private IP
	ipfw add 203 deny all from 127.0.0.0/8 to any in via re0 #loopback
	ipfw add 204 deny all from 0.0.0.0/8 to any in via re0 #loopback
	ipfw add 205 deny all from 169.254.0.0/16 to any in via re0 #DHCP auto-config
	ipfw add 206 deny all from 192.0.2.0/24 to any in via re0 #reserved for docs
	ipfw add 207 deny all from 204.152.64.0/23 to any in via re0 #Sun cluster interconnect
	ipfw add 208 deny all from 224.0.0.0/3 to any in via re0 #Class D & E multicast

	# Stateful
	ipfw add 300 check-state

	# Permit out traffic
	ipfw add 400 allow tcp from any to any out setup keep-state
	ipfw add 401 allow ip from any to any out keep-state

	# Fail2Ban IPFW-SSH
	ipfw add 500 deny tcp from 'table(1)' to me dst-port 22 in

	# Allow incoming ports and ICMP echo-request
	ipfw add 600 allow tcp from any to any dst-port 80,443,22 in setup keep-state
	ipfw add 601 allow icmp from any to any icmptypes 8 in keep-state

	# Allow jail ports
	ipfw add 700 allow tcp from any to any dst-port 2201 in setup keep-state