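#!/usr/nekoware/bin/bash
# IRIX 6.5 host firewall bootstrap with IPFilter (ef0 = public interface).
# Based on https://wiki.preterhuman.net/Firewall-NAT_with_IPFilter
#
# Must run as root. Installs the ipfilter tardist, writes /etc/ipf.conf and
# (re)loads the rule set. Run this from the console rather than over SSH:
# a mistake in the rule set can lock out the session you are running it from.
set -eu

tardist=6.5.16_ipfilter_3.4.27.tardist
tardist_url="ftp://ftp.nekochan.net/pub/irix/General/${tardist}"

# Disable the daemons that would otherwise compete with ipfilter for routing
# and packet filtering on this host.
chkconfig routed off
chkconfig gated off
chkconfig ipfilterd off

# SECURITY: the package is fetched over plain FTP and installed as root with
# no integrity check; nothing here proves the archive is the one the mirror
# intended to serve. If you have a known-good checksum for this tardist,
# compare it against the downloaded file before the `inst` line runs.
# The original script ignored download failures and went on to configure a
# package that might not be installed; fail early instead.
wget -c "$tardist_url" || { echo "download of ${tardist} failed" >&2; exit 1; }
[ -s "$tardist" ] || { echo "${tardist} is missing or empty" >&2; exit 1; }
inst -f "$tardist"
chkconfig ipfilter on

# Rule set. ipfilter evaluates rules top to bottom and `quick` stops at the
# first match, so ordering is security-relevant:
#   1. loopback is passed unconditionally,
#   2. malformed / source-routed packets are dropped BEFORE any pass rule can
#      match them (in the original script these blocks came after the
#      `pass in quick ... port = 22/80/443` rules, so a short fragment or an
#      lsrr/ssrr packet aimed at an open port was passed, never blocked),
#   3. inbound TCP services only create state on a SYN (`flags S`), matching
#      what the outbound rules already do, so a stray ACK/FIN cannot seed a
#      state-table entry,
#   4. everything not explicitly passed is blocked and logged.
cat <<'EOF' > /etc/ipf.conf
# Loopback: pass everything.
pass out quick on lo0
pass in quick on lo0

# Sanity blocks: drop short (fragmented-header) TCP and source-routed packets
# before any pass rule below can match them.
block in log quick on ef0 proto tcp all with short
block in log quick on ef0 all with opt lsrr
block in log quick on ef0 all with opt ssrr

# Block known "black hats".
block in quick on ef0 from 64.207.134.34 to any
block in quick on ef0 from 129.175.81.121 to any
block in quick on ef0 from 216.133.229.216 to any

# Outbound connections to the Internet (all keep state).
pass out quick on ef0 proto tcp from any to any flags R/R
pass out quick on ef0 proto tcp from any to any flags S keep state
pass out quick on ef0 proto udp from any to any keep state
pass out quick on ef0 proto icmp from any to any keep state
pass out quick on ef0 proto tcp from any to any port = 21 flags S keep state

# Services reachable from the Internet; state is created only by a SYN.
pass in quick on ef0 proto tcp from any to any port = 22 flags S keep state    # SSH
pass in quick on ef0 proto tcp from any to any port = 80 flags S keep state    # HTTP
pass in quick on ef0 proto tcp from any to any port = 443 flags S keep state   # HTTPS
pass in quick on ef0 proto tcp from any to any port = 3690 flags S keep state  # SVN and CVS

# MySQL is reachable from one trusted host only.
pass in quick on ef0 proto tcp from 194.15.95.14 to any port = 3306 flags S keep state

# ICMP: allow echo request/reply, destination unreachable and time exceeded;
# log and drop every other ICMP type.
pass in quick on ef0 proto icmp from any to any icmp-type 0     # echo reply
pass out quick on ef0 proto icmp from any to any icmp-type 0    # echo reply
pass in quick on ef0 proto icmp from any to any icmp-type 3     # destination unreachable
pass in quick on ef0 proto icmp from any to any icmp-type 8     # echo request
pass out quick on ef0 proto icmp from any to any icmp-type 8    # echo request
pass in quick on ef0 proto icmp from any to any icmp-type 11    # time exceeded
block in log quick on ef0 proto icmp from any to any

# Default deny: block and log everything else coming in on ef0.
block in log on ef0 all
EOF

# Disable TCP segmentation offload on the tg interface driver; the original
# script assumed the file exists, so keep that a soft failure.
tgopts=/etc/config/tgconfig.options
if [ -f "$tgopts" ]; then
  perl -pi -e's/l2tcpseg = ON/l2tcpseg = OFF/' "$tgopts"
else
  echo "warning: ${tgopts} not found, l2tcpseg left unchanged" >&2
fi

# Load the rule set. Consider dry-running it first (ipf's no-op mode, see
# ipf(8)) when editing the rules by hand.
/etc/init.d/ipf reload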