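#!/bin/sh
# ipfw ruleset for a two-interface NAT gateway: outside interface ${oif},
# inside interface ${iif}, natd doing the translation.
#
# Rules are evaluated in the order they are added, so the order of the lines
# below *is* the policy. Sections, top to bottom:
#   1. anti-spoofing on both interfaces
#   2. drop packets destined for private/bogon ranges on the outside
#   3. services hosted on the gateway itself (kept ahead of the natd divert)
#   4. natd divert for everything else crossing the outside interface
#   5. drop packets sourced from private/bogon ranges on the outside
#   6. inside network, outbound, logged catch-all deny, established TCP
#
# Individual `ipfw add` failures are reported on stderr but do not stop the
# script; after editing, run it once by hand and check `ipfw list`.

# Every rule goes through this helper so the command is not held in an
# unquoted, word-split variable.
fwcmd() {
  ipfw add "$@"
}

# Set these to your outside interface network and netmask and ip.
oif="em0"
onet="xx.xx.xx.0"
omask="255.255.255.192"
oip="xx.xx.xx.31"

# Set these to your inside interface network and netmask and ip.
iif="re0"
inet="172.17.3.0"
imask="255.255.255.0"
iip="172.17.3.1"

# Flush all rules (-q: no confirmation prompt, no per-rule output).
ipfw -q flush

# Stop spoofing: inside addresses must not arrive on the outside interface
# and outside addresses must not arrive on the inside interface.
fwcmd deny all from "${inet}:${imask}" to any in via "${oif}"
fwcmd deny all from "${onet}:${omask}" to any in via "${iif}"

# Stop RFC1918 nets as destinations on the outside interface.
fwcmd deny all from any to 10.0.0.0/8 via "${oif}"
fwcmd deny all from any to 172.16.0.0/12 via "${oif}"
fwcmd deny all from any to 192.168.0.0/16 via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# as destinations on the outside interface.
fwcmd deny all from any to 0.0.0.0/8 via "${oif}"
fwcmd deny all from any to 169.254.0.0/16 via "${oif}"
fwcmd deny all from any to 192.0.2.0/24 via "${oif}"
fwcmd deny all from any to 224.0.0.0/4 via "${oif}"
fwcmd deny all from any to 240.0.0.0/4 via "${oif}"

# Special early rules for protocols handled on the gateway machine itself.
# They are placed *before* the natd divert so that traffic to and from the
# gateway's own address is passed without the natd round trip, which is slow.
# This relies on the services really being local: a natd port redirect for one
# of these ports to an inside host would never be reached.
# Each inbound rule is paired with the matching outbound rule so replies are
# passed here as well.
fwcmd allow tcp from any to "${oip}" 22 in via "${oif}"      # ssh
fwcmd allow tcp from "${oip}" 22 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 25 in via "${oif}"      # smtp
fwcmd allow tcp from "${oip}" 25 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 53 in via "${oif}"      # tcpdns
fwcmd allow tcp from "${oip}" 53 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 80 in via "${oif}"      # http
fwcmd allow tcp from "${oip}" 80 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 443 in via "${oif}"     # https
fwcmd allow tcp from "${oip}" 443 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 993 in via "${oif}"     # imaps
fwcmd allow tcp from "${oip}" 993 to any out via "${oif}"
fwcmd allow tcp from any to "${oip}" 25565 in via "${oif}"   # minecraft
fwcmd allow tcp from "${oip}" 25565 to any out via "${oif}"

# Setup the NAT. Everything crossing the outside interface that was not
# already passed above goes through natd; translated packets re-enter the
# ruleset at the next rule.
fwcmd divert natd all from any to any via "${oif}"

# Stop RFC1918 nets as sources on the outside interface.
fwcmd deny all from 10.0.0.0/8 to any via "${oif}"
fwcmd deny all from 172.16.0.0/12 to any via "${oif}"
fwcmd deny all from 192.168.0.0/16 to any via "${oif}"

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# as sources on the outside interface.
fwcmd deny all from 0.0.0.0/8 to any via "${oif}"
fwcmd deny all from 169.254.0.0/16 to any via "${oif}"
fwcmd deny all from 192.0.2.0/24 to any via "${oif}"
fwcmd deny all from 224.0.0.0/4 to any via "${oif}"
fwcmd deny all from 240.0.0.0/4 to any via "${oif}"

# Allow anything on the internal net.
fwcmd allow all from any to any via "${iif}"

# Allow anything outbound from this net.
fwcmd allow all from "${onet}:${omask}" to any out via "${oif}"

# Deny (and log) anything outbound from other nets.
fwcmd deny log all from any to any out via "${oif}"

# Allow TCP through if setup succeeded, i.e. continuation segments of
# connections an earlier rule accepted.
fwcmd allow tcp from any to any established

# NOTE(review): no explicit final rule follows, so packets matched by nothing
# above (for example inbound UDP or ICMP replies coming back through natd)
# fall through to the kernel's default rule 65535, whose action depends on how
# the kernel was built. Confirm the intended default with `ipfw list`.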