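#!/bin/sh
# ipfw ruleset for a small FreeBSD router: DSL uplink on ng0 (PPPoE), the
# DSL modem's own LAN on fxp0, and two fully trusted internal LANs
# (sis0 wired, rl0 wireless). Runs as root; needs ipfw with dummynet and natd.
#
# Rules are added without explicit numbers, so ipfw numbers them in file
# order and the first match wins. Nothing here flushes the existing ruleset,
# so re-running the script appends a second copy of every rule.

# --- Variables ---
fwcmd="/sbin/ipfw"
dsl_extern="ng0"     # external (Internet) interface
dsl_intern="fxp0"    # NIC towards the DSL modem's LAN (172.16.0.0/16)
lan_fest="sis0"      # wired LAN, trusted
lan_funk="rl0"       # wireless LAN, trusted

# --- Pipes and queues (dummynet traffic shaping) ---
# pipe 1 = download bandwidth, pipe 2 = upload bandwidth; each pipe gets an
# "important" and a "bulk" queue, weighted 2:1.
${fwcmd} pipe 1 config bw 142Kbytes/s
${fwcmd} pipe 2 config bw 47Kbytes/s
${fwcmd} queue 1 config pipe 1 weight 100 # download, important
${fwcmd} queue 2 config pipe 1 weight 50  # download, bulk
${fwcmd} queue 3 config pipe 2 weight 100 # upload, important
${fwcmd} queue 4 config pipe 2 weight 50  # upload, bulk

# --- Anti-spoofing on the Internet interface (ng0) ---
# Never send to, and never accept from, private (RFC 1918), link-local,
# loopback, "this network", TEST-NET, and multicast/reserved ranges.
${fwcmd} add deny all from any to 192.168.0.0/16 out via ${dsl_extern}
${fwcmd} add deny all from any to 172.16.0.0/12 out via ${dsl_extern}
${fwcmd} add deny all from any to 10.0.0.0/8 out via ${dsl_extern}
${fwcmd} add deny all from any to 0.0.0.0/8 out via ${dsl_extern}
${fwcmd} add deny all from any to 127.0.0.0/8 out via ${dsl_extern}
${fwcmd} add deny all from any to 169.254.0.0/16 out via ${dsl_extern}
${fwcmd} add deny all from any to 192.0.2.0/24 out via ${dsl_extern}
${fwcmd} add deny all from any to 204.152.64.0/23 out via ${dsl_extern}
${fwcmd} add deny all from any to 224.0.0.0/3 out via ${dsl_extern}
${fwcmd} add deny all from 192.168.0.0/16 to any in via ${dsl_extern}
${fwcmd} add deny all from 172.16.0.0/12 to any in via ${dsl_extern}
${fwcmd} add deny all from 10.0.0.0/8 to any in via ${dsl_extern}
${fwcmd} add deny all from 127.0.0.0/8 to any in via ${dsl_extern}
${fwcmd} add deny all from 0.0.0.0/8 to any in via ${dsl_extern}
${fwcmd} add deny all from 169.254.0.0/16 to any in via ${dsl_extern}
${fwcmd} add deny all from 192.0.2.0/24 to any in via ${dsl_extern}
${fwcmd} add deny all from 204.152.64.0/23 to any in via ${dsl_extern}
${fwcmd} add deny all from 224.0.0.0/3 to any in via ${dsl_extern}

# --- NAT ---
# Divert every packet on ng0 through natd. Inbound packets are translated
# here, which is why the server rules further down match on internal
# 10.0.0.x addresses even though they are "in via ng0".
# NOTE(review): natd must carry matching redirect_port entries for those
# servers; that configuration is not part of this file.
${fwcmd} add divert natd all from any to any via ${dsl_extern}

# --- Internal traffic ---
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8   # loopback addresses must not appear on real interfaces
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add allow all from any to any via ${lan_fest}   # wired LAN is unrestricted
${fwcmd} add allow all from any to any via ${lan_funk}   # wireless LAN is unrestricted

# --- NIC towards the DSL modem's LAN ---
# Allow the router to talk to the modem LAN (DHCP etc.) and let the DSL
# gateway 172.16.0.1 talk back. This is the first keep-state rule, so ipfw
# performs its implicit check-state here: packets belonging to any existing
# dynamic session (including replies to the outbound rules below) are
# accepted at this point and never reach the later rules.
${fwcmd} add allow all from any to 172.16.0.0/16 out via ${dsl_intern} keep-state # access to the DSL LAN (DHCP etc.)
${fwcmd} add allow all from 172.16.0.1/32 to any in via ${dsl_intern} keep-state # access from the Internet gateway (DHCP etc.)

# --- Site-specific rules start here; the rules above are always required for basic protection ---
${fwcmd} add allow icmp from any to any icmptypes 8 in via ${dsl_extern} # answer pings

# Server uploads go to the bulk upload queue.
${fwcmd} add queue 4 all from 10.0.0.4 to any out via ${dsl_extern} keep-state # upload by server
${fwcmd} add queue 4 all from 10.0.0.5 to any out via ${dsl_extern} keep-state # upload by server
${fwcmd} add queue 4 all from 10.0.0.6 to any out via ${dsl_extern} keep-state # upload by server

# Published services (post-NAT internal addresses), bulk download queue.
# "setup" restricts the match to TCP connection attempts (SYN without ACK).
${fwcmd} add queue 2 tcp from any to 10.0.0.6/32 22 in via ${dsl_extern} setup keep-state # SSH access to the games jail
${fwcmd} add queue 2 tcp from any to 10.0.0.4/32 443 in via ${dsl_extern} setup keep-state # HTTP server, SSL
${fwcmd} add queue 2 tcp from any to 10.0.0.5/32 465 in via ${dsl_extern} setup keep-state # SMTP server, SSL
${fwcmd} add queue 2 tcp from any to 10.0.0.3/32 563 in via ${dsl_extern} setup keep-state # NNTP server, SSL
${fwcmd} add queue 2 tcp from any to 10.0.0.5/32 993 in via ${dsl_extern} setup keep-state # IMAP server, SSL
${fwcmd} add queue 2 tcp from any to 10.0.0.4/32 2121 in via ${dsl_extern} setup keep-state # FTP server, SSL - command channel
${fwcmd} add queue 2 tcp from any to 10.0.0.4/32 40000-40020 in via ${dsl_extern} setup keep-state # FTP server, SSL - PASV data ports
${fwcmd} add queue 2 tcp from any to 10.0.0.6/32 4661 in via ${dsl_extern} setup keep-state # eMule ports
${fwcmd} add queue 2 tcp from any to 10.0.0.6/32 4662 in via ${dsl_extern} setup keep-state # eMule ports
${fwcmd} add queue 2 udp from any to 10.0.0.6/32 4665 in via ${dsl_extern} keep-state # eMule ports

# Everything else leaving via ng0 is client upload; keep-state lets the
# replies back in through the implicit check-state above.
${fwcmd} add queue 3 all from any to any out via ${dsl_extern} keep-state # upload by clients

# The original "download by clients" rule is deliberately disabled:
#   ${fwcmd} add queue 1 all from any to any in ${dsl_extern} keep-state
# As written it lacks the "via" keyword, so ipfw rejects it and it was never
# installed. Do not simply insert "via": with the default
# net.inet.ip.fw.one_pass=1 a dummynet queue action terminates the search and
# passes the packet, so that rule would accept every unsolicited inbound
# packet on ng0 and the final deny below would never be reached. Client
# downloads are already admitted by the dynamic state of the upload rule
# above (NOTE(review): that state carries queue 3, so downloads are shaped by
# the upload pipe; shaping them with queue 1 instead needs one_pass=0 or a
# non-keep-state queue rule placed before the first keep-state rule).

# --- Temporary test rules start here ---
# --- End of site-specific rules ---
${fwcmd} add deny all from any to any # block everything not explicitly allowed above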