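#!/bin/sh
#
# My ipfwadm rules on a Cable Modem
#
# Frank Keeney frank@pasadena.net
#
# Use at your own risk!
#
# Similar to the script used to secure a compromised host mentioned in a
# NY Times article.
#
# Ordering matters: ipfwadm evaluates rules first-match, so the flush and
# default-deny policies are installed before anything else, and IP
# forwarding is only switched on once every rule is in place (enabling
# forwarding first leaves a short window in which traffic is forwarded
# unfiltered). ipfwadm failures abort the script (set -e) and leave the
# default-deny policies in force, i.e. the box fails closed; note that this
# also blocks lo/eth1 until the script is re-run successfully.

set -e

# My external ip address:
EXTIP="169.254.2.2/32"

# Interfaces: eth0 faces the cable modem, eth1 the internal network.
EXT_IF="eth0"
INT_IF="eth1"

# Internal network that is masqueraded out through the cable modem.
INTNET="172.30.30.0/24"

# Network from which telnet and ssh to this host are allowed.
ADMIN_NET="196.254.92.0/24"

# Flush every chain and set the default policy of each to deny, so anything
# not explicitly accepted below is dropped.
flush_and_deny() {
  ipfwadm -I -f
  ipfwadm -O -f
  ipfwadm -F -f
  ipfwadm -F -p deny
  ipfwadm -I -p deny
  ipfwadm -O -p deny
}

# Load the masquerading helper modules. These are best effort: a missing
# helper only degrades ftp/realaudio through the masquerade, so a failure is
# reported on stderr but does not abort the firewall setup.
load_masq_modules() {
  /sbin/depmod -a || echo "warning: depmod -a failed" >&2
  /sbin/modprobe ip_masq_ftp.o || echo "warning: ip_masq_ftp.o not loaded" >&2
  /sbin/modprobe ip_masq_raudio.o || echo "warning: ip_masq_raudio.o not loaded" >&2
}

# Allow masquerading from my internal network to anywhere.
forwarding_rules() {
  /sbin/ipfwadm -F -a m -S "$INTNET" -D 0.0.0.0/0
}

# -----------------------
# EXTERNAL INBOUND RULES:
# -----------------------
# Everything here is bound to the external interface; -o logs matches to the
# kernel log so the denies leave an audit trail.
external_inbound_rules() {
  # Deny packets with localhost, broadcast and multicast addresses.
  # 224.0.0.0/3 already covers 255.0.0.0/8; the separate rule is kept so the
  # logs distinguish broadcast from multicast sources.
  ipfwadm -I -a deny -W"$EXT_IF" -S 224.0.0.0/3 -D "$EXTIP" -o
  ipfwadm -I -a deny -W"$EXT_IF" -S 127.0.0.0/8 -D "$EXTIP" -o
  ipfwadm -I -a deny -W"$EXT_IF" -S 255.0.0.0/8 -D "$EXTIP" -o

  # Deny rfc 1918 addresses: private space must never arrive from outside.
  ipfwadm -I -a deny -W"$EXT_IF" -S 10.0.0.0/8 -D "$EXTIP" -o
  ipfwadm -I -a deny -W"$EXT_IF" -S 172.16.0.0/12 -D "$EXTIP" -o
  ipfwadm -I -a deny -W"$EXT_IF" -S 192.168.0.0/16 -D "$EXTIP" -o

  # Deny packets without ip address.
  ipfwadm -I -a deny -W"$EXT_IF" -S 0.0.0.0/32 -D "$EXTIP" -o

  # Prevent spoofing: deny incoming packets that carry our own external
  # address as source. Must precede every accept rule below.
  ipfwadm -I -a deny -W"$EXT_IF" -S "$EXTIP" -o

  # Allow only specific ICMP types: 3 (destination unreachable, needed for
  # path-MTU discovery), 4 (source quench) and 11 (time exceeded).
  #
  # http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
  # http://www.worldgate.com/~marcs/mtu/
  ipfwadm -I -a accept -W"$EXT_IF" -S any/0 3 4 11 -P icmp

  # Allow only ACKed tcp packets (-k) to unprivileged ports, i.e. replies to
  # connections we opened; new inbound connections (SYN only) do not match.
  ipfwadm -I -a accept -W"$EXT_IF" -S any/0 -D "$EXTIP" 1024:65535 -P tcp -k

  # For ftp clients: active-mode data connections arrive from source port 20.
  # No -k here, so any remote host using source port 20 can reach our
  # unprivileged ports; this is the well-known cost of active ftp.
  ipfwadm -I -a accept -W"$EXT_IF" -S any/0 20 -D "$EXTIP" 1024:65535 -P tcp

  # Allow telnet and ssh from the admin network only. telnet is cleartext;
  # prefer ssh (22) and drop 23 when possible.
  ipfwadm -I -a accept -W"$EXT_IF" -S "$ADMIN_NET" -D "$EXTIP" 22 23 -P tcp

  # Allow inbound DNS queries to our server from anywhere. Narrow the source
  # if the server is not meant to answer the whole Internet.
  ipfwadm -I -a accept -W"$EXT_IF" -S any/0 -D "$EXTIP" 53 -P udp

  # Allow replies to our outbound DNS queries (remote source port 53 to our
  # unprivileged ports). ipfwadm is stateless, so this also admits any UDP
  # sent from source port 53 to those ports.
  ipfwadm -I -a accept -W"$EXT_IF" -S any/0 53 -D "$EXTIP" 1024:65535 -P udp

  # Important!! Deny and log anything else on the external interface.
  ipfwadm -I -a deny -W"$EXT_IF" -S any/0 -D any/0 -o
}

# ------------------------
# EXTERNAL OUTBOUND RULES:
# ------------------------
external_outbound_rules() {
  # Prevent leakage of rfc 1918 addresses in either direction.
  ipfwadm -O -a deny -W"$EXT_IF" -S 10.0.0.0/8 -o
  ipfwadm -O -a deny -W"$EXT_IF" -S 172.16.0.0/12 -o
  ipfwadm -O -a deny -W"$EXT_IF" -S 192.168.0.0/16 -o
  ipfwadm -O -a deny -W"$EXT_IF" -D 10.0.0.0/255.0.0.0 -o
  ipfwadm -O -a deny -W"$EXT_IF" -D 172.16.0.0/255.240.0.0 -o
  ipfwadm -O -a deny -W"$EXT_IF" -D 192.168.0.0/255.255.0.0 -o

  # Allow everything else out.
  ipfwadm -O -a accept -W"$EXT_IF" -S any/0

  # Deny and log anything else. Unreachable while the accept above matches
  # everything; kept so narrowing that accept does not silently open a hole.
  ipfwadm -O -a deny -W"$EXT_IF" -S any/0 -o
}

# -----
# Misc:
# -----
local_rules() {
  # Allow localhost. The eth0-bound denies above never match lo, so without
  # these the default-deny policy would cut off loopback traffic.
  ipfwadm -I -a accept -Wlo -S any/0 -D any/0
  ipfwadm -O -a accept -Wlo -S any/0 -D any/0

  # Allow everything on the internal network.
  ipfwadm -I -a accept -W"$INT_IF" -S any/0 -D any/0
  ipfwadm -O -a accept -W"$INT_IF" -S any/0 -D any/0
}

main() {
  flush_and_deny
  load_masq_modules
  forwarding_rules
  external_inbound_rules
  external_outbound_rules
  local_rules

  # Only now that every rule is in place, turn on IP forwarding.
  echo "1" > /proc/sys/net/ipv4/ip_forward
}

main "$@"

# End of script.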
Reference:
Information from CERT: http://www.cert.org/ftp/tech_tips/packet_filtering
12.30.1998 12:10:35 AM