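#!/bin/sh
#################################################
# ipfw Firewall Commands
#
# Rebuilds the ipfw ruleset from scratch: flushes the current
# rules, (re)populates lookup tables 1-3, then adds every rule
# in the order written below.
#
# Rules that name hosts (*.siempie.local, smtp.transip.email) are
# resolved to addresses by ipfw at the moment the rule is added,
# so DNS must be reachable when this script runs.  There is no
# `set -e`: a rule ipfw rejects (e.g. an unresolvable name) is
# simply missing from the loaded set and the script carries on.
#
# Rules given without a number are numbered by ipfw in the order
# they are added; explicitly numbered rules are placed by number.
#################################################
/sbin/ipfw -q -f flush

# Both variables hold a command plus its options and are expanded
# unquoted on purpose so the shell splits them into words.
cmd="/sbin/ipfw -q add"
cmd_table="/sbin/ipfw -q table"

#################################################
# Create tables
#################################################
# Flush the script-managed tables first so a re-run does not keep
# entries that have since been removed from this file (a stale
# entry in table 1 would keep a network trusted as "siempie_net").
# On a first run the tables do not exist yet; the flush then just
# fails harmlessly.  Table 22 is owned by sshguard and is left alone.
$cmd_table 1 flush
$cmd_table 2 flush
$cmd_table 3 flush

# siempie_net
$cmd_table 1 add 10.0.0.0/28
$cmd_table 1 add 10.110.0.0/20
$cmd_table 1 add 172.16.0.0/28
$cmd_table 1 add 192.168.10.0/24
$cmd_table 1 add 192.168.20.0/24

# router ips
$cmd_table 2 add 10.0.0.1
$cmd_table 2 add 172.16.0.1
$cmd_table 2 add 192.168.10.254
$cmd_table 2 add 192.168.15.254
$cmd_table 2 add 192.168.20.254
$cmd_table 2 add 192.168.25.254

# reverse proxies (host names, resolved when the entry is added)
$cmd_table 3 add rp01.siempie.local
$cmd_table 3 add rp02.siempie.local

#################################################
# Table 22 for ssh abuse (check sshguard)
#################################################
# Lowest-numbered rule of the set, so addresses blocked by
# sshguard are dropped before anything else is evaluated.
$cmd 00901 drop log ip from 'table(22)' to any

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd pass all from any to any via lo0
$cmd drop all from any to 127.0.0.0/8
$cmd drop all from 127.0.0.0/8 to any
$cmd drop tcp from any to any frag

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd pass tcp from any to any established
# Everything this host originates is allowed and tracked; the
# per-service rules further down only constrain inbound traffic.
$cmd pass all from any to any out keep-state

#################################################
# Allow ICMP
#################################################
# echo request only (replies for our own pings come in via the
# stateful rules above)
$cmd pass icmp from any to any icmptypes 8

#################################################
# Allow NTP
#################################################
$cmd pass udp from any to any ntp

#################################################
# Allow DHCP
#################################################
$cmd pass udp from any 68 to 255.255.255.255 67
$cmd pass udp from any 67 to any 68
$cmd pass udp from any 67 to 255.255.255.255 68

#################################################
# Allow LLDP
#################################################
# NOTE(review): LLDP itself is not carried over UDP; 5678/udp is
# the port used by MikroTik neighbour discovery — confirm intent.
$cmd pass udp from any to 255.255.255.255 5678

#################################################
# Allow any connection out, keeping state
#################################################
$cmd pass tcp from any to any via lagg0 setup keep-state
# NOTE(review): `setup` is a TCP-flag match (SYN without ACK);
# on a udp rule it is unlikely to ever match — confirm.
$cmd pass udp from any to any via lagg0 setup keep-state
$cmd pass icmp from any to any keep-state

#################################################
# Deny Port scanning (Nmap)
#################################################
# Explicitly numbered 600-650 so ipfw sorts them ahead of the
# auto-numbered rules added above.
$cmd 00600 drop log logamount 50 ip from any to any ipoptions rr
$cmd 00610 drop log logamount 50 ip from any to any ipoptions ts
$cmd 00620 drop log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 drop log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 drop log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 drop log logamount 50 tcp from any to any tcpflags syn,rst

#################################################
# Global
#################################################
# SSH
$cmd 59000 pass tcp from any to bastion.siempie.local ssh keep-state # world -> bastion | ssh
$cmd 59001 pass tcp from bastion.siempie.local to any ssh keep-state # bastion -> world | ssh
$cmd 59002 pass tcp from 'table(1)' to nas.siempie.local ssh keep-state # siempie-lans -> nas | ssh
$cmd 59003 pass tcp from nas.siempie.local to 'table(1)' ssh keep-state # nas -> siempie-lans | ssh

# DNS
$cmd 59005 pass udp from any to 'table(2)' 53 keep-state # allow dns to router

# Web
# Outbound web to non-LAN destinations only; no keep-state here,
# the return traffic is covered by the `established` rule above.
$cmd 59010 pass tcp from any to not 'table(1)' 80 # allow outbound 80
$cmd 59011 pass tcp from any to not 'table(1)' 443 # allow outbound 443

#################################################
# Services
#################################################
# Wireguard
$cmd 61000 pass udp from wireguard.siempie.local to any 51820 keep-state # wireguard -> world | wireguard
$cmd 61001 pass udp from any to wireguard.siempie.local 51820 keep-state # world -> wireguard | wireguard

# Ansible
$cmd 61005 pass tcp from ansible.siempie.local to any ssh keep-state # ansible -> world | sshd

# Arr
# NOTE(review): 7878 and 8989 are the default Radarr and Sonarr
# ports respectively, the reverse of the comments below — confirm
# against the installed services.
$cmd 61010 pass tcp from arr.siempie.local to nas.siempie.local 2049 keep-state # arr -> nas | nfs
$cmd 61011 pass tcp from 'table(3)' to arr.siempie.local 8686 keep-state # rp -> lidarr | http
$cmd 61012 pass tcp from 'table(3)' to arr.siempie.local 7878 keep-state # rp -> sonarr | http
$cmd 61013 pass tcp from 'table(3)' to arr.siempie.local 8989 keep-state # rp -> radarr | http

# Blackbeard
$cmd 61014 pass tcp from blackbeard.siempie.local to nas.siempie.local 2049 keep-state # blackbeard -> nas | nfs
$cmd 61015 pass tcp from 'table(3)' to blackbeard.siempie.local 8686 keep-state # rp -> lidarr | http
$cmd 61016 pass tcp from 'table(3)' to blackbeard.siempie.local 7878 keep-state # rp -> sonarr | http
$cmd 61017 pass tcp from 'table(3)' to blackbeard.siempie.local 8989 keep-state # rp -> radarr | http
$cmd 61018 pass tcp from blackbeard.siempie.local to arr.siempie.local 22 keep-state # blackbeard -> arr | ssh

# Emby
$cmd 61020 pass tcp from emby.siempie.local to nas.siempie.local 2049 keep-state # emby -> nas | nfs
$cmd 61021 pass tcp from 'table(3)' to emby.siempie.local 8096 keep-state # rp -> emby | http
$cmd 61022 pass tcp from arr.siempie.local to emby.siempie.local 8096 keep-state # arr -> emby | http
$cmd 61023 pass tcp from blackbeard.siempie.local to emby.siempie.local 8096 keep-state # blackbeard -> emby | http
$cmd 61024 pass tcp from 192.168.20.0/24 to emby.siempie.local 8096 keep-state # client-network -> emby | http

# Gitea
$cmd 61030 pass tcp from 'table(3)' to gitea.siempie.local 3000 keep-state # rp -> gitea-siempie | http
$cmd 61031 pass tcp from 'table(3)' to gitea.siempie.local 3001 keep-state # rp -> gitea-hackerboys | http
$cmd 61032 pass tcp from 'table(3)' to gitea.siempie.local 3002 keep-state # rp -> gitea-simoncornet | http

# Grafana
$cmd 61040 pass tcp from 'table(3)' to grafana.siempie.local 3000 keep-state # rp -> grafana | http
$cmd 61042 pass udp from 'table(1)' to grafana.siempie.local 25826 keep-state # influxdb/collectd

# Hackerboys
$cmd 61050 pass tcp from hackerboys.siempie.local to nas.siempie.local 2049 keep-state # hackerboys -> nas | nfs
$cmd 61051 pass tcp from 'table(3)' to hackerboys.siempie.local 3000 keep-state # rp -> rocketchat | http

# Jitsi
$cmd 61055 pass tcp from 'table(3)' to jitsi.siempie.local 443 keep-state # rp -> jitsi | https
$cmd 61056 pass udp from any to jitsi.siempie.local 10000-20000 keep-state # voice

# Mattermost
$cmd 61060 pass tcp from mattermost.siempie.local to nas.siempie.local 2049 keep-state # mattermost -> nas | nfs
$cmd 61061 pass tcp from 'table(3)' to mattermost.siempie.local 8065 keep-state # rp -> mattermost | http

# Nextcloud
$cmd 61070 pass tcp from nextcloud.siempie.local to nas.siempie.local 2049 keep-state # nextcloud -> nas | nfs
$cmd 61071 pass tcp from 'table(3)' to nextcloud.siempie.local 443 keep-state # rp -> nextcloud | https
$cmd 61072 pass tcp from nextcloud.siempie.local to smtp.transip.email 465 keep-state # nextcloud -> transip | smtp

# phpIPAM
$cmd 61075 pass tcp from 'table(3)' to phpipam.siempie.local 80 keep-state # rp -> phpipam | http

# Rainloop
$cmd 61090 pass tcp from rainloop.siempie.local to any 993 keep-state # imap
$cmd 61091 pass tcp from rainloop.siempie.local to any 465 keep-state # smtp
$cmd 61092 pass tcp from 'table(3)' to rainloop.siempie.local 80 keep-state # rp -> rainloop | http

# Reverse Proxies
$cmd 61100 pass tcp from 'table(3)' to nas.siempie.local 2049 keep-state # nfs
$cmd 61101 pass tcp from 'table(3)' to 'table(2)' 80 keep-state # rp -> router | http
$cmd 61102 pass { tcp or udp } from 'table(3)' to any 53 keep-state # dns
$cmd 61103 pass tcp from lb.siempie.local to 'table(3)' 80 keep-state # lb -> rp | http
$cmd 61104 pass tcp from lb.siempie.local to 'table(3)' 443 keep-state # lb -> rp | https

# Rundeck
$cmd 61115 pass tcp from rundeck.siempie.local to nas.siempie.local 2049 keep-state # nfs
$cmd 61116 pass tcp from rundeck.siempie.local to any ssh keep-state # ssh
$cmd 61117 pass tcp from 'table(3)' to rundeck.siempie.local 4440 keep-state # rp -> rundeck | http

# Smokeping
$cmd 61120 pass tcp from 'table(3)' to smokeping.siempie.local 80 keep-state # rp -> smokeping | http

# Stack
$cmd 61135 pass tcp from stack.siempie.local to nas.siempie.local 2049 keep-state # stack -> nas | nfs

# Vault
$cmd 61140 pass tcp from vault.siempie.local to nas.siempie.local 2049 keep-state # vault -> nas | nfs
$cmd 61141 pass tcp from 'table(3)' to vault.siempie.local 443 keep-state # rp -> bitwarden | https

# Unifi
$cmd 61150 pass tcp from 'table(3)' to unifi.siempie.local 8443 keep-state # rp -> unifi | http
$cmd 61151 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 3478 keep-state # ap-livingroom
$cmd 61152 pass tcp from ap-livingroom.siempie.local to unifi.siempie.local 8080 keep-state # ap-livingroom
$cmd 61153 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 10001 keep-state # ap-livingroom
$cmd 61154 pass udp from ap-attic.siempie.local to unifi.siempie.local 3478 keep-state # ap-attic
$cmd 61155 pass tcp from ap-attic.siempie.local to unifi.siempie.local 8080 keep-state # ap-attic
$cmd 61156 pass udp from ap-attic.siempie.local to unifi.siempie.local 10001 keep-state # ap-attic

# Loadbalancer
$cmd 61160 pass tcp from any to lb.siempie.local 80 keep-state # world -> lb | http
$cmd 61161 pass tcp from any to lb.siempie.local 443 keep-state # world -> lb | https
$cmd 61162 pass tcp from grafana.siempie.local to lb.siempie.local 81 keep-state # stats

# SABnzbd
$cmd 61170 pass tcp from 'table(3)' to sabnzbd.siempie.local 8080 keep-state # rp -> sabnzbd | http
$cmd 61172 pass tcp from arr.siempie.local to sabnzbd.siempie.local 8080 keep-state # arr -> sabnzbd | http
$cmd 61173 pass tcp from blackbeard.siempie.local to sabnzbd.siempie.local 8080 keep-state # blackbeard -> sabnzbd | http

# Do-Chat
$cmd 61175 pass tcp from do-chat.siempie.local to nas.siempie.local 2049 keep-state # do-chat -> nas | nfs
$cmd 61176 pass tcp from 'table(3)' to do-chat.siempie.local 3000 keep-state # rocketchat | http

# AdGuard-Home
$cmd 61179 pass tcp from 'table(3)' to adguard.siempie.local 443 keep-state # rp -> adguard | https
$cmd 61180 pass { tcp or udp } from adguard.siempie.local to any 53 keep-state # adguard -> world | dns
$cmd 61181 pass tcp from adguard.siempie.local to any 853 keep-state # adguard -> world | dot
# $cmd 61182 pass udp from nas.siempie.local to adguard.siempie.local 53 keep-state # router -> adguard | dns
$cmd 61183 pass tcp from 'table(2)' to adguard.siempie.local 443 keep-state # router -> adguard | doh
# The two rules below open DNS to single external addresses.
$cmd 61184 pass udp from 159.180.12.237 to adguard.siempie.local 53 keep-state # florian -> adguard | dns
$cmd 61185 pass udp from 83.128.133.1 to adguard.siempie.local 53 keep-state # fresia -> adguard | dns

# Do-Splunk
$cmd 61190 pass udp from any to splunk.do.local 514 keep-state # allow syslog
$cmd 61191 pass tcp from 'table(3)' to splunk.do.local 8000 keep-state # rp -> splunk | http

# VMware
$cmd 61195 pass tcp from esx01.siempie.local to nas.siempie.local 2049 keep-state # esx01 -> nas | nfs
$cmd 61196 pass tcp from esx02.siempie.local to nas.siempie.local 2049 keep-state # esx02 -> nas | nfs
$cmd 61197 pass tcp from esx03.siempie.local to nas.siempie.local 2049 keep-state # esx03 -> nas | nfs

#################################################
# Drop rules
#################################################
# Drop specific traffic
$cmd 61200 drop ip from any to any 137 # block netbios
# Address written out in full; the original three-part shorthand
# 224.0.22 is read by inet_aton as the same 224.0.0.22.
# NOTE(review): the trailing `any` after the address is not used by
# the other ip-proto drops here — confirm ipfw accepts it as written.
$cmd 61201 drop ip from any to 224.0.0.22 any # block IGMPv3
$cmd 61202 drop ip from any to 224.0.0.251 5353 # block mDNS
$cmd 61203 drop ip from any to 224.0.0.252 5355 # block LLMNR
$cmd 61204 drop ip from any to 239.254.127.63 48000 # block unifi stats
$cmd 61205 drop ip from any to 239.255.255.250 1900 # block SSDP
$cmd 61206 drop ip from any to 255.255.255.255 10001 # block unifi discovery spam

# Default deny bridge0
$cmd 61299 drop all from any to any via bridge0

# Default deny bridge1
$cmd 61399 drop all from any to any via bridge1

# Default deny bridge2
$cmd 61499 drop all from any to any via bridge2

# Default deny bridge3
$cmd 61599 drop all from any to any via bridge3

# Default deny bridge4
$cmd 61699 drop all from any to any via bridge4

# Default deny + log
$cmd drop log all from any to any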