
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.

# This should catch more than 95 % of all valid TCP packets.

# ipfwadm option letters used below: -I = input firewall, -a = append rule,
# -P = protocol, -W = interface, -D = destination (address followed by a
# port list), -k = only TCP packets with ACK set, -y = only TCP SYN packets,
# -b = bidirectional (the rule is installed in both directions).
# NOTE(review): $IPFWADM and the $OUR*/$ANY*/$TCP*/$UDP* variables are set
# in the configurable section above this fragment - not visible here.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b

# TCP - INCOMING CONNECTIONS

# We will accept connection requests (SYN) from the outside only on the

# allowed TCP ports.

$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS

# We accept all outgoing tcp connection requests on allowed TCP ports.

$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING

# We will allow UDP datagrams in on the allowed ports.

$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN

# UDP - OUTGOING

# We will allow UDP datagrams out on the allowed ports.

$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT

# ICMP - INCOMING

# We will allow ICMP datagrams in of the allowed types.
# NOTE(review): this rule reuses the UDP port list ($UDPIN) although the
# comment speaks of allowed ICMP *types*; presumably a dedicated ICMP type
# list is defined in the configurable section above - confirm and use it.

$IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $UDPIN

# ICMP - OUTGOING

# We will allow ICMP datagrams out of the allowed types.
# NOTE(review): same as above - $UDPOUT is a UDP port list, not a list of
# ICMP types.

$IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $UDPOUT

# DEFAULT and LOGGING

# All remaining datagrams fall through to the default

# rule and are dropped. They will be logged if you've

# configured the LOGGING variable above.

#
# The three rules below only exist to make the drop visible: -o asks
# ipfwadm to log matching datagrams, and "reject" is what the default
# policy would do anyway.

if [ "$LOGGING" ]

then

        # Log barred TCP

        $IPFWADM -I -a reject -P tcp -o

        # Log barred UDP

        $IPFWADM -I -a reject -P udp -o

        # Log barred ICMP

        $IPFWADM -I -a reject -P icmp -o

fi

#

# end.

Now we'll reimplement it using the ipchains command:

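#!/bin/bash
##########################################################################
# IPCHAINS VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################
# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.
IPCHAINS=ipchains

# The path to the ipchains executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated. ipchains takes only ONE port (or port:port range)
# per rule, so each entry in these lists becomes a rule of its own
# (see accept_list below).
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################

# Stop right away if the tool cannot be found: otherwise every rule below
# would fail and whatever rule set is currently loaded would stay in force
# without any indication that this script did nothing.
if ! command -v "$IPCHAINS" >/dev/null 2>&1; then
  printf '%s: cannot find %s in PATH=%s\n' "$0" "$IPCHAINS" "$PATH" >&2
  exit 1
fi

#######################################
# Append one "accept" rule to the input chain for each entry of a
# space-separated port/type list. ipchains accepts a single port (or a
# port:port range) per rule, so a list such as "smtp www" is expanded into
# one rule per entry. An empty list gives exactly one rule without a port,
# i.e. all ports (TCP/UDP) or all types (ICMP).
# For ICMP, ipchains reads the type from the *source* port position and
# the code from the destination port position, so types are given after
# -s rather than after -d.
# Globals:   IPCHAINS, ANYADDR (read)
# Arguments:
#   $1 - protocol: tcp, udp or icmp
#   $2 - input interface, or "" to match any interface
#   $3 - destination address[/mask]
#   $4 - space-separated port/type list ("" = all)
#   $@ - any further ipchains match flags, e.g. -y  or  ! -y -b
# Returns:   status of the last ipchains invocation
#######################################
accept_list() {
  local proto=$1 iface=$2 dest=$3 ports=$4
  shift 4
  local match
  match=(-A input -p "$proto")
  if [ -n "$iface" ]; then
    match=("${match[@]}" -i "$iface")
  fi
  if [ -z "$ports" ]; then
    $IPCHAINS "${match[@]}" -d "$dest" "$@" -j accept
    return
  fi
  local port
  for port in $ports; do    # word-splitting of the list is intentional
    if [ "$proto" = icmp ]; then
      $IPCHAINS "${match[@]}" -s "$ANYADDR" "$port" -d "$dest" "$@" -j accept
    else
      $IPCHAINS "${match[@]}" -d "$dest" "$port" "$@" -j accept
    fi
  done
}

# We want to deny incoming access by default. The policy is set before the
# flush so that there is no moment in which the chain is empty while an
# "accept" policy left over from an earlier configuration is still active.
$IPCHAINS -P input deny

# Flush the Input table rules
$IPCHAINS -F input

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPCHAINS -A input -s "$OURNET" -i "$ANYDEV" -j deny

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
# (ipchains names the interface with -i; -w was the ipfwadm spelling.)
$IPCHAINS -A input -p icmp -i "$ANYDEV" -d "$OURBCAST" -j deny

# We should accept fragments, in ipchains we must do this explicitly.
# Non-first fragments carry no TCP/UDP/ICMP header, so they cannot be
# matched on port or type; they are let through so reassembly can work.
$IPCHAINS -A input -f -j accept

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
accept_list tcp "" "$OURNET" "$TCPIN" ! -y -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
accept_list tcp "$ANYDEV" "$OURNET" "$TCPIN" -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing TCP connection requests on allowed TCP ports.
accept_list tcp "$OURDEV" "$ANYADDR" "$TCPOUT" -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
accept_list udp "$ANYDEV" "$OURNET" "$UDPIN"

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
accept_list udp "$OURDEV" "$ANYADDR" "$UDPOUT"

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types (ICMPIN, not the
# UDP port list).
accept_list icmp "$ANYDEV" "$OURNET" "$ICMPIN"

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types (ICMPOUT).
accept_list icmp "$OURDEV" "$ANYADDR" "$ICMPOUT"

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#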

if [ "$LOGGING" ]