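#!/bin/sh
# Firewall rules
#
# ipfw ruleset for a FreeBSD host acting as a NAT gateway: "lan" is the inside
# interface, "wan" the outside interface (natd diverts on it) and "ppp" a PPP
# link that is trusted unconditionally.  ipfw evaluates rules in ascending
# number order and the first match wins; anything not matched below is logged
# and dropped by rules 9100-9300.
#
# Globals (written): fwcmd, localnet, wan, lan, ppp
# Requires: /sbin/ipfw, and a running natd for rule 4000.
#
# ${fwcmd} is deliberately expanded unquoted everywhere: it holds the binary
# plus its "-q" flag and must word-split into two arguments.
# shellcheck disable=SC2086

fwcmd="/sbin/ipfw -q"
localnet="192.168.1.0/24"
wan="tun0"
lan="rl1"
ppp="ppp0"

# Flush every existing rule so the set below is the only one active.
${fwcmd} -f flush

# Drop IP fragments crossing the outside interface.
${fwcmd} add 100 deny ip from any to any via "${wan}" frag

# Drop all ICMP received on the outside interface (no ping from outside).
# NOTE(review): this also drops ICMP "fragmentation needed" (type 3) and
# "time exceeded" (type 11), which breaks path-MTU discovery and traceroute
# through this box; consider allowing those with "icmptypes 3,11" if needed.
${fwcmd} add 200 deny icmp from any to any recv "${wan}"

# Loopback is unrestricted.
${fwcmd} add 300 allow ip from any to any via lo0

# Traffic to or from the local network on the inside interface is allowed.
${fwcmd} add 400 allow ip from "${localnet}" to any via "${lan}"
${fwcmd} add 500 allow ip from any to "${localnet}" via "${lan}"

# Everything on the PPP link is allowed (the PPP client is fully trusted).
${fwcmd} add 600 allow ip from any to any via "${ppp}"

# Anti-spoofing: packets received on the outside interface must not carry a
# private or loopback source address.  ${localnet} replaces the former literal
# 192.168.1.0/24 so the variable and the rule cannot drift apart.
# NOTE(review): other bogon ranges (e.g. 0.0.0.0/8, 169.254.0.0/16) are not
# covered here; add them if the upstream link does not filter them.
${fwcmd} add 1000 deny all from "${localnet}" to any recv "${wan}"
${fwcmd} add 1100 deny all from 172.16.0.0/12 to any recv "${wan}"
${fwcmd} add 1200 deny all from 10.0.0.0/8 to any recv "${wan}"
${fwcmd} add 1300 deny all from 127.0.0.0/8 to any recv "${wan}"

# Private or loopback destinations never cross the outside interface in
# either direction.  Inbound packets still carry the public address at this
# point (natd runs later, at rule 4000), so legitimate NAT traffic is unaffected.
${fwcmd} add 2000 deny all from any to "${localnet}" via "${wan}"
${fwcmd} add 2100 deny all from any to 172.16.0.0/12 via "${wan}"
${fwcmd} add 2200 deny all from any to 10.0.0.0/8 via "${wan}"
${fwcmd} add 2300 deny all from any to 127.0.0.0/8 via "${wan}"

# NetBIOS/SMB (137-139, 445) is dropped as source and destination port, on
# every interface, so it neither leaks out nor is reachable from outside.
${fwcmd} add 3000 deny udp from any 137-139,445 to any
${fwcmd} add 3100 deny tcp from any 137-139,445 to any
${fwcmd} add 3200 deny udp from any to any 137-139,445
${fwcmd} add 3300 deny tcp from any to any 137-139,445

# NAT: hand every packet crossing the outside interface to natd.  natd
# re-injects the translated packet and matching resumes at the next rule.
${fwcmd} add 4000 divert natd all from any to any via "${wan}"

# Pass packets that belong to an already-established TCP connection.
# NOTE(review): "established" is ipfw's stateless check (ACK or RST bit set),
# not connection tracking; "keep-state"/"check-state" would be stricter, but
# switching interacts with the natd divert above and is left unchanged here.
${fwcmd} add 5000 allow tcp from any to any established

# All outbound traffic on the outside interface is allowed.
${fwcmd} add 6000 allow ip from any to any out via "${wan}"

# DNS: this host answers queries on port 53 and issues its own.
# NOTE(review): 7000/7100 accept queries from any source on every interface,
# including the outside one, and 7200 admits any inbound UDP whose source
# port is 53 to any local port.  If this host is not meant to be a public
# resolver, scope these with "recv ${lan}" or use stateful rules.
${fwcmd} add 7000 allow tcp from any to me 53 setup
${fwcmd} add 7100 allow udp from any to me 53
${fwcmd} add 7200 allow udp from any 53 to me
${fwcmd} add 7300 allow udp from me 53 to any
${fwcmd} add 7400 allow udp from me to any 53

# NTP: outbound time queries and their replies.
# NOTE(review): 8100 admits any inbound UDP with source port 123 regardless of
# destination port, for the same reason as 7200 above.
${fwcmd} add 8000 allow udp from any to any 123 out
${fwcmd} add 8100 allow udp from any 123 to any in

# Services reachable from the outside interface: HTTP, SSH, SMTP, POP3.
# "setup" matches only the initial SYN; later segments pass via rule 5000.
${fwcmd} add 8200 allow tcp from any to any 80 setup via "${wan}"
${fwcmd} add 8300 allow tcp from any to any 22 setup via "${wan}"
${fwcmd} add 8400 allow tcp from any to any 25 setup via "${wan}"
${fwcmd} add 8500 allow tcp from any to any 110 setup via "${wan}"

# Anything not matched above is logged and dropped.
${fwcmd} add 9100 deny log tcp from any to any
${fwcmd} add 9200 deny log udp from any to any
${fwcmd} add 9300 deny log icmp from any to any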