#!/bin/sh
# ipfw ruleset loader: creates the tables and dummynet objects, then installs
# the numbered rule list driven by the config knobs further down.
# Abort on the first failing command and on any reference to an unset variable.
set -eu
# Path of the ipfw(8) binary every table, pipe and rule command goes through.
fwcmd=/sbin/ipfw
#######################################
# Load a comma-separated address list into an ipfw table.
# Globals:   fwcmd (read)
# Arguments: $1 - table name
#            $2 - comma-separated IPv4/IPv6 addresses or prefixes
# Returns:   0 when the list is unset, "none" or empty after cleaning;
#            otherwise the exit status of the ipfw invocation
#######################################
populate_addr_table() {
  table_name=$1
  addr_list=$2
  if ! is_configured "${addr_list:-}"; then
    return 0
  fi
  # Sanitise the list before it reaches a command line: drop whitespace and
  # every character that cannot appear in an IPv4/IPv6 prefix, squeeze and
  # trim commas, then put one entry per line.  The last expression appends a
  # newline and "0" once at the end of the pattern space, i.e. after the final
  # address, not after every line.
  # NOTE(review): that makes xargs run "ipfw table T add A1 A2 ... AN 0";
  # confirm this is the key/value argument form ipfw table add expects.
  clean_list=$(printf '%s' "$addr_list" | sed \
    -e 's/[[:space:]]//g' \
    -e 's/[^0-9A-Fa-f:./,]//g' \
    -e 's/,,*/,/g' \
    -e 's/^,//' \
    -e 's/,$//' \
    -e 's/,/\
/g' \
    -e 's/$/\
0/')
  if [ -z "$clean_list" ]; then
    return 0
  fi
  printf '%s' "$clean_list" | xargs ${fwcmd} table "$table_name" add
}
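#######################################
# Apply "name=value" defaults: each variable is assigned only when it is
# currently unset (an existing value, even an empty one, is kept).
# Arguments: $1 - newline-separated list of name=value entries; blank
#            lines are skipped and the value may itself contain "="
# Returns:   0, or 1 when an entry carries a name that is not a plain
#            shell identifier (nothing is assigned for that entry)
#######################################
set_kv_defaults() {
  kv_list=$1
  old_ifs=$IFS
  # Split on newlines only so a value may contain spaces.
  IFS='
'
  for entry in $kv_list; do
    [ -n "$entry" ] || continue
    var=${entry%%=*}
    value=${entry#*=}
    # The name is spliced into eval text, so refuse anything that is not a
    # plain identifier instead of letting it become shell syntax.
    case $var in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        IFS=$old_ifs
        printf 'set_kv_defaults: invalid variable name: %s\n' "$var" >&2
        return 1
        ;;
    esac
    # The value is referenced through $value rather than pasted into the
    # eval text, so "$", "}" or quotes inside a default are taken literally.
    eval "$var=\${$var-\$value}"
  done
  IFS=$old_ifs
}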
#######################################
# Like set_kv_defaults, but an entry also replaces an existing empty value.
# Arguments: $1 - newline-separated name=value entries (blank lines ignored)
#######################################
set_kv_defaults_if_empty() {
  kv_list=$1
  old_ifs=$IFS
  # Split on newlines only so a value may contain spaces.
  IFS='
'
  for entry in $kv_list; do
    if [ -z "$entry" ]; then
      continue
    fi
    set_default_if_empty "${entry%%=*}" "${entry#*=}"
  done
  IFS=$old_ifs
}
#######################################
# Let an upper-case environment variable override each lower-case knob.
# Arguments: $1 - whitespace-separated list of lower-case variable names
# Outputs:   none; assigns the lower-case variable whenever its upper-case
#            counterpart is set to a non-empty value (an empty one is ignored,
#            so the environment cannot clear a default this way)
#######################################
apply_upper_overrides() {
  var_list=$1
  for var in $var_list; do
    upper=$(printf '%s' "$var" | tr '[:lower:]' '[:upper:]')
    eval "override=\${$upper-}"
    [ -n "$override" ] || continue
    eval "$var=\$$upper"
  done
}
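#######################################
# Assign $2 to the variable named $1 when that variable is unset or empty.
# Arguments: $1 - variable name
#            $2 - value to assign
# Returns:   0, or 1 when $1 is not a plain shell identifier
#######################################
set_default_if_empty() {
  var_name=$1
  # The name is spliced into eval text, so only accept plain identifiers.
  case $var_name in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      printf 'set_default_if_empty: invalid variable name: %s\n' "$var_name" >&2
      return 1
      ;;
  esac
  # Read the current value without a subshell: a command substitution would
  # strip trailing newlines and make a newline-only value look empty.
  eval "current_value=\${$var_name-}"
  if [ -z "$current_value" ]; then
    eval "$var_name=\$2"
  fi
}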
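# Fallbacks applied after the environment overrides, only where a knob is
# still empty.  Entries here are fixed text.  The pipe_* fallbacks are derived
# from the wan_* ports at call time inside resolve_effective_scalar_defaults:
# an assignment-time "${wan_tcp_ports-}" here would capture the value before
# set_kv_defaults and apply_upper_overrides have run, so a WAN_TCP_PORTS
# override would never reach the pipe rules.
effective_scalar_default_values="
allow_multicast=no
allow_multicast_legacy=no
log_ssh_hits=no
log_wan_tcp_hits=no
log_default_deny=no
"
#######################################
# Fill empty knobs with their effective defaults.  pipe_tcp_ports and
# pipe_udp_ports fall back to the *current* wan_tcp_ports/wan_udp_ports.
# Globals:   wan_tcp_ports, wan_udp_ports (read)
#            pipe_tcp_ports, pipe_udp_ports and the knobs listed in
#            effective_scalar_default_values (written when empty)
#######################################
resolve_effective_scalar_defaults() {
  set_kv_defaults_if_empty "pipe_tcp_ports=${wan_tcp_ports-}
pipe_udp_ports=${wan_udp_ports-}
$effective_scalar_default_values"
}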
#######################################
# True when $1 is exactly "yes"; a missing or empty argument counts as "no".
#######################################
is_yes() {
  case "${1:-no}" in
    yes) return 0 ;;
    *) return 1 ;;
  esac
}
#######################################
# Negation of is_yes: true unless $1 is exactly "yes".
#######################################
is_not_yes() {
  if is_yes "${1:-no}"; then
    return 1
  fi
  return 0
}
#######################################
# True when $1 is the literal "none", the explicit "disabled" marker.
#######################################
is_none() {
  case "${1:-}" in
    none) return 0 ;;
    *) return 1 ;;
  esac
}
#######################################
# True when $1 is non-empty and not the "none" marker.
#######################################
is_configured() {
  if [ -z "${1:-}" ]; then
    return 1
  fi
  if is_none "$1"; then
    return 1
  fi
  return 0
}
#######################################
# True when $1 names an interface that ifconfig can query.
# Arguments: $1 - interface name; "" or "none" yields false without probing
#######################################
interface_is_available() {
  iface_name=$1
  if ! is_configured "${iface_name:-}"; then
    return 1
  fi
  ifconfig "$iface_name" >/dev/null 2>&1
}
# Rule number map
# 100–160: loopback, fail2ban, fragments, shaping, NAT, Suricata, check-state
# 170–189: ICMP flood + loopback/IPv6 hygiene
# 200–207: VPN leak prevention + VPN endpoints/DNS
# 220–234: IP options + DHCP
# 244: outbound allow
# 250–263: anti-spoof + ICMP allow/deny
# 270: multicast/martians
# 300–316: inbound services (v4/v6)
# 320–323: inbound to me + internal pass
# 390: final deny
# Scalar config knobs. Empty means unset/disabled unless noted otherwise.
# Consumed by set_kv_defaults: one name=value per line, applied only where
# the variable is still unset, so a lower-case variable exported into the
# environment before the script runs survives.  port_transition_old_port is
# a second SSH port that is merged with ssh_port into ssh_ports; the yes/no
# switches listed here are repeated in effective_scalar_default_values.
scalar_config_defaults="
nat_if=
tun_if=
internal_if=
vpn_endpoints_ip4=
vpn_tcp_port=
vpn_udp_port=
suricata_port=
ssh_ipv4=
ssh_ipv6=
ssh_port=
port_transition_old_port=
log_ssh_hits=no
log_wan_tcp_hits=no
allow_multicast=no
allow_multicast_legacy=no
dhcp_ip4=
lan_tcp_ports=
lan_udp_ports=
wan_tcp_ports=
wan_udp_ports=
pipe_tcp_ports=
pipe_udp_ports=
nat_if_in_bw=
nat_if_out_bw=
log_default_deny=no
"
# Knobs that may be overridden from the environment in upper case (NAT_IF,
# SSH_PORT, ...) via apply_upper_overrides.  vpn_dns_ip4 is listed although it
# has no entry in scalar_config_defaults.
# NOTE(review): port_transition_old_port is in scalar_config_defaults but not
# here, so PORT_TRANSITION_OLD_PORT is never honoured - confirm that omission
# is deliberate.
public_scalar_config_vars="
nat_if tun_if internal_if vpn_endpoints_ip4 vpn_tcp_port vpn_udp_port vpn_dns_ip4
suricata_port ssh_ipv4 ssh_ipv6 ssh_port log_ssh_hits log_wan_tcp_hits allow_multicast allow_multicast_legacy dhcp_ip4
lan_tcp_ports lan_udp_ports wan_tcp_ports wan_udp_ports
pipe_tcp_ports pipe_udp_ports nat_if_in_bw nat_if_out_bw log_default_deny
"
# Install the defaults now; values already present in the environment win.
set_kv_defaults "$scalar_config_defaults"
# Resolvers reachable during VPN bootstrap (rule 207).
vpn_dns_ip4=9.9.9.9,149.112.112.112,1.1.1.2,1.0.0.2
# Source prefixes that are never legitimate on the wire; they go into the
# shared "blocked" table, which rule 270 matches on the source address of
# inbound packets on every interface.  RFC 1918 space and 169.254.0.0/16 are
# not listed, since the same table is consulted on the internal interface.
# NOTE(review): confirm that omission is deliberate.
blocked_addrs_ip4="0.0.0.0/8,127.0.0.0/8,192.0.2.0/24,192.88.99.0/24,\
198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,204.152.64.0/23,\
233.252.0.0/24,240.0.0.0/4,255.255.255.255/32"
# IPv6 counterpart: unspecified, loopback, discard-only, Teredo, ORCHID,
# documentation, 6to4 and the reserved 3fff/5f00 blocks.
blocked_addrs_ip6="::/128,::1/128,100::/64,2001::/32,2001:20::/28,\
2001:db8::/32,2002::/16,3fff::/20,5f00::/16"
# Environment overrides: NAT_IF, SSH_PORT, BLOCKED_ADDRS_IP4, ... (upper case)
# replace the lower-case knob when set to a non-empty value.
apply_upper_overrides "$public_scalar_config_vars blocked_addrs_ip4 blocked_addrs_ip6"
resolve_effective_scalar_defaults
# Guard for set -u: the yes/no switches get "no" if still unset.  Both
# scalar_config_defaults and resolve_effective_scalar_defaults already
# cover them, so this is belt and braces.
: "${allow_multicast=no}"
: "${allow_multicast_legacy=no}"
: "${log_ssh_hits=no}"
: "${log_wan_tcp_hits=no}"
: "${log_default_deny=no}"
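# With multicast disabled, the multicast prefixes join the blocked *source*
# table (rule 270 matches the table against the source address only).
if is_not_yes "$allow_multicast"; then
  blocked_addrs_ip4="224.0.0.0/4,${blocked_addrs_ip4}"
  blocked_addrs_ip6="ff00::/8,${blocked_addrs_ip6}"
fi
# SSH port list for rules 300/301 and 310/311: the configured port plus, while
# a port move is in progress, the previous one.  Built so that an empty
# ssh_port together with a configured port_transition_old_port yields just
# the old port instead of a dangling "old," list.
ssh_ports="${ssh_port-}"
if is_configured "${port_transition_old_port:-}" &&
  [ "$port_transition_old_port" != "${ssh_port-}" ]; then
  if [ -n "${ssh_port-}" ]; then
    ssh_ports="$port_transition_old_port,${ssh_port}"
  else
    ssh_ports="$port_transition_old_port"
  fi
fi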
# IPv6 counts as available when any interface reports an inet6 address; this
# also matches loopback (::1) and link-local (fe80::) addresses.
if ifconfig | grep -qwF 'inet6'; then
  ipv6_available=1
else
  ipv6_available=0
fi
# Presence flags (1/0) for each configured interface.
nat_if_available=0
if interface_is_available "${nat_if-}"; then
  nat_if_available=1
fi
tun_if_available=0
if interface_is_available "${tun_if-}"; then
  tun_if_available=1
fi
# Without a usable tunnel interface the egress interface stands in for it,
# so the leak-prevention and outbound rules still have a named path.
if [ "$nat_if_available" -eq 1 ] && [ "$tun_if_available" -ne 1 ]; then
  tun_if="$nat_if"
  tun_if_available="$nat_if_available"
fi
internal_if_available=0
if interface_is_available "${internal_if-}"; then
  internal_if_available=1
fi
# Start from an empty firewall: rules first, then dummynet pipes, queues and
# schedulers.  From here until rule 390 is added the ruleset is incomplete;
# because the script runs under set -e, any later failure leaves it in that
# partial state, where unmatched traffic falls through to the kernel's default
# rule 65535.  ipfw rule sets ("ipfw set swap") are one way to make a reload
# atomic if that window matters.
${fwcmd} -q flush
for dn_object in pipe queue sched; do
  ${fwcmd} -q "$dn_object" flush
done
#################################
# Table Setup
#################################
# "create or-flush" keeps re-runs idempotent: an existing table is emptied
# instead of rejected.  Nothing in this script adds to fail2ban (it is only
# consulted by rule 110), so a reload also clears whatever bans the external
# populator had installed until it re-adds them.
for addr_table in fail2ban blocked; do
  ${fwcmd} table "$addr_table" create or-flush type addr
done
# "blocked" holds the martian (and, when multicast is off, multicast) source
# prefixes; the IPv6 half is only loaded on a host with inet6 addresses.
populate_addr_table blocked "$blocked_addrs_ip4"
if [ "$ipv6_available" -eq 1 ]; then
  populate_addr_table blocked "$blocked_addrs_ip6"
fi
#################################
# Traffic Object Setup
#################################
# NAT instance 1 on the VPN/bootstrap egress interface.  same_ports tries to
# keep the original source port, unreg_only translates only unregistered
# (private) source addresses, reset clears the translation table when the
# interface address changes.
if [ "$internal_if_available" -eq 1 ] && [ "$nat_if_available" -eq 1 ]; then
  ${fwcmd} nat 1 config if "$nat_if" same_ports unreg_only reset
fi
# fq_codel tuning shared by every dummynet pipe below.  A fixed word list,
# expanded unquoted on purpose so each option becomes its own argument.
fq_codel_opts='type fq_codel target 5ms quantum 6000 flows 2048 interval 400'
# Pipes 1/2: 1 Mbit/s per source/destination address pair for the pipe_*
# service ports (IPv4 and, when present, IPv6 with /60 flow masks).
if is_configured "${pipe_tcp_ports:-}" || is_configured "${pipe_udp_ports:-}"; then
  # shellcheck disable=SC2086
  ${fwcmd} pipe 1 config bw 1Mbit/s buckets 2048 mask src-ip 0xffffffff dst-ip 0xffffffff $fq_codel_opts
  if [ "$ipv6_available" -eq 1 ]; then
    # shellcheck disable=SC2086
    ${fwcmd} pipe 2 config bw 1Mbit/s buckets 2048 mask src-ip6 60 dst-ip6 60 $fq_codel_opts
  fi
fi
# Pipes/queues 3 and 4: optional ingress/egress caps on the egress interface,
# only built when the corresponding bandwidth knob is set.
if [ "$nat_if_available" -eq 1 ]; then
  if is_configured "${nat_if_in_bw:-}"; then
    # shellcheck disable=SC2086
    ${fwcmd} pipe 3 config bw "$nat_if_in_bw" $fq_codel_opts
    ${fwcmd} queue 3 config pipe 3
  fi
  if is_configured "${nat_if_out_bw:-}"; then
    # shellcheck disable=SC2086
    ${fwcmd} pipe 4 config bw "$nat_if_out_bw" $fq_codel_opts
    ${fwcmd} queue 4 config pipe 4
  fi
fi
# Pipe 5: 100 Kbit/s budget shared by all ICMP echo traffic (rules 170/171).
${fwcmd} pipe 5 config bw 100Kbit/s type qfq
#################################
# Loopback Traffic Handling
#################################
# Allow all traffic on the loopback interface (lo0)
# Placed first so the 127.0.0.0/8 and ::1 denies at 180-183 never touch
# genuine loopback packets.
${fwcmd} add 100 allow ip from any to any via lo0
#################################
# IPFW Table Handling
#################################
# Deny traffic from Fail2Ban table
# Evaluated before check-state (160), so a banned source is cut off even when
# a dynamic rule already exists for its flow.  This script only creates and
# flushes the table; entries are added from outside.
${fwcmd} add 110 deny ip from 'table(fail2ban)' to any
#################################
# Fragmented Packet Handling
#################################
# Deny fragmented IPv4 packets
# "frag mf" matches fragments with the More-Fragments bit set, i.e. every
# fragment except the last of a datagram; the trailing fragment (offset > 0,
# MF clear) is not matched here.
# NOTE(review): confirm that coverage is the intended one.
${fwcmd} add 120 deny ip4 from any to any frag mf
#################################
# Network Traffic Shaping
#################################
#
# NOTE(review): "pipe" and "queue" are terminating actions when the sysctl
# net.inet.ip.fw.one_pass is 1 (the FreeBSD default): the packet is accepted
# after dummynet and never reaches check-state (160), the anti-spoof check
# (250), the blocked table (270) or the per-service limits (300+).  With
# one_pass=0 it re-enters at the next rule instead.  Nothing in this file sets
# that sysctl; confirm the host runs with one_pass=0, otherwise rules 130-135
# bypass the rest of the ruleset for the traffic they match.
#
# Limit user connection bandwidth
if is_configured "${pipe_tcp_ports:-}" || is_configured "${pipe_udp_ports:-}"; then
# Join the TCP and UDP lists into one port list (matched without a protocol,
# so each port applies to both) and strip the comma left when one is empty.
pipe_ports=$(printf '%s\n' "$pipe_tcp_ports,$pipe_udp_ports" | sed -E 's/^,+//;s/,+$//')
${fwcmd} add 130 pipe 1 ip4 from any to me "$pipe_ports" in
${fwcmd} add 131 pipe 1 ip4 from me "$pipe_ports" to any out
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 132 pipe 2 ip6 from any to me6 "$pipe_ports" in
${fwcmd} add 133 pipe 2 ip6 from me6 "$pipe_ports" to any out
fi
fi
# Shape all traffic on the IPv4 VPN/bootstrap egress interface (in/out) using fq_codel
# Queues 3/4 only exist when nat_if_in_bw/nat_if_out_bw are configured; the
# one_pass caveat above applies to these two rules as well.
if [ "$nat_if_available" -eq 1 ]; then
if is_configured "${nat_if_in_bw:-}"; then
${fwcmd} add 134 queue 3 ip from any to any in recv "$nat_if"
fi
if is_configured "${nat_if_out_bw:-}"; then
${fwcmd} add 135 queue 4 ip from any to any out xmit "$nat_if"
fi
fi
#################################
# IPv4 NAT Traffic Handling
#################################
# NAT traffic between the trusted internal interface and the IPv4 VPN/bootstrap egress interface
# NOTE(review): like pipe/queue, "nat" stops rule processing when the sysctl
# net.inet.ip.fw.one_pass is 1 (the default); with that setting every packet
# crossing nat_if is accepted right here and never sees check-state, the
# anti-spoof check or the inbound service rules.  Confirm one_pass=0 on the
# host.
if [ "$internal_if_available" -eq 1 ] && [ "$nat_if_available" -eq 1 ]; then
${fwcmd} add 140 nat 1 ip4 from any to any via "$nat_if"
fi
#################################
# Suricata Traffic Diversion
#################################
# Divert inbound traffic on the IPv4 VPN/bootstrap egress interface to Suricata for inline IPS processing
# ICMP/ICMPv6 stay in the ruleset.  Divert fails closed: with no process bound
# to the divert port the diverted packets are dropped rather than forwarded,
# so an IPS outage blocks inbound nat_if traffic instead of exposing it.
# Packets Suricata re-injects continue at the rule after this one.
if [ "$nat_if_available" -eq 1 ] && is_configured "${suricata_port:-}"; then
${fwcmd} add 150 divert "$suricata_port" ip from any to any not proto icmp not proto ipv6-icmp in recv "$nat_if"
fi
#################################
# Stateful Traffic Handling
#################################
# Check the state of all connections to allow established connections
# Matches the dynamic entries created by the record-state and limit rules
# below (VPN bootstrap 203-207, outbound 244, services 301-323).
${fwcmd} add 160 check-state
#################################
# ICMP Flood Protection
#################################
# Echo request/reply addressed to this host goes through the 100 Kbit/s
# pipe 5.  Pings arriving on the trusted internal interface are exempt when
# that interface exists.
if [ "$internal_if_available" -eq 1 ]; then
  icmp_pipe_scope="not recv $internal_if"
else
  icmp_pipe_scope=
fi
# shellcheck disable=SC2086
${fwcmd} add 170 pipe 5 icmp from any to me icmptypes 8,0 in $icmp_pipe_scope
if [ "$ipv6_available" -eq 1 ]; then
  # shellcheck disable=SC2086
  ${fwcmd} add 171 pipe 5 ipv6-icmp from any to me6 icmp6types 128,129 in $icmp_pipe_scope
fi
#################################
# Loopback Protection and IPv6 Network Functionality
#################################
# Deny traffic to and from the IPv4 loopback network (127.0.0.0/8)
# Rule 100 already accepted real lo0 traffic, so these only catch loopback
# addresses showing up on other interfaces.
${fwcmd} add 180 deny ip from any to 127.0.0.0/8
${fwcmd} add 181 deny ip from 127.0.0.0/8 to any
# IPv6 loopback and network functionality rules (if IPv6 is available)
if [ "$ipv6_available" -eq 1 ]; then
# Deny traffic to and from the IPv6 loopback address (::1/128)
${fwcmd} add 182 deny ip from any to ::1/128
${fwcmd} add 183 deny ip from ::1/128 to any
# Deny routing header type 0 (RH0) to prevent amplification and redirection attacks (RFC5095)
${fwcmd} add 184 deny ip6 from any to any ext6hdr rthdr0
# Deny fragmented IPv6 control-plane ICMPv6 packets used by ND/MLD to prevent evasion and DoS attacks (RFC6980)
${fwcmd} add 185 deny ipv6-icmp from any to any ext6hdr frag icmp6types 130,131,132,133,134,135,136,137,138,141,142,143
# Deny all fragmented packets going to link-local or multicast scope — protects against ND and MLD evasion
${fwcmd} add 186 deny ipv6-icmp from any to "fe80::/10,ff00::/8" ext6hdr frag
# Allow multicast listener control traffic on the trusted internal interface only for the all-nodes and MLDv2-router multicast groups
# Types: 130 = MLD query, 143 = MLDv2 report; the legacy switch adds the
# MLDv1 report/done types 131 and 132.  Only packets received on the
# internal interface qualify.
if is_yes "$allow_multicast" && [ "$internal_if_available" -eq 1 ]; then
if is_yes "$allow_multicast_legacy"; then
${fwcmd} add 187 allow ipv6-icmp from any to "ff02::1,ff02::16" icmp6types 130,131,132,143 in recv "$internal_if"
else
${fwcmd} add 187 allow ipv6-icmp from any to "ff02::1,ff02::16" icmp6types 130,143 in recv "$internal_if"
fi
fi
# Allow ICMPv6 Neighbor Solicitation (NS) and Neighbor Advertisement (NA), including Duplicate Address Detection (DAD)
# No direction, interface or source restriction: NS/NA pass both ways on
# every interface.
${fwcmd} add 188 allow ipv6-icmp from any to any icmp6types 135,136
# Allow ICMPv6 Router Solicitation (RS) and Router Advertisement (RA) for link-local traffic and the all-nodes/all-routers multicast groups
# NOTE(review): RAs (134) are accepted from any link-local source on every
# interface, so rogue RAs are not filtered by where they arrive; if only one
# interface is expected to carry RAs, pin this rule to it with "recv".
${fwcmd} add 189 allow ipv6-icmp from fe80::/10 to "fe80::/10,ff02::1,ff02::2" icmp6types 133,134
fi
#################################
# VPN LAN Leak Prevention
#################################
# Deny traffic between the trusted internal interface and any egress path other than the protected tunnel/bootstrap interfaces
# 200: anything that arrived on the internal interface may only leave via the
# tunnel (or the bootstrap/NAT interface).
# NOTE(review): in 201 the clause "out recv not recv ..." does not follow the
# documented "recv <interface>" grammar - the word after the first "recv" is
# "not", so ipfw is likely to install a match on an interface literally named
# "not", which never fires.  Check with "ipfw show" whether 201 ever counts a
# hit.  The form that reads as intended, "out not recv ... xmit internal",
# would also deny packets originated by this host towards the LAN (locally
# generated packets have no receive interface), so it is not a drop-in fix.
if [ "$internal_if_available" -eq 1 ] && [ "$tun_if_available" -eq 1 ]; then
if [ "$nat_if_available" -eq 1 ]; then
${fwcmd} add 200 deny ip from any to any out recv "$internal_if" not xmit "$tun_if" not xmit "$nat_if"
${fwcmd} add 201 deny ip from any to any out recv not recv "$tun_if" not recv "$nat_if" xmit "$internal_if"
else
${fwcmd} add 200 deny ip from any to any out recv "$internal_if" not xmit "$tun_if"
${fwcmd} add 201 deny ip from any to any out recv not recv "$tun_if" xmit "$internal_if"
fi
# Allow bootstrap traffic to the IPv4 VPN endpoints/proxies
# 203 records state for outbound echo requests so the replies pass
# check-state; 204 then lets any other ICMP to the endpoints out statelessly.
if is_configured "${vpn_endpoints_ip4:-}"; then
${fwcmd} add 203 allow icmp from me to "$vpn_endpoints_ip4" icmptypes 8 out record-state
${fwcmd} add 204 allow icmp from me to "$vpn_endpoints_ip4" out
# TCP: only the initial SYN is matched; the rest of the handshake rides on
# the recorded state.
if is_configured "${vpn_tcp_port:-}"; then
${fwcmd} add 205 allow ip4 from me to "$vpn_endpoints_ip4" "$vpn_tcp_port" tcpflags syn,!ack,!fin,!rst out record-state
fi
if is_configured "${vpn_udp_port:-}"; then
${fwcmd} add 206 allow ip4 from me to "$vpn_endpoints_ip4" "$vpn_udp_port" proto udp out record-state
fi
fi
# Allow bootstrap DNS traffic to the VPN setup DNS servers
# Port 53 from this host only, TCP and UDP alike (no proto given).
if is_configured "${vpn_dns_ip4:-}"; then
${fwcmd} add 207 allow ip4 from me to "$vpn_dns_ip4" 53 out record-state
fi
fi
#################################
# Anti-DoS and Recon Prevention
#################################
# Block packets with IP options
# Source routing (ssrr/lsrr), record-route and timestamp options, inbound only.
${fwcmd} add 220 deny ip from any to any ipoptions ssrr in
${fwcmd} add 221 deny ip from any to any ipoptions lsrr in
${fwcmd} add 222 deny ip from any to any ipoptions rr in
${fwcmd} add 223 deny ip from any to any ipoptions ts in
#################################
# DHCP and Broadcast Traffic
#################################
# Allow DHCPv4 traffic (outbound/inbound)
# Three modes.  dhcp_ip4=any opens 67/68 in both directions on every
# interface with no source restriction; a server address limits the exchange
# to that server (plus the broadcast discover); unset/none means this host is
# a client only.  232 then drops every other 67/68 packet.
if [ "${dhcp_ip4:-}" = "any" ]; then
${fwcmd} add 230 allow ip4 from any 68 to any 67 proto udp
${fwcmd} add 231 allow ip4 from any 67 to any 68 proto udp
elif is_configured "${dhcp_ip4:-}"; then
${fwcmd} add 230 allow ip4 from any 68 to \{ "$dhcp_ip4" or 255.255.255.255 \} 67 proto udp
${fwcmd} add 231 allow ip4 from "$dhcp_ip4" 67 to any 68 proto udp
else
${fwcmd} add 230 allow ip4 from me 68 to any 67 proto udp out
${fwcmd} add 231 allow ip4 from any 67 to any 68 proto udp in
fi
${fwcmd} add 232 deny ip4 from any to any 67,68 proto udp
# Allow DHCPv6 traffic (if IPv6 is available)
# Client->server to the all-DHCP-agents group, server->client link-local only.
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 233 allow ip6 from fe80::/10 546 to ff02::1:2 547 proto udp
${fwcmd} add 234 allow ip6 from fe80::/10 547 to fe80::/10 546 proto udp
fi
#################################
# Outbound Traffic
#################################
# Allow outbound traffic with stateful handling
# "from any" covers both locally generated and forwarded packets, so LAN
# traffic that survived the leak-prevention rules gets its return state here.
# When the interfaces are known the allow is pinned to them; otherwise every
# outbound packet is allowed.
if [ "$internal_if_available" -eq 1 ] && [ "$tun_if_available" -eq 1 ] && [ "$nat_if_available" -eq 1 ]; then
${fwcmd} add 244 allow ip from any to any out \{ xmit "$internal_if" or xmit "$tun_if" or xmit "$nat_if" \} record-state
elif [ "$internal_if_available" -eq 1 ] && [ "$tun_if_available" -eq 1 ]; then
${fwcmd} add 244 allow ip from any to any out \{ xmit "$internal_if" or xmit "$tun_if" \} record-state
else
${fwcmd} add 244 allow ip from any to any out record-state
fi
#################################
# Block Banned and Spoofed IPs
#################################
# Anti-spoofing: Deny traffic with invalid source addresses
# verrevpath drops inbound packets whose source is not routed back out of the
# receiving interface; asymmetrically routed traffic is dropped as well.
${fwcmd} add 250 deny ip from any to any not verrevpath in
#################################
# ICMP Rules for Network Functionality
#################################
# Allow ICMPv4 Echo Reply, Destination Unreachable, Echo Request, and Time Exceeded
# NOTE(review): 260/261 accept these types from any source and sit before the
# blocked table at 270, so ICMP from a table prefix is only filtered by
# verrevpath above; move 270 ahead of 260 if the table is meant to cover ICMP
# as well.
${fwcmd} add 260 allow icmp from any to any icmptypes 0,3,8,11 in
# Allow ICMPv6 Destination Unreachable, Packet Too Big, Time Exceeded, and Echo Request/Reply
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 261 allow ipv6-icmp from any to any icmp6types 1,2,3,128,129 in
fi
# Deny all other ICMPv4 and ICMPv6 traffic
${fwcmd} add 262 deny icmp from any to any in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 263 deny ipv6-icmp from any to any in
fi
#################################
# Block Martians and Multicast Traffic
#################################
# Block inbound multicast and martian source ranges via a reusable mixed-family table
# The table is matched on the *source* address only: the 224.0.0.0/4 and
# ff00::/8 entries added when allow_multicast is not "yes" stop
# multicast-sourced packets (never valid), not multicast-destined delivery,
# which is decided later by 323/390.
${fwcmd} add 270 deny ip from 'table(blocked)' to any in
#################################
# Inbound Traffic (User-Defined Services)
#################################
# Allow new SSH connections from allowed source IPs to the firewall
# Only the SYN is matched; the rest of each session rides on check-state.
# "limit dst-addr 2" caps dynamic entries per *destination* address, i.e. two
# concurrent SSH states to this host in total, not two per client.
# NOTE(review): confirm that is the intended cap (src-addr would be per
# client).  300 only counts/logs and never decides.
if is_configured "${ssh_ipv4:-}" && is_configured "${ssh_ports:-}"; then
if is_yes "$log_ssh_hits"; then
${fwcmd} add 300 count log ip4 from "$ssh_ipv4" to me "$ssh_ports" tcpflags syn,!ack,!fin,!rst in
fi
${fwcmd} add 301 allow ip4 from "$ssh_ipv4" to me "$ssh_ports" tcpflags syn,!ack,!fin,!rst in limit dst-addr 2
fi
# Allow trusted internal user connections to the firewall, keeping LAN traffic on the fast path
# Bound to packets received on the internal interface; no per-source cap.
if is_configured "${lan_tcp_ports:-}" && [ "$internal_if_available" -eq 1 ]; then
${fwcmd} add 302 allow ip4 from any to me "$lan_tcp_ports" tcpflags syn,!ack,!fin,!rst in recv "$internal_if" record-state
fi
if is_configured "${lan_udp_ports:-}" && [ "$internal_if_available" -eq 1 ]; then
${fwcmd} add 303 allow ip4 from any to me "$lan_udp_ports" proto udp in recv "$internal_if" record-state
fi
# Allow WAN-facing services with stricter dynamic controls
# TCP: at most 10 dynamic states per source address.  UDP (306) is stateless
# and uncapped; its replies leave through the outbound rule 244.
if is_configured "${wan_tcp_ports:-}"; then
if is_yes "$log_wan_tcp_hits"; then
${fwcmd} add 304 count log ip4 from any to me "$wan_tcp_ports" tcpflags syn,!ack,!fin,!rst in
fi
${fwcmd} add 305 allow ip4 from any to me "$wan_tcp_ports" tcpflags syn,!ack,!fin,!rst in limit src-addr 10
fi
if is_configured "${wan_udp_ports:-}"; then
${fwcmd} add 306 allow ip4 from any to me "$wan_udp_ports" proto udp in
fi
# IPv6 SSH and user rules (if IPv6 is available)
# Mirrors 300-306 for IPv6 with the same port lists and the same caps:
# "limit dst-addr 2" is a total of two SSH states to this host, "limit
# src-addr 10" is per client.  ssh_ipv6 is the only knob specific to v6.
if [ "$ipv6_available" -eq 1 ]; then
if is_configured "${ssh_ipv6:-}" && is_configured "${ssh_ports:-}"; then
if is_yes "$log_ssh_hits"; then
${fwcmd} add 310 count log ip6 from "$ssh_ipv6" to me6 "$ssh_ports" tcpflags syn,!ack,!fin,!rst in
fi
${fwcmd} add 311 allow ip6 from "$ssh_ipv6" to me6 "$ssh_ports" tcpflags syn,!ack,!fin,!rst in limit dst-addr 2
fi
# LAN-facing services: received on the internal interface only, no cap.
if is_configured "${lan_tcp_ports:-}" && [ "$internal_if_available" -eq 1 ]; then
${fwcmd} add 312 allow ip6 from any to me6 "$lan_tcp_ports" tcpflags syn,!ack,!fin,!rst in recv "$internal_if" record-state
fi
if is_configured "${lan_udp_ports:-}" && [ "$internal_if_available" -eq 1 ]; then
${fwcmd} add 313 allow ip6 from any to me6 "$lan_udp_ports" proto udp in recv "$internal_if" record-state
fi
# WAN-facing services: 314 only counts/logs, 316 is stateless UDP.
if is_configured "${wan_tcp_ports:-}"; then
if is_yes "$log_wan_tcp_hits"; then
${fwcmd} add 314 count log ip6 from any to me6 "$wan_tcp_ports" tcpflags syn,!ack,!fin,!rst in
fi
${fwcmd} add 315 allow ip6 from any to me6 "$wan_tcp_ports" tcpflags syn,!ack,!fin,!rst in limit src-addr 10
fi
if is_configured "${wan_udp_ports:-}"; then
${fwcmd} add 316 allow ip6 from any to me6 "$wan_udp_ports" proto udp in
fi
fi
#################################
# Inbound Internal Traffic
#################################
# Deny any inbound traffic to me that hasn't been explicitly allowed
# Closes the host's own addresses before the transit rules below, so 322/323
# never admit unicast traffic addressed to this host.  With
# log_default_deny=yes the drops are logged (subject to the kernel's
# net.inet.ip.fw.verbose_limit).
if is_yes "$log_default_deny"; then
${fwcmd} add 320 deny log ip from any to me in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 321 deny log ip from any to me6 in
fi
else
${fwcmd} add 320 deny ip from any to me in
if [ "$ipv6_available" -eq 1 ]; then
${fwcmd} add 321 deny ip from any to me6 in
fi
fi
# Allow trusted bridge/transit traffic on the internal interface, keeping multicast control traffic gated by policy
# 322: any new TCP connection arriving on the internal interface, to any
# destination, is allowed and tracked.  323: every UDP datagram arriving
# there is allowed - including multicast-destined UDP, regardless of
# allow_multicast; the switch only adds IGMP.
if [ "$internal_if_available" -eq 1 ]; then
${fwcmd} add 322 allow ip from any to any tcpflags syn,!ack,!fin,!rst in recv "$internal_if" record-state
if is_yes "$allow_multicast"; then
${fwcmd} add 323 allow \{ udp or igmp \} from any to any in recv "$internal_if" record-state
else
${fwcmd} add 323 allow udp from any to any in recv "$internal_if" record-state
fi
fi
#################################
# Final Rule: Deny all other traffic
#################################
# Everything not matched above is dropped.  With log_default_deny=yes the
# drop is also logged (subject to the kernel's net.inet.ip.fw.verbose_limit).
deny_log=
if is_yes "$log_default_deny"; then
  deny_log=log
fi
# shellcheck disable=SC2086
${fwcmd} add 390 deny $deny_log ip from any to any