
FB-ipfw

IPFW

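##############################################################
##
# /etc/rc.conf: enable the ipfw host firewall.
firewall_enable="YES"
# The sample /etc/ipfw.conf on this page is a /bin/sh script, so it has to
# be handed to rc.d/ipfw as firewall_script (it is run with /bin/sh).
# firewall_type= is only for a file of bare ipfw rules: rc.firewall passes
# such a file straight to ipfw(8), which cannot parse shell syntax.
firewall_script="/etc/ipfw.conf"
# Optional: sets net.inet.ip.fw.verbose=1 so the final "deny log" rule
# actually produces log lines.
# firewall_logging="YES"
#
##############################################################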

IPFW sample

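#!/bin/sh
#
# /etc/ipfw.conf -- host firewall rules for FreeBSD ipfw(8).
#
# Run by /etc/rc.d/ipfw when rc.conf points firewall_script at this file.
# (A /bin/sh script cannot be loaded through firewall_type=, which hands
# the file to ipfw as a plain rule list.)
#
# Layout: loopback/anti-spoof -> stateful core -> per-service inbound
# allows -> catch-all deny+log. Rule numbers leave gaps for later inserts.
# Only inbound per-service rules are listed: rule 70 already passes every
# outbound packet, so per-port "out" rules placed after it are never
# reached. If outbound is ever restricted, re-add them.

# rule NUMBER RULE...: append one rule, quietly.
rule() {
	/sbin/ipfw -q add "$@"
}

# Start from an empty rule set.
# NOTE: with a default-deny kernel (no IPFIREWALL_DEFAULT_TO_ACCEPT) every
# packet is dropped between this flush and the rules below, which kills an
# interactive ssh session that runs this script by hand; reload via
# `service ipfw restart` (or under nohup) instead.
/sbin/ipfw -q -f flush

# --- loopback and anti-spoofing --------------------------------------
rule 10 allow all from any to any via lo0
# 127/8 must never appear on a real interface in either direction.
rule 20 deny all from any to 127.0.0.0/8
rule 30 deny all from 127.0.0.0/8 to any
# Drop non-first TCP fragments: they carry no TCP header, so the
# port-based rules below cannot inspect them.
rule 40 deny tcp from any to any frag

# --- stateful core ----------------------------------------------------
# Match packets against dynamic rules created by keep-state (rule 70).
rule 50 check-state
# CAVEAT: this passes any inbound TCP segment that merely has ACK or RST
# set, regardless of dynamic state, so ACK scans and crafted segments can
# reach every port. It is kept only so long-idle outbound connections
# survive dynamic-rule expiry (net.inet.ip.fw.dyn_ack_lifetime); prefer
# raising that sysctl and removing this rule.
rule 60 allow tcp from any to any established
# Everything this host initiates is allowed and tracked; replies return
# through rule 50.
rule 70 allow all from any to any out keep-state
# All ICMP types are allowed, including redirects (type 5). Narrow to the
# types actually needed, e.g. `icmptypes 0,3,8,11`, unless the full set
# is required.
rule 80 allow icmp from any to any

# --- inbound services -------------------------------------------------
## ftp (20,21)
# Inbound to port 20 is normally unnecessary: active-mode data connections
# originate from this host (covered by rule 70) and passive mode uses the
# server's passive port range instead. Verify against the ftpd config.
rule 100 allow tcp from any to any 20 in
rule 120 allow tcp from any to any 21 in
## ssh (22)
rule 140 allow tcp from any to any 22 in
## smtp (25)
rule 160 allow tcp from any to any 25 in
## dns (53)
# Only needed if this host serves DNS. A resolver reachable from "any" is
# an amplification vector; restrict the source if it is recursive.
rule 180 allow udp from any to any 53 in
rule 185 allow tcp from any to any 53 in
## http (80)
rule 200 allow tcp from any to any 80 in
## ntp (123)
# NTP is UDP, so the original "allow tcp ... 123" rules never matched.
# As an NTP client this host needs nothing here: rule 70 keeps state for
# its outbound queries. Uncomment only if this host serves time to others.
# rule 1010 allow udp from any to any 123 in
## https (443)
rule 1030 allow tcp from any to any 443 in
## submission (587)
# Listed once; the original added rules 1050/1060 twice, creating
# duplicate rules.
rule 1050 allow tcp from any to any 587 in
## imaps (993)
# rule 1070 allow tcp from any to any 993 in

# --- catch-all ---------------------------------------------------------
# "log" only produces output with net.inet.ip.fw.verbose=1
# (firewall_logging="YES" in rc.conf); net.inet.ip.fw.verbose_limit caps
# log lines per rule.
rule 9000 deny log all from any to any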

delay &

# Three alternative dummynet profiles for the same pipe. Each "config"
# replaces the previous one, so running all three leaves only the last
# in effect: pick one. A pipe only shapes traffic that a rule sends into
# it (`ipfw add NNN pipe 1 ...`); no such rule appears on this page, so
# add one (and make sure dummynet(4) is loaded) before testing.

# 1 Mbit/s, 80 ms delay, 10% packet loss (roughly a usable LTE link)
ipfw pipe 1 config bw 1Mbit/s delay 80ms plr 0.1

# 180 kbit/s, 300 ms delay, 30% packet loss (roughly a slow MVNO link)
ipfw pipe 1 config bw 180Kbit/s delay 300ms plr 0.3

# 100 kbit/s, 800 ms delay, 50% packet loss (congested, packets stalling)
ipfw pipe 1 config bw 100Kbit/s delay 800ms plr 0.5

Tips: http://murasaki.cocolog-nifty.com/cloud/2009/08/ipfw-a0b2.html