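#! /bin/sh
#
# ipfwadm packet filter for a two-interface host:
#   eth0 - the external interface (IPADDR0 etc. are placeholders, fill in first)
#   eth1 - the internal network, masqueraded out through eth0
#
# Chains are set to deny before any rule is installed, so if a command fails
# we abort immediately rather than carry on with a partial rule set: a deny
# rule that silently failed to load would let a later accept rule match
# traffic it was meant to block.  Aborting leaves the host closed.
#
set -eu

#
# The external interface
#
IPADDR0=xxx.xxx.xxx.xxx
NETMASK0=255.255.255.xxx
NETWORK0=xxx.xxx.xxx.xxx
BROADCAST0=xxx.xxx.xxx.xxx

#
# The internal interface
#
IPADDR1=172.20.100.3
NETMASK1=255.255.0.0
NETWORK1=172.20.0.0
BROADCAST1=172.20.255.255

GATEWAY=xxx.xxx.xxx.yyy

LOADDR=127.0.0.1
LOMASK=255.0.0.0
LONET=127.0.0.0
LOBROAD=127.255.255.255

ANY=0.0.0.0/0

#
# Default policies are all deny (-I input, -O output, -F forwarding)
#
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny

#
# Flush out any old rules (if we are reloading).  Safe to do after the
# policies above: the chains are empty but still default to deny.
#
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f

#
# enable forwarding (forwarding chain already defaults to deny)
#
echo 1 >/proc/sys/net/ipv4/ip_forward

#
# Configure the interfaces
#
ifconfig lo "${LOADDR}"
route add -net "${LONET}"

ifconfig eth0 "${IPADDR0}" netmask "${NETMASK0}" broadcast "${BROADCAST0}"
route add -net "${NETWORK0}"

ifconfig eth1 "${IPADDR1}" netmask "${NETMASK1}" broadcast "${BROADCAST1}"
route add -net "${NETWORK1}"

# Only install a default route when a gateway is configured.
if [ -n "${GATEWAY}" ]; then
  route add default gw "${GATEWAY}" metric 1
fi

########################################################
# Input rules
#
# Rules are matched in order; -W names the interface the packet arrived
# on, -S/-D the source/destination, -o logs the match.
########################################################

#
# We trust stuff on our loopback interface
#
ipfwadm -I -a accept -W lo

#
# Don't allow spoofing of my source addresses
# This works because Linux routes packets to all our addresses
# through the loopback interface, and those were accepted above;
# anything carrying these addresses on eth0/eth1 is forged.
#
ipfwadm -I -a deny -S "${LONET}/${LOMASK}" -o
ipfwadm -I -a deny -D "${LONET}/${LOMASK}" -o
ipfwadm -I -a deny -S "${IPADDR0}/32" -o
ipfwadm -I -a deny -S "${IPADDR1}/32" -o

#
# Allow anything from inside if it has the correct source address
#
ipfwadm -I -a accept -W eth1 -S "${NETWORK1}/${NETMASK1}"

#
# Deny and log everything else from inside
# (deny but ignore bootp/dhcp stuff: no -o, so it is dropped without logging)
#
ipfwadm -I -a deny -W eth1 -P udp -S 0.0.0.0/32 68 -D 255.255.255.255/32 67
ipfwadm -I -a deny -W eth1 -o

#
# Now we are only dealing with our external interface ...
#

#
# Don't allow spoofing of our internal network
#
ipfwadm -I -a deny -S "${NETWORK1}/${NETMASK1}" -o

#
# Allow connections to the services we are going to provide
# (-y: match only TCP packets with SYN set, i.e. new connections)
#
ipfwadm -I -a accept -P tcp -y -D "${IPADDR0}/32" smtp ssh www ftp domain auth
ipfwadm -I -a accept -P udp -D "${IPADDR0}/32" domain ntp
ipfwadm -I -a accept -P icmp -D "${IPADDR0}/32"

#
# Allow packets to the "unreserved" ports
# NOTE: this admits any inbound TCP/UDP to ports 1024-65535 on the firewall
# host itself (no -y, so not restricted to replies).  Any service listening
# on a high port on this host is reachable from outside; keep that in mind
# when adding daemons here.
#
ipfwadm -I -a accept -P tcp -D "${IPADDR0}/32" 1024:65535
ipfwadm -I -a accept -P udp -D "${IPADDR0}/32" 1024:65535

#
# Deny and log everything else
#
ipfwadm -I -a deny -o

########################################################
# Output rules
########################################################

#
# We allow everything out
#
ipfwadm -O -a accept -W lo
ipfwadm -O -a accept -W eth1

#
# But on our external interface it must come from us
# (This is just protection against masquerade failure)
#
ipfwadm -O -a accept -W eth0 -S "${IPADDR0}/32"

#
# Hopefully nothing else
#
ipfwadm -O -a deny -o

########################################################
# Forwarding rules
########################################################

#
# Force our users to use our web proxy by not forwarding
# packets destined for web servers and other proxies
#
ipfwadm -F -a reject -W eth0 -P tcp -D "${ANY}" 80 443 3128 8080 -o

#
# Masquerade (-m) everything being forwarded out our external interface
#
ipfwadm -F -a accept -W eth0 -S "${NETWORK1}/${NETMASK1}" -m

#
# Masquerading takes care of the reply packets, so
# deny and log everything else
#
ipfwadm -F -a deny -o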