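#!/bin/sh
#
# packet filter + NAT configuration script (Linux & FreeBSD) v 3.1
# by Magda Cien
# (based on rc.firewall by Gary Stanley (ancient@bofh.cet.net))
# Thanks to the rest of BugzPL for support (alphabetical order) - arkth,
# Crashkiller, jerry, MIV, razor
#
# 1) Linux - ipfwadm is used with kernels 2.0.x, and ipchains with 2.2.x
#    (you don't need to delete the rest of the script -
#    detection will be automatic =] ). You have to
#    recompile the kernel with the appropriate options (I think it's well
#    documented in the kernel config program) before setting up
#    a packet filter. You may use this script INSTEAD of rc.firewall.
#    Tested on Linux 2.0.36 and 2.2.9-17pre6 (Debian/RH)
# 2) FreeBSD - You'll need IPFIREWALL, IPFIREWALL_VERBOSE (if you want to log
#    the packets via syslog) and (for NAT) IPDIVERT options in the kernel
#    conf. After recompile you may run this script FROM rc.firewall
#    (setting firewall_enable="YES" in /etc/rc.conf) - e.g. by making
#    there a special type "ipfirewall" (firewall_type="ipfirewall"
#    in /etc/rc.conf is also required).
#    The last thing - remember, if you're setting NAT on an interface
#    it has to be ALREADY CONFIGURED. So if you're using ppp (tun0)
#    run the script after establishing a connection, or better comment
#    this thing out and use the '-nat' option in the ppp program (ppp(8)).
#    Tested on FreeBSD 4.0-RELEASE & 4.1.1-RELEASE
#
# Usage: run as root, no arguments.  Exit status is 0 when a rule set was
# loaded and 1 when the OS / kernel is not one this script knows about
# (earlier versions exited 0 in that case and silently left the host
# without any filter).  Kernels newer than 2.2 (iptables/nftables) are NOT
# handled here.
#
# 'set -e' is deliberately not used: one rule failing to load would abort
# the script and leave a half-built chain behind.
set -u

SYSTEM=$(uname)
VERSION=$(uname -r)

# Linux specific
IP="192.168.1.1"
IPFWADM="/sbin/ipfwadm"
IPCHAINS="/sbin/ipchains"
IFACE="eth0"
MASK="255.255.255.0"
NET="192.168.1.0"

# FreeBSD specific
#IPFW="/sbin/ipfw"
IPFW="/sbin/ipfw -q"   # program AND its option; expanded unquoted on purpose
NATD="/sbin/natd"
IFACEA="ed0"           # inside (LAN) interface
IFACEB="tun0"          # outside (ppp) interface

# LAN hosts allowed to use NAT / masquerading ("selective forwarding").
# Should be combined with a static arp table - the source address is all
# that ties a rule to a machine.
NAT_HOSTS="192.168.1.2 192.168.1.5 192.168.1.6 192.168.1.8 192.168.1.9"

# Ports rejected (with logging) on the outside.  In order:
#   NetBEUI / NetBIOS (samba) 139, MS-SQL 1433, NFS 2049, PostgreSQL 5432,
#   SOCKS/Wingate 1080, then the usual trojan/backdoor ports
#   (NetBus | BO | Prosiak | Bowl | Girlfriend | Remoteadmin etc).
# The same lists feed all three back ends, so they stay in sync.
REJECT_TCP="139 1433 2049 5432 1080 \
555 666 999 1234 1981 1999 2000 4590 5000 5001 5556 5557 6776 6969 \
7300 7301 7306 7307 7308 11000 12345 12346 20034 21554 22222 23456 \
31337 31338 33333 40421 44444 53001 54321 60000 61466 65000"
REJECT_UDP="139 1433 2049 5432 1080 1349 1981 31337 31338"
# sunrpc / portmapper (111) is intentionally NOT in the lists above (it was
# commented out in earlier versions); add it to both lists to reject it.

# X11 display ports are silently dropped (deny) rather than rejected.
X11_PORTS_LINUX="5999:6003"
X11_PORTS_BSD="5999-6003"

# Unprivileged range accepted by default (tcp, udp).  1020 rather than
# 1024 because "if it be 1024 ssh isn't working right for me".
HIGH_PORTS_LINUX="1020:65535"
HIGH_PORTS_BSD="1020-65535"

# Services opened to the outside: smtp 25, dns 53 (tcp/udp), pop3 110,
# auth 113, https 443.  ftp-data (20), ftp (21) and www (80) are
# deliberately not opened here; add them if you need them.  The FreeBSD
# rule set additionally opens www (see Bezdech).
ACCEPT_TCP="25 53 110 113 443"
ACCEPT_UDP="53"

#######################################
# Linux 2.2.x: load the rule set with ipchains.
# Globals:   IPCHAINS, IFACE, NAT_HOSTS, REJECT_TCP, REJECT_UDP,
#            X11_PORTS_LINUX, HIGH_PORTS_LINUX, ACCEPT_TCP, ACCEPT_UDP (read)
# Outputs:   progress message on stdout
# Returns:   0
#######################################
Ipchains () {
  printf '%s' "Setting filtering policy (ipchains): "
  # flush
  "$IPCHAINS" -F input
  "$IPCHAINS" -F output
  "$IPCHAINS" -F forward
  # full access for localhost
  "$IPCHAINS" -A input -i lo -j ACCEPT
  # full access for our LAN
  "$IPCHAINS" -A input -i "$IFACE" -j ACCEPT
  # -----------------------------------
  # masquerading for the whole LAN
  #$IPCHAINS -A forward -s $NET/$MASK -d 0/0 -j MASQ
  # selective forwarding (should be combined with static arp table)
  for host in $NAT_HOSTS; do
    "$IPCHAINS" -A forward -s "$host" -d 0.0.0.0/0 -j MASQ
  done
  # -----------------------------------
  # Place for trusted sites
  # -----------------------------------
  # Place for banned sites
  # -----------------------------------
  # rejecting and logging packets to some specific services - tcp/udp
  # (all of these precede the accept rules below, so their relative order
  # does not matter)
  for port in $REJECT_TCP; do
    "$IPCHAINS" -A input -p tcp -s 0/0 -d 0/0 "$port" -j REJECT -l
  done
  for port in $REJECT_UDP; do
    "$IPCHAINS" -A input -p udp -s 0/0 -d 0/0 "$port" -j REJECT -l
  done
  # sunrpc
  #$IPCHAINS -A input -p tcp -s 0/0 -d 0/0 111 -j REJECT -l
  #$IPCHAINS -A input -p udp -s 0/0 -d 0/0 111 -j REJECT -l
  # X11disp
  "$IPCHAINS" -A input -p tcp -s 0/0 -d 0/0 "$X11_PORTS_LINUX" -j DENY -l
  "$IPCHAINS" -A input -p udp -s 0/0 -d 0/0 "$X11_PORTS_LINUX" -j DENY -l
  # -----------------------------------
  # default is to accept everything above 1020 (tcp,udp)
  # NOTE(review): ipchains has no connection tracking, so this also admits
  # NEW inbound connections to any high port, not only replies; "! -y"
  # on the tcp rule would restrict it to non-SYN packets.
  "$IPCHAINS" -A input -p tcp -s 0/0 -d 0/0 "$HIGH_PORTS_LINUX" -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0/0 -d 0/0 "$HIGH_PORTS_LINUX" -j ACCEPT
  # accept connections for the published services
  for port in $ACCEPT_TCP; do
    "$IPCHAINS" -A input -p tcp -s 0/0 -d 0/0 "$port" -j ACCEPT
  done
  for port in $ACCEPT_UDP; do
    "$IPCHAINS" -A input -p udp -s 0/0 -d 0/0 "$port" -j ACCEPT
  done
  # accept (and log) all icmp packets - every ICMP type, not just echo
  "$IPCHAINS" -A input -p icmp -s 0/0 -d 0/0 -j ACCEPT -l
  # -----------------------------------
  # default settings: anything not matched above is dropped on input and
  # forward; output is unrestricted
  "$IPCHAINS" -A input -j DENY
  "$IPCHAINS" -A output -j ACCEPT
  "$IPCHAINS" -A forward -j DENY
  printf 'set.\n'
  return 0
}

#######################################
# Linux 2.0.x: load the rule set with ipfwadm.
# Globals:   IPFWADM, IFACE, NAT_HOSTS, REJECT_TCP, REJECT_UDP,
#            X11_PORTS_LINUX, HIGH_PORTS_LINUX, ACCEPT_TCP, ACCEPT_UDP (read)
# Outputs:   progress message on stdout
# Returns:   0
#######################################
Ipfwadm () {
  printf '%s' "Setting filtering policy (ipfwadm): "
  # flush
  "$IPFWADM" -I -f
  "$IPFWADM" -O -f
  "$IPFWADM" -F -f
  # full access for localhost
  "$IPFWADM" -I -W lo -a accept
  # full access for our LAN
  "$IPFWADM" -I -W "$IFACE" -a accept
  # -----------------------------------
  # masquerading for the whole LAN
  #$IPFWADM -F -b -S $NET/$MASK -D 0.0.0.0/0 -a masquerade
  # selective forwarding (should be combined with static arp table)
  for host in $NAT_HOSTS; do
    "$IPFWADM" -F -b -S "$host" -D 0.0.0.0/0 -a masquerade
  done
  # -----------------------------------
  # Place for trusted sites
  # -----------------------------------
  # Place for banned sites
  # -----------------------------------
  # rejecting and logging packets to some specific services - tcp/udp
  for port in $REJECT_TCP; do
    "$IPFWADM" -I -P tcp -b -S 0.0.0.0/0 -D 0.0.0.0/0 "$port" -a reject -o
  done
  for port in $REJECT_UDP; do
    "$IPFWADM" -I -P udp -b -S 0.0.0.0/0 -D 0.0.0.0/0 "$port" -a reject -o
  done
  # sunrpc
  #$IPFWADM -I -P tcp -b -S 0.0.0.0/0 -D 0.0.0.0/0 111 -a reject -o
  #$IPFWADM -I -P udp -b -S 0.0.0.0/0 -D 0.0.0.0/0 111 -a reject -o
  # X11disp
  "$IPFWADM" -I -P tcp -b -S 0.0.0.0/0 -D 0.0.0.0/0 "$X11_PORTS_LINUX" -a deny -o
  "$IPFWADM" -I -P udp -b -S 0.0.0.0/0 -D 0.0.0.0/0 "$X11_PORTS_LINUX" -a deny -o
  # -----------------------------------
  # default is to accept everything above 1020 (tcp,udp)
  # NOTE(review): no state tracking - new inbound connections to high
  # ports are admitted as well, not only replies.
  "$IPFWADM" -I -P tcp -D 0.0.0.0/0 "$HIGH_PORTS_LINUX" -a accept
  "$IPFWADM" -I -P udp -D 0.0.0.0/0 "$HIGH_PORTS_LINUX" -a accept
  # accept connections for the published services
  for port in $ACCEPT_TCP; do
    "$IPFWADM" -I -P tcp -D 0.0.0.0/0 "$port" -a accept
  done
  for port in $ACCEPT_UDP; do
    "$IPFWADM" -I -P udp -D 0.0.0.0/0 "$port" -a accept
  done
  # accept (and log) all icmp packets
  "$IPFWADM" -I -P icmp -b -S 0.0.0.0/0 -D 0.0.0.0/0 -a accept -o
  # -----------------------------------
  # default policies: deny input and forward, accept output
  "$IPFWADM" -I -p deny
  "$IPFWADM" -O -p accept
  "$IPFWADM" -F -p deny
  printf 'set.\n'
  return 0
}

#######################################
# FreeBSD: load the rule set with ipfw and start natd on the outside
# interface.
# Globals:   IPFW, NATD, IP, IFACEA, IFACEB, NAT_HOSTS, REJECT_TCP,
#            REJECT_UDP, X11_PORTS_BSD, HIGH_PORTS_BSD, ACCEPT_TCP,
#            ACCEPT_UDP (read)
# Outputs:   progress message on stdout
# Returns:   0
#######################################
# shellcheck disable=SC2086  # $IPFW is "/sbin/ipfw -q" and must word-split
Bezdech () {
  printf '%s' "Setting filtering policy (ipfw): "
  # flush
  $IPFW -f flush
  # full access for localhost; loopback addresses arriving elsewhere are bogus
  $IPFW add 100 pass all from any to any via lo0
  $IPFW add 200 deny all from any to 127.0.0.0/8
  # full access for our LAN
  #$IPFW add 300 pass all from $NET:$MASK to $IP
  $IPFW add 300 pass all from any to any via "$IFACEA"
  # -----------------------------------
  # NAT (masquerading).  natd is started with logging (-l, -log_denied to
  # the auth facility), -d (deny incoming), -m, -u, on $IFACEB, -dynamic.
  /sbin/sysctl -n -w net.inet.ip.forwarding=1
  "$NATD" -l -d -log_denied -log_facility auth -m -u -n "$IFACEB" -dynamic
  #$IPFW add divert natd all from $NET:$MASK to any out
  $IPFW add divert natd all from any to "$IP" in
  # selective forwarding (should be combined with static arp table)
  for host in $NAT_HOSTS; do
    $IPFW add divert natd all from "$host" to any out
  done
  # -----------------------------------
  # Place for trusted sites
  # -----------------------------------
  # Place for banned sites
  # -----------------------------------
  # rejecting and logging packets to some specific services - tcp/udp
  for port in $REJECT_TCP; do
    $IPFW add reject log tcp from any to any "$port" via "$IFACEB" in
  done
  for port in $REJECT_UDP; do
    $IPFW add reject log udp from any to any "$port" via "$IFACEB" in
  done
  # sunrpc
  #$IPFW add reject log tcp from any to any 111 via $IFACEB in
  #$IPFW add reject log udp from any to any 111 via $IFACEB in
  # X11disp
  $IPFW add deny log tcp from any to any "$X11_PORTS_BSD" via "$IFACEB" in
  $IPFW add deny log udp from any to any "$X11_PORTS_BSD" via "$IFACEB" in
  # -----------------------------------
  # default is to accept everything above 1020 (tcp,udp)
  # (the old comment said 1200; the rule has always used 1020)
  # NOTE(review): this admits new inbound connections to high ports too;
  # ipfw's "established" keyword would limit the tcp rule to replies.
  $IPFW add pass tcp from any to any "$HIGH_PORTS_BSD" via "$IFACEB" in
  $IPFW add pass udp from any to any "$HIGH_PORTS_BSD" via "$IFACEB" in
  # accept connections for the published services
  for port in $ACCEPT_TCP; do
    $IPFW add pass tcp from any to any "$port" via "$IFACEB" in
  done
  for port in $ACCEPT_UDP; do
    $IPFW add pass udp from any to any "$port" via "$IFACEB" in
  done
  # www - opened on FreeBSD only (the Linux rule sets keep it closed)
  $IPFW add pass tcp from any to any 80 via "$IFACEB" in
  # accept all icmp packets
  $IPFW add pass icmp from any to any via "$IFACEB" in
  # -----------------------------------
  # default settings: output is unrestricted; whatever is not matched
  # above falls through to the kernel's built-in default rule
  $IPFW add pass all from any to any out
  #$IPFW add 65000 reject all from any to any
  printf 'set.\n'
  return 0
}

#######################################
# Linux: enable forwarding and reverse-path filtering, then pick the
# filter tool by kernel version.
# Globals:   VERSION (read)
# Outputs:   diagnostics on stderr
# Returns:   0 via Ipchains/Ipfwadm; exits 1 on an unsupported kernel
#######################################
Linuch () {
  # IP forward
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # IP spoofing protection on every interface.  The value 2 is kept from
  # the original ("adding 2 provides the best means to drop spoofing").
  # NOTE(review): on 2.6+ kernels 2 selects "loose" reverse-path
  # filtering, which is weaker than 1 ("strict") - confirm before reuse.
  for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
    if [ ! -e "$file" ]; then
      # glob did not match: this kernel has no rp_filter knob
      printf 'warning: %s not found, spoofing protection NOT enabled\n' \
        "$file" >&2
      continue
    fi
    echo 2 > "$file"
  done
  # Ignore ICMP broadcasts
  #for file in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; do
  #  echo 1 > "$file"
  #done
  case "$VERSION" in
    2.2.*) Ipchains ;;
    2.0.*) Ipfwadm ;;
    *)
      # was a silent 'exit 0': the host ended up with NO filter at all
      printf 'unsupported Linux kernel %s: no filter loaded\n' "$VERSION" >&2
      exit 1
      ;;
  esac
}

case "$SYSTEM" in
  Linux)   Linuch ;;
  FreeBSD) Bezdech ;;
  *)
    printf 'unsupported system %s: no filter loaded\n' "$SYSTEM" >&2
    exit 1
    ;;
esac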