#!/bin/sh
#
# /etc/firewall.sh
#
# Rebuilds the ipfw ruleset from scratch: loopback allowances, anti-spoofing
# and service filters bound to ${wif}, a NAT divert on ${wif}, then a
# catch-all pass rule.  Apart from the last rule, rules are auto-numbered by
# ipfw in the order they are added, so the order below is the evaluation
# order.

fwcmd=/sbin/ipfw

# Interface names.  Only ${wif} is referenced by the rules in this script;
# ${tif} and ${lif} are assigned but not used here.
# NOTE(review): wif is presumably the external (Internet-facing) interface,
# since NAT and the anti-spoofing rules are bound to it - confirm.
tif="tun0"
lif="fxp0"
wif="de0"

# Drop every existing rule; -f suppresses the confirmation prompt.
# NOTE(review): until the rules below are re-added, only the kernel's
# built-in default rule applies.  If that default is deny, a remote session
# used to run this script can be cut off mid-reload - confirm the kernel
# default before running this over the network.
"${fwcmd}" -f flush

# Loopback: allow everything on lo0 and host-to-self traffic on 127.0.0.1.
"${fwcmd}" add pass all from any to any via lo0
"${fwcmd}" add pass all from 127.0.0.1 to 127.0.0.1

# Loopback destinations have no business crossing ${wif}.
# NOTE(review): only the destination side is matched; no visible rule drops
# packets on ${wif} whose *source* is in 127.0.0.0/8.
"${fwcmd}" add deny all from any to 127.0.0.0/8 via "${wif}"

# RFC 1918 private ranges: reject them as a source on packets received on
# ${wif} (spoofing) ...
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  "${fwcmd}" add deny all from "${net}" to any in recv "${wif}"
done

# ... and as a destination on packets transmitted via ${wif} (leaks of
# private addressing).  These rules sit before the divert rule, so they see
# packets before natd rewrites them.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  "${fwcmd}" add deny all from any to "${net}" out xmit "${wif}"
done

# Drop packets carrying strict or loose source-route IP options, on any
# interface.
"${fwcmd}" add deny all from any to any ipoptions ssrr,lsrr

# Block file-sharing and RPC service ports on ${wif}: NetBIOS (137-139),
# SMB (445), portmapper (111) and AFP (548).  The tcp rule is added first,
# then the udp rule.
for proto in tcp udp; do
  "${fwcmd}" add deny "${proto}" from any to any 137-139,445,111,548 via "${wif}"
done

# Hand all remaining IP traffic on ${wif} to natd for address translation.
# NOTE(review): ipfw drops diverted packets when nothing is listening on the
# divert port - confirm natd is started alongside this script.
"${fwcmd}" add divert natd ip from any to any via "${wif}"

# Final explicit rule: pass everything that was not denied above.
# NOTE(review): this makes the policy default-allow on every interface; the
# only inbound filtering on ${wif} is the deny list above.  A default-deny
# policy with explicit allows would be the tighter posture - confirm the
# open default is intended.
"${fwcmd}" add 65000 pass all from any to any