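#!/bin/sh
# Purpose: This firewall configuration works around numerous
# issues with the default OS X firewall configuration.
# For details on how to setup and use this configuration,
# please see the following blog post:
# http://prefetch.net/blog/index.php/2006/08/13/locking-down-the-os-x-firewall/
#
# Usage: run as root (ipfw refuses rule changes otherwise).
#
# The catch-all deny (rule 65534) is installed immediately after the
# flush, before any allow rule. ipfw evaluates rules by rule number,
# not by the order they were added, so the resulting policy is the
# same as before; the difference is that if the script aborts
# part-way through, the host is left closed rather than open under
# the built-in default rule 65535.

# Abort on the first failing command or unset variable so a partial
# rule set is never silently left behind.
set -eu

## Declare variables
IPFW="/sbin/ipfw"
LOOPBACK=lo0
readonly IPFW LOOPBACK

# Fail early with a clear message instead of letting every ipfw
# invocation error out one by one.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi
if [ ! -x "$IPFW" ]; then
  printf '%s: %s not found or not executable\n' "${0##*/}" "$IPFW" >&2
  exit 1
fi

## Flush the rules so we start with an empty pallet
"$IPFW" -f -q flush

# Deny everything by default -- installed first so the host is
# never open between the flush and the end of the script.
"$IPFW" add 65534 deny log ip from any to any

# Allow through all genuinely local packets
"$IPFW" add 00001 allow ip from any to any via "$LOOPBACK"

# Deny all spoofed local packets
"$IPFW" add 00010 deny log ip from 127.0.0.0/8 to any in
"$IPFW" add 00011 deny log ip from any to 127.0.0.0/8 in
"$IPFW" add 00012 deny log ip from 224.0.0.0/3 to any in
# Rule 00013 covers TCP only, unlike 00012 which covers all IP;
# presumably deliberate so inbound UDP multicast (e.g. mDNS/Bonjour)
# keeps working -- confirm this is the intended exposure.
"$IPFW" add 00013 deny log tcp from any to 224.0.0.0/3 in

# Allow through established connections
"$IPFW" add 00020 allow ip from any to any established

# Filter ICMP packets to only allow through some types
#"$IPFW" add 00030 allow icmp from any to any icmptypes 0,3,4,8,11,12
#"$IPFW" add 00031 deny icmp from any to any

# Allow through DNS
"$IPFW" add 00040 allow udp from me to any 53 keep-state

# Allow myself to make outgoing connections
"$IPFW" add 00050 allow tcp from me to any keep-state
"$IPFW" add 00051 allow udp from me to any keep-state

# allow through all DHCP packets
#"$IPFW" add 00060 allow udp from any to any 67
#"$IPFW" add 00061 allow udp from any to any 68

# For remote support.  This accepts SSH from any source address;
# restricting "any" to the support network's range would shrink the
# exposed surface if that range is known.
"$IPFW" add 00100 allow tcp from any to me 22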