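#!/bin/sh
# ipfw configuration for a cluster with a master node and many compute nodes.
# The master node acts as the gateway (NAT) for the compute nodes in the LAN
# (192.168.0.0/24).
#
# A jail running on one of the compute nodes with address 192.168.0.118 is to be
# accessible from the outside (using redirect_addr 192.168.0.118
# 129.173.118.118). The address 129.173.118.118 is an alias for the WAN
# interface that will only be used to direct traffic to this jail.
#
# Incoming traffic on port 44622 should be redirected to port 22 on the compute
# node with address 192.168.0.101.
#
# No outgoing traffic is to be blocked from either the master node or the
# compute nodes.
#
# Requires net.inet.ip.fw.one_pass=0: the nat rules below rely on the packet
# continuing to the following rules (check-state / skipto / final allow) after
# translation. The script sets the sysctl itself instead of assuming it.

# Stop at the first failing command and on any unset variable, so a rejected
# rule is noticed instead of being silently skipped while the rest is loaded.
set -eu

lanif="bge0"
wanif="bge1"

# Run one ipfw command quietly. A function replaces the former unquoted
# "$cmd" expansion, which depended on word-splitting of "/sbin/ipfw -q".
fw() {
  /sbin/ipfw -q "$@"
}

# The rule set below is only correct when packets keep traversing the rules
# after a nat rule has rewritten them.
/sbin/sysctl net.inet.ip.fw.one_pass=0 >/dev/null

# flush existing rules
fw -f flush

# nat instance 1, shared by the inbound rule below and the outbound rule at
# 10000:
#   reset          - drop the alias table when the WAN address changes
#   same_ports     - keep the original source port where possible
#   unreg_only     - only translate packets from unregistered (private) sources
#   redirect_port  - WAN port 44622 -> 192.168.0.101:22
#   redirect_addr  - WAN alias 129.173.118.118 <-> jail 192.168.0.118 (1:1)
fw nat 1 config if "$wanif" \
  reset \
  same_ports \
  unreg_only \
  redirect_port tcp 192.168.0.101:22 44622 \
  redirect_addr 192.168.0.118 129.173.118.118

# set up loopback: allow lo0, refuse loopback addresses on any other path
fw add allow all from any to any via lo0
fw add deny all from any to 127.0.0.0/8
fw add deny ip from 127.0.0.0/8 to any

# no restrictions on bridge0 or tun0
fw add allow all from any to any via bridge0
fw add allow all from any to any via tun0

# no restrictions on lanif
fw add allow all from any to any via "$lanif"

# catch spoofing from outside.
# Placed after the per-interface allows above, so it only sees packets
# arriving on the remaining interfaces (in practice the WAN side).
fw add deny ip from any to any in not antispoof

# incoming traffic that needs nat: undo the translation before any state or
# policy check so the rules below see the real LAN destination
fw add nat 1 ip4 from any to me in recv "$wanif"

# this rule must be directly after incoming nat: the dynamic rules created by
# the outbound keep-state rules below hold the pre-NAT (LAN) addresses, which
# is what a reply looks like once the rule above has un-translated it
fw add check-state

# outgoing traffic to block here

# allow all other outgoing connections by skipping processing to the outbound
# nat rule, 10000; keep-state lets the replies in via check-state
fw add skipto 10000 tcp from any to any out xmit "$wanif" setup keep-state
fw add skipto 10000 udp from any to any out xmit "$wanif" keep-state

# incoming (services on the master node itself)
# NOTE(review): 44422 here versus 44622 in the redirect_port above - confirm
# that the master really listens on 44422 and this is not a typo.
fw add allow tcp from any to me 80,443,44422 in recv "$wanif" setup keep-state

# Rules for allowing packets to services which are listening on a LAN
# interface behind the NAT.
# NOTE(review): the inbound nat rule above has already rewritten the
# destination to 192.168.0.101:22 (redirect_port), so a match on port 44622 at
# this point is not expected to fire; the forwarded traffic is currently
# admitted by the final catch-all rule instead. Check the counters with
# "ipfw show" and match on the translated destination if a dedicated rule is
# wanted.
fw add skipto 10000 tcp from any to any 44622 in recv "$wanif" setup keep-state

# nat for outgoing packets
fw add 10000 nat 1 ip4 from any to any out xmit "$wanif"
#fw add 10000 nat 1 ip4 from 192.168.0.0/24 to any out

# allow anything else on the WAN interface.
# NOTE(review): "via" matches both directions, so every inbound packet on
# $wanif that reaches this point is accepted - the post-NAT traffic to
# 192.168.0.118 (all ports) and 192.168.0.101:22, but also anything not listed
# in the "incoming" rules above; the 80,443,44422 allow is therefore only a
# fast path, not a restriction. If inbound is meant to be whitelist-only, split
# this into "allow ... out xmit $wanif" and "deny ... in recv $wanif" and add
# explicit allows for the translated destinations.
fw add allow ip from any to any via "$wanif"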