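#!/bin/sh
#
# ipfw ruleset for a NAT'ing WireGuard gateway with a single uplink ($vif).
#
# ipfw orders rules by number, not by the order they are added, so the
# numbering below is the policy:
#   10-11     loopback and the WireGuard tunnel interface are trusted
#   99-101    reassemble inbound fragments, inbound NAT, dynamic-rule lookup
#   110-280   outbound policy: each permitted flow creates state and jumps
#             ("skipto") to the outbound NAT rule at 1000
#   299       log + drop everything else leaving $vif
#   300-332   inbound hygiene: private/bogon sources, noisy ports,
#             leftover fragments, stray non-SYN TCP
#   370-702   inbound services actually offered: DHCP replies, SSH, WireGuard
#   999       log + drop everything else arriving on $vif
#   1000      outbound NAT
#
# NOTE(review): "ipfw -q -f flush" removes every rule before the new ones
# are added. On a kernel with a default-deny policy that closes any remote
# session for the rest of the run; load this from the console or through
# rc(8) (firewall_script), not from an interactive SSH shell.
#
# $cmd and $skip are deliberately left unquoted: they expand to several
# words and word splitting is how the rule text is assembled.
# shellcheck disable=SC2086
#
# No "set -e" on purpose: a single rejected rule is reported by ipfw, and
# loading continues so the closing deny rules (299, 999) are still installed.

set -u   # an unset variable here would silently produce a wrong rule

ipfw -q -f flush

# POSIX sh: no spaces around "=" or the line runs "cmd" as a command.
cmd="ipfw -q add"        # prefix for every rule; -q keeps the load quiet
vif="xn0"                # uplink interface (Xen virtual NIC)
skip="skipto 1000"       # hand a permitted outbound flow to the NAT rule
ssh_port="22"            # inbound SSH port accepted at rule 700
pub_dns="1.1.1.1"        # the only resolver clients may reach directly
wg_port="9201"           # WireGuard listen port
wg_subnet="10.10.0.0/24" # address range handed to WireGuard peers
wg_iface="wg0"           # WireGuard tunnel interface

# Packets must re-enter the ruleset after the NAT action; the skipto/NAT
# pattern below depends on it.
ipfw disable one_pass

# One NAT instance bound to the uplink. unreg_only translates only private
# (unregistered) source addresses; reset clears the translation table when
# the interface address changes (ipfw(8)).
ipfw -q nat 1 config if $vif same_ports unreg_only reset

# Trusted interfaces: loopback and the WireGuard tunnel itself.
$cmd 00010 allow ip from any to any via lo0
$cmd 00011 allow ip from any to any via $wg_iface

# Reassemble inbound fragments before anything else looks at them; what is
# still fragmented after this is dropped at 330.
$cmd 00099 reass all from any to any in

# Un-NAT inbound packets first so the dynamic rules (keyed on the internal
# addresses recorded by keep-state) can match at 101.
$cmd 00100 nat 1 ip from any to any in via $vif
$cmd 00101 check-state

# ---- outbound via $vif: permitted flows create state and jump to NAT ----

# DNS (TCP and UDP) only to the configured resolver.
$cmd 00110 $skip tcp from any to $pub_dns dst-port 53 out via $vif setup keep-state
$cmd 00111 $skip udp from any to $pub_dns dst-port 53 out via $vif keep-state

# DHCP client requests from this host.
$cmd 00120 $skip udp from me 68 to any dst-port 67 out via $vif keep-state

# Web.
$cmd 00200 $skip tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 $skip tcp from any to any dst-port 443 out via $vif setup keep-state

# Mail submission. "from any" includes every NAT'd WireGuard client, so any
# peer can open port 25 to arbitrary hosts; restrict to specific relays if
# that is not intended.
$cmd 00230 $skip tcp from any to any dst-port 25 out via $vif setup keep-state
$cmd 00231 $skip tcp from any to any dst-port 465 out via $vif setup keep-state
$cmd 00232 $skip tcp from any to any dst-port 587 out via $vif setup keep-state

# WireGuard: replies from the local listen port, plus whatever the tunnel
# clients send out (these are the flows NAT'd at 1000).
$cmd 00233 $skip udp from any to any src-port $wg_port out via $vif keep-state
$cmd 00234 $skip udp from $wg_subnet to any out via $vif keep-state
$cmd 00235 $skip tcp from $wg_subnet to any out via $vif setup keep-state

# ICMP, time (37), NTP and outbound SSH.
$cmd 00250 $skip icmp from any to any out via $vif keep-state
$cmd 00260 $skip tcp from any to any dst-port 37 out via $vif setup keep-state
$cmd 00270 $skip udp from any to any dst-port 123 out via $vif keep-state
$cmd 00280 $skip tcp from any to any dst-port 22 out via $vif setup keep-state

# Anything else leaving the uplink is logged and dropped.
$cmd 00299 deny log ip from any to any out via $vif

# ---- inbound via $vif ----

# Drop packets claiming a private, loopback, link-local, documentation,
# multicast or otherwise unroutable source.
# NOTE(review): on a cloud/Xen host the gateway or DHCP server on $vif is
# often itself in 10/8 or 172.16/12; if so, these rules drop its traffic
# (including the DHCP replies 370 is meant to accept) -- verify the
# upstream addresses before relying on this list.
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny all from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif

# All inbound ICMP is accepted (listed here in numeric order; it sits
# between 308 and 315 regardless of where it appears in this file).
# Consider limiting it with "icmptypes 0,3,8,11" to echo, unreachable and
# time-exceeded if unsolicited ICMP is not wanted.
$cmd 00310 allow icmp from any to any in via $vif

# Noisy/unwanted services: ident, NetBIOS, and port 81.
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif

# Fragments that survived reassembly at 99.
$cmd 00330 deny ip from any to any frag in via $vif

# Non-SYN TCP that did not match a dynamic rule at 101 belongs to no
# connection we opened; drop it silently.
$cmd 00332 deny tcp from any to any established in via $vif

# DHCP replies to this host.
$cmd 00370 allow udp from any 67 to me dst-port 68 in via $vif keep-state

# SSH: new connections only (setup), at most two concurrent sessions per
# source address.
$cmd 700 allow tcp from any to me dst-port $ssh_port in via $vif setup limit src-addr 2

# WireGuard listen port. Destination is "me" (as in 700) rather than "any":
# the tunnel terminates on this host, so nothing addressed elsewhere should
# be let in on this port.
$cmd 702 allow udp from any to me dst-port $wg_port in via $vif keep-state

# Anything else arriving on the uplink is logged and dropped.
$cmd 999 deny log ip from any to any in via $vif

# Outbound NAT, reached via skipto from the permitted outbound rules.
$cmd 1000 nat 1 ip from any to any out via $vif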