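#!/bin/sh
#
# ipfw ruleset for this host ("bipolar").
#
# Layout: flush, then loopback/state housekeeping, then an allow-list of
# outbound ports on the public interface, then an allow-list of inbound
# peers/ports, then a deny-everything-else lock-down for that interface.
# Rule numbers are kept stable so they can be referenced from `ipfw show`.
#
# Usage: run as root.  OIF overrides the public interface (default: xl0).
#
# Note: ipfw -q suppresses the per-rule output, which also hides a rule that
# was rejected.  Every ipfw call therefore goes through fw(), which reports a
# failed rule on stderr and makes the script exit non-zero at the end instead
# of aborting halfway through a freshly flushed ruleset.

set -u

# public (Internet-facing) interface; every "via" rule below uses it
oif=${OIF:-xl0}

# count of rules ipfw refused to install; reported at the end
failed=0

# fw -- run one ipfw command quietly; on failure report the rule text and
# keep going so the remaining rules (including the lock-down) still load.
fw() {
  if ! ipfw -q "$@"; then
    printf 'ipfw failed: %s\n' "$*" >&2
    failed=$((failed + 1))
  fi
}

######
## starting off, delete all existing rules
######
fw -f flush

#########
# free interfaces
##########

#loopback device
fw add 00020 allow all from any to any via lo0

#check if any dynamic rules are applicable
fw add 00030 check-state

#block all packet fragments (this had been changed to ip before)
fw add 00040 deny all from any to any frag

#allow all tcp connections to the machine and show we are ready to move tcp packets
# NOTE(review): "established" is stateless -- it matches any TCP segment with
# ACK or RST set, on any interface and in either direction, regardless of the
# keep-state entries created below.  As a result the lock-down rules 01000 and
# 02000 effectively only see connection-opening segments.  Since rules 00030
# (check-state) and the keep-state rules already admit reply traffic for
# legitimate flows, this rule looks unnecessary; review whether it is still
# needed before dropping it, as it may have been kept for a reason.
fw add 00050 allow tcp from any to any established

#allow bipolar to connect to the DNS to convert names to ip addresses
fw add 00070 allow udp from me to any dst-port 53 via "$oif" keep-state

#########
##public interface outbound
##
##to limit portscanning all outgoing connections must be listed here
##########

#allow http, https access out
fw add 00210 allow tcp from me to any dst-port 80,8080,8010,443,8443 via "$oif" keep-state

#allow ssh out of the machine
fw add 00220 allow tcp from me to any dst-port 22 via "$oif" keep-state

#allow it to ftp out
fw add 00230 allow tcp from me to any dst-port 20,21 via "$oif" keep-state

#allow out email
fw add 00240 allow tcp from me to any dst-port 25 via "$oif" keep-state

#allow out nntp (news)
fw add 00250 allow tcp from me to any dst-port 119 via "$oif" keep-state

#allow out mysql (bart wants to access outside dbs)
fw add 00260 allow tcp from me to any dst-port 3306 via "$oif" keep-state

#########
##
##incoming connections
##
#########

###########
#ldap, mysql let ego+psyche in but nobody else
###########
fw add 00310 allow tcp from 149.157.248.50 to me 389,3306 in via "$oif" keep-state
fw add 00320 allow tcp from 149.157.248.51 to me 389,3306 in via "$oif" keep-state

#this rule is ok as the dynamic keep-states will supersede this
fw add 00330 deny tcp from me 389,3306 to any out via "$oif"

###########
#machines we know and love
###########

#allow ego to connect
# (this admits every protocol/port from ego, so the ego-specific rules
#  00310, 00620 and 00670 are already covered by it)
fw add 00410 allow ip from 149.157.248.50 to me in via "$oif" keep-state

# allow misha to connect to scan us using nachios.
fw add 00420 allow ip from 149.157.245.43 to me 5666 in via "$oif" keep-state

#any one can ping us
fw add 00510 allow icmp from any to me keep-state

###############
#services
###############

# psyche is allowed to send bipolar email (SMTP) (like its daily reports)
fw add 00610 allow tcp from 149.157.248.51 to me 25 in via "$oif" keep-state

# allow ego and psyche to connect via nfs
# NOTE(review): ego (.50) is given only TCP and psyche (.51) only UDP here --
# confirm that asymmetry is intended.
fw add 00620 allow tcp from 149.157.248.50 to me 2049,1110 in via "$oif" keep-state
fw add 00630 allow udp from 149.157.248.51 to me 2049,1110 in via "$oif" keep-state

#let people connect to bipolar via ssh, http, https
fw add 00640 allow tcp from any to me 22,80,443 in via "$oif" keep-state

#let emails come in
fw add 00650 allow tcp from any to me in dst-port 25 via "$oif" keep-state

# allow netsoc.tcd.ie in for ircd
fw add 00660 allow tcp from 134.226.83.50 to me dst-port 6667 in via "$oif" keep-state

# allow ego, psyche in for upsmon
fw add 00670 allow tcp from 149.157.248.50 to me 3493 in via "$oif" keep-state
fw add 00680 allow tcp from 149.157.248.51 to me 3493 in via "$oif" keep-state

############
##
##lock down
##
###########

#deny from all to bipolar if it's not in the above
fw add 01000 deny all from me to any out via "$oif"

#deny all to bipolar unless it's mentioned above
fw add 02000 deny all from any to me in via "$oif"

#default rule
# Rule 65535 is ipfw's built-in default and cannot be added from here; whether
# it accepts or denies is decided when the kernel is built, so verify it on
# this host rather than relying on the commented line below.
#ipfw -q add 65535 deny ip from any to any

if [ "$failed" -ne 0 ]; then
  printf '%d ipfw rule(s) were not installed; review the ruleset\n' "$failed" >&2
  exit 1
fi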