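# /etc/ipfw.conf
#
# ipfw ruleset: dummynet bandwidth pipes for the web server (1.1.1.3), the
# mail server (1.1.1.4) and the LAN (192.168.0.0/24), followed by the
# filtering rules.  Rules are grouped into sets so that one group can be
# enabled or disabled as a unit ("ipfw set disable N").
#
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 a packet handed
# to a pipe by rules 100-150 is NOT re-injected into the ruleset, so all
# traffic to/from 1.1.1.3, 1.1.1.4 and 192.168.0.0/24 is effectively
# accepted at that point and never reaches the anti-spoofing, IP-option and
# service rules below.  With one_pass=0 the packet continues at the next
# rule, but then note that there is no "established" / "keep-state" rule:
# reply packets of the sessions permitted below (e.g. from 1.1.1.3 port 80
# back to the client) match no allow rule and are dropped by the final deny.
# Confirm which behaviour is intended before deploying.

# dummynet pipes: web server 1024 Kbit/s, mail server 512 Kbit/s,
# LAN 2048 Kbit/s
pipe 1 config bw 1024Kbit/s
pipe 2 config bw 512Kbit/s
pipe 3 config bw 2048Kbit/s

# set 1: traffic shaping, both directions for each host / network
add 100 set 1 pipe 1 tcp from 1.1.1.3 to any
add 110 set 1 pipe 1 tcp from any to 1.1.1.3
add 120 set 1 pipe 2 tcp from 1.1.1.4 to any
add 130 set 1 pipe 2 tcp from any to 1.1.1.4
add 140 set 1 pipe 3 all from 192.168.0.0/24 to any
add 150 set 1 pipe 3 all from any to 192.168.0.0/24

# set 2: NAT - hand LAN traffic leaving through xl0 to natd (divert port 8668)
# NOTE(review): only LAN-originated packets match this rule; replies coming
# back from the outside (source not in 192.168.0.0/24) are never handed to
# natd for reverse translation.  The usual form is
#   divert 8668 ip from any to any via xl0
# but check natd's options first (e.g. -unregistered_only) so that the
# public servers 1.1.1.3 - 1.1.1.5 are not translated as well.
add 200 set 2 divert 8668 ip from 192.168.0.0/24 to not 192.168.0.0/24 via xl0
# ARP frames, required by the bridge - presumably the bridge code presents
# non-IP frames to ipfw as UDP from 0.0.0.0 with the Ethertype as source
# port (2054 = 0x0806 = ARP); confirm against the bridge documentation
add 210 set 2 allow udp from 0.0.0.0 2054 to 0.0.0.0

# set 3: loopback interface
add 300 set 3 allow ip from any to any via lo0

# set 4: anti-spoofing - drop inbound datagrams on xl0 that claim to come
# from our own networks or loopback, and outbound datagrams whose source is
# not in our public range (written as 1.1.1.0/28 to match rule 440; ipfw
# masks 1.1.1.1/28 to the same network anyway).
# NOTE(review): rule 440 also matches packets forwarded out to the LAN whose
# source is an outside address - confirm this is intended.
add 400 set 4 deny ip from 1.1.1.0/28 to any in via xl0
add 410 set 4 deny ip from 192.168.0.0/24 to any in via xl0
add 420 set 4 deny ip from 127.0.0.0/8 to any in via xl0
add 430 set 4 deny ip from any to 127.0.0.0/8 in via xl0
add 440 set 4 deny ip from not 1.1.1.0/28 to any out

# set 5: potentially dangerous IP options (record route, timestamp,
# loose / strict source routing) and invalid TCP flag combinations
add 500 set 5 deny ip from any to any ipoptions rr
add 510 set 5 deny ip from any to any ipoptions ts
add 520 set 5 deny ip from any to any ipoptions lsrr
add 530 set 5 deny ip from any to any ipoptions ssrr
# syn/fin and syn/rst are TCP flags, not IP options: "ipoptions syn/fin" is
# not valid ipfw syntax, these checks belong to "tcpflags"
add 540 set 5 deny tcp from any to any tcpflags syn,fin
add 550 set 5 deny tcp from any to any tcpflags syn,rst

# set 6: drop TCP fragments; allow ICMP echo reply (0), unreachable (3),
# echo request (8) and time exceeded (11)
add 600 set 6 deny tcp from any to any frag
add 610 set 6 allow icmp from any to any icmptypes 0,3,8,11

# set 7: HTTP and HTTPS to the web server
add 700 set 7 allow tcp from any to 1.1.1.3 80
add 710 set 7 allow tcp from any to 1.1.1.3 443

# set 8: SMTP to and from the mail server
add 800 set 8 allow tcp from any to 1.1.1.4 25
add 810 set 8 allow tcp from 1.1.1.4 to any 25

# set 9: DNS to the DNS server
add 900 set 9 allow tcp from any to 1.1.1.5 53
add 910 set 9 allow udp from any to 1.1.1.5 53

# SSH for remote administration of the firewall itself ("me", set 10) and
# of each server (placed in that server's set).  Consider restricting the
# source of these rules to the administration network instead of "any".
add 1000 set 10 allow tcp from any to me 22
add 1010 set 7 allow tcp from any to 1.1.1.3 22
add 1020 set 8 allow tcp from any to 1.1.1.4 22
add 1030 set 9 allow tcp from any to 1.1.1.5 22

# everything else is dropped
add deny all from any to any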