#!/bin/sh
fwcmd=/sbin/ipfw

tif="tun0"
oif="de1"
iif="de0"

${fwcmd} -f flush

${fwcmd} add pass all from any to any via lo0
${fwcmd} add pass all from 127.0.0.1 to 127.0.0.1
${fwcmd} add deny log all from any to 127.0.0.1 via ${tif}

${fwcmd} add deny log all from 10.0.0.0/8 to any in recv ${tif}
${fwcmd} add deny log all from 172.16.0.0/12 to any in recv ${tif}
${fwcmd} add deny log all from 192.168.0.0/16 to any in recv ${tif}
${fwcmd} add deny log all from any to 10.0.0.0/8 out xmit ${tif}
${fwcmd} add deny log all from any to 172.16.0.0/12 out xmit ${tif}
${fwcmd} add deny log all from any to 192.168.0.0/16 out xmit ${tif}

${fwcmd} add deny log all from any to any ipoptions ssrr,lsrr

${fwcmd} add deny tcp from any to any 137-139,445,111,548 via ${tif}
${fwcmd} add deny udp from any to any 137-139,445,111,548 via ${tif}

${fwcmd} add 65000 pass all from any to any