最新笔记

阿里云 ECS 部署 FreeBSD 12

配置防火墙

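# Write the ipfw ruleset.  The heredoc delimiter is quoted so the outer
# shell never expands anything inside the file as it is written.
cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh
# ipfw ruleset for this ECS host; the only interface filtered is vtnet0.
# rc.d/ipfw runs this file at boot (firewall_script in rc.conf).
# Outbound flows are stateful: keep-state / limit create dynamic entries
# and rule 9 (check-state) admits their replies.  Anything not matched
# below reaches the default rule 65535 -- deny unless the kernel or the
# net.inet.ip.fw.default_to_accept tunable says otherwise -- so any
# outbound service other than DNS/HTTP/HTTPS/NTP/ICMP needs its own rule.

ipfw -q -f flush

# No restrictions on Loopback Interface
ipfw -q add 00001 allow all from any to any via lo0

# Match packets belonging to flows already in the dynamic rule table
ipfw -q add 00009 check-state

# Deny all inbound traffic from non-routable reserved address spaces.
# NOTE(review): an ECS VPC is itself usually addressed from the RFC 1918
# blocks, so rules 11-13 also drop traffic from other instances in the
# same VPC -- confirm the VPC CIDR before relying on them.
ipfw -q add 000011 deny all from 192.168.0.0/16 to any in via vtnet0    # RFC 1918 private IP
ipfw -q add 000012 deny all from 172.16.0.0/12 to any in via vtnet0     # RFC 1918 private IP
ipfw -q add 000013 deny all from 10.0.0.0/8 to any in via vtnet0        # RFC 1918 private IP
ipfw -q add 000014 deny all from 127.0.0.0/8 to any in via vtnet0       # loopback
ipfw -q add 000015 deny all from 0.0.0.0/8 to any in via vtnet0         # "this network" (RFC 1122), never a valid source
ipfw -q add 000016 deny all from 169.254.0.0/16 to any in via vtnet0    # link-local / DHCP auto-config
ipfw -q add 000017 deny all from 192.0.2.0/24 to any in via vtnet0      # reserved for docs
ipfw -q add 000018 deny all from 204.152.64.0/23 to any in via vtnet0   # Sun cluster interconnect
ipfw -q add 000019 deny all from 224.0.0.0/3 to any in via vtnet0       # Class D & E multicast

# Deny fragments
ipfw -q add 000021 deny all from any to any frag in via vtnet0

# Deny inbound ACK packets that did not match the dynamic rule table.
# A TCP session that already existed when these rules were loaded (e.g.
# the SSH session used to load them) has no dynamic entry and is dropped
# here -- load the rules from the console, or expect to reconnect.
ipfw -q add 000031 deny tcp from any to any established in via vtnet0

# Allow outbound ping (replies come back through check-state)
ipfw -q add 000041 allow icmp from any to any out via vtnet0 keep-state

# Allow access to the internal DNS resolvers (should match /etc/resolv.conf)
ipfw -q add 000111 allow tcp from any to 100.100.2.136 53 out via vtnet0 setup keep-state
ipfw -q add 000112 allow udp from any to 100.100.2.136 53 out via vtnet0 keep-state
ipfw -q add 000113 allow tcp from any to 100.100.2.138 53 out via vtnet0 setup keep-state
ipfw -q add 000114 allow udp from any to 100.100.2.138 53 out via vtnet0 keep-state

# Allow outbound HTTP and HTTPS connections (ports, pkg, pip, freebsd-update)
ipfw -q add 000121 allow tcp from any to any 80 out via vtnet0 setup keep-state
ipfw -q add 000122 allow tcp from any to any 443 out via vtnet0 setup keep-state

# Allow outbound NTP connections
ipfw -q add 000131 allow udp from any to any 123 out via vtnet0 keep-state

# Allow inbound SSH; limit src-addr 6 caps concurrent sessions per source address
ipfw -q add 000211 allow tcp from any to me 22 in via vtnet0 setup limit src-addr 6

# Allow inbound HTTP and HTTPS; 3 concurrent connections per client is low
# for browsers, which open several in parallel -- raise it if pages stall
ipfw -q add 000221 allow tcp from any to me 80 in via vtnet0 setup limit src-addr 3
ipfw -q add 000222 allow tcp from any to me 443 in via vtnet0 setup limit src-addr 3

# Reject all other incoming traffic on vtnet0
ipfw -q add 000999 deny all from any to any in via vtnet0
EOF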

# Enable ipfw at boot and point rc.d/ipfw at the ruleset written above;
# a single sysrc call may set several rc.conf variables.
sysrc firewall_enable="YES" firewall_script="/etc/ipfw.rules"

# Loads the ipfw module and runs /etc/ipfw.rules now.  Rule 31 of that
# script drops TCP sessions that predate it, so do this from the console
# (or expect the current SSH session to hang and reconnect afterwards).
service ipfw start

配置时钟同步

配置时区

# Set the system time zone.  This is a symlink into /usr/share/zoneinfo, so
# it only resolves while /usr is mounted; tzsetup(8) would copy the file
# instead -- either way the zone stays Asia/Shanghai.
ln -s -f -- /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

配置 NTP

# Run ntpd at boot; ntpd_sync_on_start adds -g so the first sync may step
# the clock by any amount (a fresh VM can be far off).  Outbound udp/123 is
# already allowed by rule 131 of /etc/ipfw.rules.
sysrc ntpd_enable="YES" ntpd_sync_on_start="YES"

service ntpd start

更新 Ports

# First-time checkout of the ports tree: fetch a signed snapshot and unpack
# it into /usr/ports.
portsnap fetch extract
# Subsequent refreshes; right after a fresh extract this should report the
# tree as already up to date.
portsnap fetch update

安装常用软件

screen

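# Build and install sysutils/screen from ports.  The cd is guarded: if the
# directory is missing (ports tree not extracted) the make targets would
# otherwise run in whatever directory the shell is in.
cd /usr/ports/sysutils/screen || exit 1
make config-recursive   # answer the OPTIONS dialogs for the port and its dependencies up front
make fetch-recursive    # download every distfile before the build starts
make install clean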

bash

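# Build and install shells/bash from ports.  The cd is guarded so a missing
# ports directory cannot leave the make targets running elsewhere.
cd /usr/ports/shells/bash || exit 1
make config-recursive   # answer the OPTIONS dialogs up front
make fetch-recursive    # download every distfile before the build starts
make install clean

# Change the login shell of the invoking user (no user argument given).
# NOTE(review): for root this moves the login shell outside the base
# system; if /usr/local is unavailable or the port is later removed, root
# may be unable to log in.  Consider keeping root on /bin/sh and using
# bash only from an unprivileged account.
chsh -s /usr/local/bin/bash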

如果提示 readline 版本过期:

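# Rebuild devel/readline when the bash port complains that the installed
# readline is too old.  Guard the cd so deinstall/reinstall can only run
# inside the readline port directory.
cd /usr/ports/devel/readline || exit 1
make deinstall   # remove the installed (stale) readline
make reinstall   # build and install the current port version
make clean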

Nginx

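# Build and install www/nginx from ports; the cd is guarded so the make
# targets cannot run outside the port directory.
cd /usr/ports/www/nginx || exit 1
make config-recursive   # answer the OPTIONS dialogs up front
make fetch-recursive    # download every distfile before the build starts
make install clean

# Start nginx at boot.
sysrc nginx_enable="YES"

# Rules 221/222 of /etc/ipfw.rules already admit inbound 80/443, so the
# server is reachable from the outside as soon as it starts -- review
# /usr/local/etc/nginx/nginx.conf before this step.
service nginx start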

配置 PIP

# Bootstrap pip from the interpreter's bundled copy, then bring it up to
# date from PyPI (outbound 443 is allowed by the firewall).
# NOTE(review): `python` must resolve to the intended interpreter -- ports
# install versioned binaries, the unversioned name comes from a meta-port;
# run as root this writes into the system site-packages.  Confirm.
python -m ensurepip --upgrade
python -m pip install -U pip

更新 / 升级

更新补丁

# Apply binary security/errata patches for the running release.  fetch
# verifies the signed metadata; install applies it.  If a kernel update was
# installed, freebsd-update asks for a reboot before it takes effect.
freebsd-update fetch
freebsd-update install

升级版本

# Binary upgrade to 12.4-RELEASE.  This is an interactive procedure, not a
# script: freebsd-update asks to confirm the changes, and the reboot in the
# middle means the final line is typed by hand once the host is back.
freebsd-update -r 12.4-RELEASE upgrade
# First install pass: installs the new kernel.
freebsd-update install
# Boot the GENERIC kernel on the next boot only (nextboot(8)).
# NOTE(review): the reason for selecting GENERIC is not recorded here;
# if no custom kernel is configured this line is redundant -- confirm.
nextboot -k GENERIC
shutdown -r now
# After the reboot: second pass installs the userland part of the upgrade.
# freebsd-update prints whether a further pass is needed once third-party
# software has been rebuilt.
freebsd-update install