#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100