comparison usr/src/cmd/ipf/examples/BASIC_2.FW @ 0:c9caec207d52 b86
Initial porting based on b86
| field | value |
|---|---|
| author | Koji Uno <koji.uno@sun.com> |
| date | Tue, 02 Jun 2009 18:56:50 +0900 |
| parents | |
| children | |
-1:000000000000 | 0:c9caec207d52 |
---|---|
1 #!/sbin/ipf -f - | |
2 # | |
3 # SAMPLE: PERMISSIVE FILTER RULES | |
4 # | |
5 # THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 | |
6 # | |
7 # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 | |
8 # | |
9 # ed0 - (internal) network interface, address w.x.y.z/32 | |
10 # | |
11 # This file contains the basic rules needed to construct a firewall for the | |
12 # above situation. | |
13 # | |
14 #------------------------------------------------------- | |
15 # *Nasty* packets we don't want to allow near us at all! | |
16 # short packets which are packets fragmented too short to be real. | |
17 block in log quick all with short | |
18 #------------------------------------------------------- | |
19 # Group setup. | |
20 # ============ | |
21 # By default, block and log everything. This maybe too much logging | |
22 # (especially for ed0) and needs to be further refined. | |
23 # | |
24 block in log on ppp0 all head 100 | |
25 block out log on ppp0 all head 150 | |
26 block in log on ed0 from w.x.y.z/24 to any head 200 | |
27 block out log on ed0 all head 250 | |
28 #------------------------------------------------------- | |
29 # Invalid Internet packets. | |
30 # ========================= | |
31 # | |
32 # Deny reserved addresses. | |
33 # | |
34 block in log quick from 10.0.0.0/8 to any group 100 | |
35 block in log quick from 192.168.0.0/16 to any group 100 | |
36 block in log quick from 172.16.0.0/12 to any group 100 | |
37 # | |
38 # Prevent IP spoofing. | |
39 # | |
40 block in log quick from a.b.c.d/24 to any group 100 | |
41 # | |
42 #------------------------------------------------------- | |
43 # Localhost packets. | |
44 # ================== | |
45 # packets going in/out of network interfaces that aren't on the loopback | |
46 # interface should *NOT* exist. | |
47 block in log quick from 127.0.0.0/8 to any group 100 | |
48 block in log quick from any to 127.0.0.0/8 group 100 | |
49 block in log quick from 127.0.0.0/8 to any group 200 | |
50 block in log quick from any to 127.0.0.0/8 group 200 | |
51 # And of course, make sure the loopback allows packets to traverse it. | |
52 pass in quick on lo0 all | |
53 pass out quick on lo0 all | |
54 #------------------------------------------------------- | |
55 # Allow any communication between the inside network and the outside only. | |
56 # | |
57 # Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc) | |
58 # | |
59 pass in log quick proto tcp all flags S/SA keep state group 200 | |
60 # | |
61 # Support all UDP `connections' initiated from inside. | |
62 # | |
63 # Allow ping out | |
64 # | |
65 pass in log quick proto icmp all keep state group 200 | |
66 #------------------------------------------------------- | |
67 # Log these: | |
68 # ========== | |
69 # * return RST packets for invalid SYN packets to help the other end close | |
70 block return-rst in log proto tcp from any to any flags S/SA group 100 | |
71 # * return ICMP error packets for invalid UDP packets | |
72 block return-icmp(net-unr) in proto udp all group 100 |
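Review bot: the comment at lines 61 and 62 ("Support all UDP `connections' initiated from inside.") is not followed by any rule, so under the `block in log on ed0 from w.x.y.z/24 to any head 200` head every UDP datagram from the inside network falls back to the head's block action and is dropped and logged; either add a rule after that comment such as `pass in log quick proto udp all keep state group 200` (mirroring the TCP and ICMP rules at lines 59 and 65) or remove the comment so the sample does not describe behaviour it does not implement. Two smaller points in the same hunk: the anti-spoofing rule at line 40, `block in log quick from a.b.c.d/24 to any group 100`, blocks the external /24 surrounding the PPP address from line 7, whereas the range that should never arrive inbound on ppp0 is the internal w.x.y.z/24 named at lines 9 and 26, so it is worth confirming which network was intended; and the "Log these:" section closes with `block return-icmp(net-unr) in proto udp all group 100`, which omits the `log` keyword that the heading and the preceding rule at line 70 use. As this is a verbatim import of the upstream sample, these can be deferred to an upstream fix if the port is meant to track it unchanged.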