Lines Matching refs:to
46 # client - will try to protect just this machine
47 # simple - will try to protect a whole network
49 # workstation - will try to protect just this machine using statefull
60 # take time to read this book:
83 # Only in rare cases do you want to change these rules
85 ${fwcmd} add 100 pass all from any to any via lo0
86 ${fwcmd} add 200 deny all from any to 127.0.0.0/8
87 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
89 ${fwcmd} add 400 deny all from any to ::1
90 ${fwcmd} add 500 deny all from ::1 to any
98 # Only in rare cases do you want to change these rules
103 ${fwcmd} add pass ipv6-icmp from :: to ff02::/16
105 ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
106 ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
109 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1
112 ${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
145 # Network Address Translation. All packets are passed to natd(8)
150 # For ``simple'' firewall type the divert rule should be put to a
151 # different place to not interfere with address-checking rules.
158 ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
172 ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
179 # If you just configured ipfw in the kernel as a tool to solve network
180 # problems or you just want to disallow some particular kinds of traffic
181 # then you will want to change the default policy to open. You can also
182 # do this as your only action by setting the firewall_type to ``open''.
184 # ${fwcmd} add 65000 pass all from any to any
191 ${fwcmd} add 65000 pass all from any to any
204 # set this to your local network
209 ${fwcmd} add pass all from ${net} to 255.255.255.255
211 # Allow any traffic to or from my own net.
212 ${fwcmd} add pass all from me to ${net}
213 ${fwcmd} add pass all from ${net} to me
215 ${fwcmd} add pass all from me to ${net6}
216 ${fwcmd} add pass all from ${net6} to me
221 ${fwcmd} add pass all from fe80::/10 to ff02::/16
222 ${fwcmd} add pass all from ${net6} to ff02::/16
224 ${fwcmd} add pass udp from fe80::/10 to me 546
228 ${fwcmd} add pass tcp from any to any established
230 # Allow IP fragments to pass through
231 ${fwcmd} add pass all from any to any frag
234 ${fwcmd} add pass tcp from any to me 25 setup
237 ${fwcmd} add pass tcp from me to any setup
240 ${fwcmd} add deny tcp from any to any setup
243 ${fwcmd} add pass udp from me to any 53 keep-state
246 ${fwcmd} add pass udp from me to any 123 keep-state
270 # set these to your outside interface network
276 # set these to your inside interface network
283 ${fwcmd} add deny all from ${inet} to any in via ${oif}
284 ${fwcmd} add deny all from ${onet} to any in via ${iif}
286 ${fwcmd} add deny all from ${inet6} to any in via ${oif6}
288 ${fwcmd} add deny all from ${onet6} to any in \
294 ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
295 ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
296 ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
301 ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
302 ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
303 ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
304 ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
305 ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
310 # address set to 192.0.2.1 then an incoming packet for it after being
317 ${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
323 ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
324 ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
325 ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
330 ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
331 ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
332 ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
333 ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
334 ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
338 ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
339 ${fwcmd} add deny all from any to fc00::/7 via ${oif6}
342 ${fwcmd} add deny all from fec0::/10 to any via ${oif6}
343 ${fwcmd} add deny all from any to fec0::/10 via ${oif6}
345 # Disallow "internal" addresses to appear on the wire.
346 ${fwcmd} add deny all from ::ffff:0.0.0.0/96 to any \
348 ${fwcmd} add deny all from any to ::ffff:0.0.0.0/96 \
351 # Disallow packets to malicious IPv4 compatible prefix.
352 ${fwcmd} add deny all from ::224.0.0.0/100 to any via ${oif6}
353 ${fwcmd} add deny all from any to ::224.0.0.0/100 via ${oif6}
354 ${fwcmd} add deny all from ::127.0.0.0/104 to any via ${oif6}
355 ${fwcmd} add deny all from any to ::127.0.0.0/104 via ${oif6}
356 ${fwcmd} add deny all from ::0.0.0.0/104 to any via ${oif6}
357 ${fwcmd} add deny all from any to ::0.0.0.0/104 via ${oif6}
358 ${fwcmd} add deny all from ::255.0.0.0/104 to any via ${oif6}
359 ${fwcmd} add deny all from any to ::255.0.0.0/104 via ${oif6}
361 ${fwcmd} add deny all from ::0.0.0.0/96 to any via ${oif6}
362 ${fwcmd} add deny all from any to ::0.0.0.0/96 via ${oif6}
364 # Disallow packets to malicious 6to4 prefix.
365 ${fwcmd} add deny all from 2002:e000::/20 to any via ${oif6}
366 ${fwcmd} add deny all from any to 2002:e000::/20 via ${oif6}
367 ${fwcmd} add deny all from 2002:7f00::/24 to any via ${oif6}
368 ${fwcmd} add deny all from any to 2002:7f00::/24 via ${oif6}
369 ${fwcmd} add deny all from 2002:0000::/24 to any via ${oif6}
370 ${fwcmd} add deny all from any to 2002:0000::/24 via ${oif6}
371 ${fwcmd} add deny all from 2002:ff00::/24 to any via ${oif6}
372 ${fwcmd} add deny all from any to 2002:ff00::/24 via ${oif6}
374 ${fwcmd} add deny all from 2002:0a00::/24 to any via ${oif6}
375 ${fwcmd} add deny all from any to 2002:0a00::/24 via ${oif6}
376 ${fwcmd} add deny all from 2002:ac10::/28 to any via ${oif6}
377 ${fwcmd} add deny all from any to 2002:ac10::/28 via ${oif6}
378 ${fwcmd} add deny all from 2002:c0a8::/32 to any via ${oif6}
379 ${fwcmd} add deny all from any to 2002:c0a8::/32 via ${oif6}
381 ${fwcmd} add deny all from ff05::/16 to any via ${oif6}
382 ${fwcmd} add deny all from any to ff05::/16 via ${oif6}
386 ${fwcmd} add pass tcp from any to any established
388 # Allow IP fragments to pass through
389 ${fwcmd} add pass all from any to any frag
392 ${fwcmd} add pass tcp from any to me 25 setup
394 # Allow access to our DNS
395 ${fwcmd} add pass tcp from any to me 53 setup
396 ${fwcmd} add pass udp from any to me 53
397 ${fwcmd} add pass udp from me 53 to any
399 # Allow access to our WWW
400 ${fwcmd} add pass tcp from any to me 80 setup
403 ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp
405 ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
410 ${fwcmd} add pass tcp from any to any setup
413 ${fwcmd} add pass udp from me to any 53 keep-state
416 ${fwcmd} add pass udp from me to any 123 keep-state
428 # that have access to
431 # that have full access to this host.
447 ${fwcmd} add pass tcp from me to any established
450 ${fwcmd} add pass tcp from me to any setup keep-state
451 ${fwcmd} add pass udp from me to any keep-state
452 ${fwcmd} add pass icmp from me to any keep-state
454 ${fwcmd} add pass ipv6-icmp from me to any keep-state
458 ${fwcmd} add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out
459 ${fwcmd} add pass udp from any 67 to me 68 in
460 ${fwcmd} add pass udp from any 67 to 255.255.255.255 68 in
462 ${fwcmd} add pass udp from fe80::/10 to me 546 in
464 # Some servers will ping the IP while trying to decide if it's
466 ${fwcmd} add pass icmp from any to any icmptype 8
468 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
472 ${fwcmd} add pass icmp from any to any icmptype 3,4,11
474 ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
479 # If you really wish to let anyone use services on your
484 # You can add 'keep-state' to the lines for slightly
490 ${fwcmd} add pass tcp from $i to me $j
498 ${fwcmd} add pass ip from $i to me
501 ${fwcmd} add 65000 count ip from any to any
503 # Drop packets to ports where we don't want logging
505 ${fwcmd} add deny { tcp or udp } from any to any $i in
509 ${fwcmd} add deny ip from any to 255.255.255.255
510 ${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX
513 ${fwcmd} add deny udp from any to any 520 in
517 # connection teardowns to be logged.
518 ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in
526 ${fwcmd} add deny $log ip from any to any
530 ${fwcmd} add 65000 deny ip from any to any