# $FreeBSD: releng/10.2/share/examples/ipfilter/firewall.1 108317 2002-12-27 12:15:40Z schweikh $
#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0/24 which needs to be protected.
#
# IPFilter evaluates every rule in the list and the LAST matching rule
# decides the packet's fate, unless a matching rule carries "quick",
# which stops evaluation at that rule.  The two "pass" rules below are
# therefore the default that the later "block" rules override.
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network,
# from localhost, or from the unspecified/broadcast addresses
# shouldn't be coming in from outside.)
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block any incoming traffic to NFS ports (2049), to the RPC portmapper
# (sunrpc, port 111), and to X servers (port 6000 is display :0; each
# further display uses the next port up).  These rules are not "quick",
# so they take effect by being the last match after "pass in".
#
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
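The ruleset above only works because of IPFilter's evaluation order: the last matching rule wins unless a matching rule says "quick". The following Python model is an added example, not part of FreeBSD or IPFilter, that parses the rules above (only the syntax they use) and evaluates constructed packets against them, so the effect of "quick" versus last-match can be checked. The HOSTS and SERVICES tables stand in for /etc/hosts and /etc/services lookups (an assumption), and "port = N" is treated as a destination-port test because that is the only position it appears in here.

```python
"""Model of IPFilter rule evaluation for the example firewall ruleset.

Added example; not FreeBSD's or IPFilter's own code.  Supports only the
keywords the example uses: pass/block, in/out, log, quick, on <iface>,
proto <p[/p]>, from/to <any|host|cidr>, port = <n|name>, icmp-type,
and "with short".  Packets are plain dicts built by pkt().
"""
import ipaddress

# Stand-ins for /etc/hosts and /etc/services (assumption, constructed data).
HOSTS = {"localhost": "127.0.0.1"}
SERVICES = {"sunrpc": 111}

# The example ruleset, verbatim (comments omitted).
RULESET = """\
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
"""


def _net(tok):
    """'any' matches everything (None); otherwise a host name or CIDR."""
    if tok == "any":
        return None
    return ipaddress.ip_network(HOSTS.get(tok, tok), strict=False)


def _port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": False, "iface": None,
         "proto": None, "src": None, "dst": None, "dport": None,
         "icmp_type": None, "short": False}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "all"):          # "all" == "from any to any"
            i += 1
        elif w == "quick":
            r["quick"] = True
            i += 1
        elif w == "on":
            r["iface"] = t[i + 1]
            i += 2
        elif w == "proto":
            r["proto"] = t[i + 1].split("/")   # "tcp/udp" -> either
            i += 2
        elif w == "from":
            r["src"] = _net(t[i + 1])
            i += 2
        elif w == "to":
            r["dst"] = _net(t[i + 1])
            i += 2
        elif w == "port":                # only "port = N" is supported here
            if t[i + 1] != "=":
                raise ValueError(f"unsupported port comparison in {line!r}")
            r["dport"] = _port(t[i + 2])
            i += 3
        elif w == "icmp-type":
            r["icmp_type"] = t[i + 1]
            i += 2
        elif w == "with" and t[i + 1] == "short":
            r["short"] = True
            i += 2
        else:
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r


def matches(r, p):
    """True if rule r applies to packet p (every present test must hold)."""
    if r["dir"] != p["dir"]:
        return False
    if r["iface"] is not None and r["iface"] != p["iface"]:
        return False
    if r["proto"] is not None and p["proto"] not in r["proto"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(p["src"]) not in r["src"]:
        return False
    if r["dst"] is not None and ipaddress.ip_address(p["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and p.get("dport") != r["dport"]:
        return False
    if r["icmp_type"] is not None and p.get("icmp_type") != r["icmp_type"]:
        return False
    if r["short"] and not p.get("short", False):
        return False
    return True


def evaluate(rules, p):
    """Return (action, rule_index): last match wins, 'quick' stops early.

    IPFilter passes a packet that matches no rule at all (index None).
    """
    verdict = ("pass", None)
    for idx, r in enumerate(rules):
        if matches(r, p):
            verdict = (r["action"], idx)
            if r["quick"]:
                break
    return verdict


def pkt(direction, iface, proto, src, dst, **extra):
    """Build a constructed test packet; extra may set dport/icmp_type/short."""
    p = {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst}
    p.update(extra)
    return p


RULES = [parse_rule(l) for l in RULESET.splitlines() if l and not l.startswith("#")]

if __name__ == "__main__":
    samples = [
        pkt("in", "ppp0", "tcp", "203.0.113.5", "192.168.4.10", dport=2049),
        pkt("in", "ppp0", "tcp", "192.168.4.5", "192.168.4.10", dport=2049),
        pkt("in", "ppp0", "udp", "203.0.113.5", "192.168.4.10", dport=53, short=True),
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

The second sample packet shows the difference between the two blocking styles: it would hit the NFS rule at the end, but the "quick" anti-spoofing rule fires first and stops evaluation, so the logged verdict names the spoofing rule, not the NFS rule. Packets arriving on ed0 never reach the "on ppp0" rules and keep the "pass in" verdict.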