# $FreeBSD: releng/10.2/share/examples/ipfilter/firewall.2 108317 2002-12-27 12:15:40Z schweikh $
#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP connections to known services,
# returning a connection reset so things like ident don't take
# forever timing out. Don't log ident (auth port) as it's so common.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000, as
# these don't have daemons listening but are used by outgoing
# services like ftp and talk. For slightly more obscurity (though
# not much more security), the second, commented-out rule can be chosen
# instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts: TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
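As an added illustration that is not part of the FreeBSD example file: a small Python model of how ipfilter walks a ruleset (every rule is tested in order, the last matching rule decides, and a matching `quick` rule decides immediately), run over a hand-transcribed subset of the rules above. It is a simplified model that omits logging, return-rst and the short/ipopts/icmp checks, and it gives the host `www` the constructed address 192.168.4.12.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    quick: bool = False             # a matching quick rule ends evaluation at once
    iface: Optional[str] = None     # None = any interface
    proto: Optional[str] = None     # None = any protocol
    src: Optional[str] = None       # CIDR, None = any source
    dst: Optional[str] = None       # CIDR, None = any destination
    dports: Optional[tuple] = None  # inclusive destination-port range, None = any
    syn_only: bool = False          # models "flags S/SA": SYN set and ACK clear

# flags: "S" = new connection (SYN only), "A" = packet of an established connection
Packet = namedtuple("Packet", "direction iface proto src dst dport flags", defaults=(0, ""))

def matches(r, p):
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ip_address(p.src) in ip_network(r.src))
            and (r.dst is None or ip_address(p.dst) in ip_network(r.dst))
            and (r.dports is None or r.dports[0] <= p.dport <= r.dports[1])
            and (not r.syn_only or p.flags == "S"))

def evaluate(rules, p):
    # ipfilter: the last matching rule decides, unless a matching rule is quick.
    decision = None
    for r in rules:
        if matches(r, p):
            decision = r.action
            if r.quick:
                break
    return decision

# Subset of the ruleset above, hand-transcribed; "www" gets the constructed address 192.168.4.12.
RULES = [
    Rule("pass", "out"), Rule("pass", "in"),
    Rule("block", "in", quick=True, iface="ppp0", src="192.168.4.0/24"),   # anti-spoof
    Rule("block", "in", iface="ppp0", proto="udp"),
    Rule("pass", "in", iface="ppp0", proto="udp", dports=(53, 53)),        # port = domain
    Rule("block", "in", iface="ppp0", proto="tcp", syn_only=True),         # flags S/SA
    Rule("pass", "in", iface="ppp0", proto="tcp", dports=(1025, 4999)),    # 1024 >< 5000 (exclusive)
    Rule("pass", "in", iface="ppp0", proto="tcp", dst="192.168.4.12/32", dports=(80, 80)),
]
```

Note that because the ruleset keeps no state, an inbound TCP packet with ACK set passes the S/SA block rule regardless of its destination port; only new connections (SYN without ACK) are filtered.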