# $FreeBSD: releng/10.2/share/examples/ipfilter/firewall.2 108317 2002-12-27 12:15:40Z schweikh $
#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP traffic connections to known services,
# returning a connection reset so things like ident don't take
# forever timing out. Don't log ident (auth port) as it's so common.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000, as
# these don't have daemons listening but are used by outgoing
# services like ftp and talk. For slightly more obscurity (though
# not much more security), the second commented out rule can be chosen
# instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts, TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
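The ordering above only works because of how ipfilter evaluates a rule list: the last matching rule decides the packet's fate, except that a matching rule marked "quick" ends evaluation immediately (which is why the anti-spoof rules are "quick" and the UDP "block ... from any to any" can be followed by narrower "pass" rules). The following is an added Python model of that evaluation order over a subset of the rules above; it is not part of the FreeBSD example file. Port numbers are the /etc/services values for the names used above (sunrpc=111, domain=53, auth=113, www=80, ssh=22); host names and packet addresses are constructed.

```python
import ipaddress

# Rule fields left as None are unconstrained ("any"). Host names such as
# "www" stand in for the file's named hosts (constructed, not resolved).
def rule(action, quick=False, log=False, iface=None, proto=None,
         src=None, dst=None, dport=None):
    return dict(action=action, quick=quick, log=log, iface=iface, proto=proto,
                src=ipaddress.ip_network(src) if src else None,
                dst=dst, dport=dport)

RULES = [
    rule("pass"),                                            # pass in from any to any
    rule("block", quick=True, log=True, iface="ppp0", src="192.168.4.0/24"),
    rule("block", iface="ppp0", proto="udp"),
    rule("block", log=True, iface="ppp0", proto="udp", dport=111),   # sunrpc
    rule("block", log=True, iface="ppp0", proto="udp", dport=2049),  # NFS
    rule("pass", iface="ppp0", proto="udp", dport=53),               # domain
    rule("block return-rst", log=True, iface="ppp0", proto="tcp"),   # new TCP connections
    rule("block return-rst", iface="ppp0", proto="tcp", dport=113),  # auth, unlogged
    rule("pass", iface="ppp0", proto="tcp", dst="www", dport=80),
    rule("pass", iface="ppp0", proto="tcp", dst="gatekeeper", dport=22),
]

def pkt(iface, proto, src, dst, dport=None):
    """A constructed inbound packet. TCP packets are taken to be the SYN of a
    new connection, which is all the 'flags S/SA' rules look at."""
    return dict(iface=iface, proto=proto, src=ipaddress.ip_address(src),
                dst=dst, dport=dport)

def matches(r, p):
    return all([
        r["iface"] is None or r["iface"] == p["iface"],
        r["proto"] is None or r["proto"] == p["proto"],
        r["src"] is None or p["src"] in r["src"],
        r["dst"] is None or r["dst"] == p["dst"],
        r["dport"] is None or r["dport"] == p["dport"],
    ])

def evaluate(rules, p):
    """ipfilter semantics: the LAST matching rule wins, except that a matching
    rule marked 'quick' ends evaluation on the spot. Returns (action, logged)."""
    verdict = ("pass", False)  # the file's own catch-all 'pass in' rule
    for r in rules:
        if matches(r, p):
            verdict = (r["action"], r["log"])
            if r["quick"]:
                break
    return verdict
```

A packet claiming an inside source on ppp0 is stopped by the quick anti-spoof rule even when a later rule would pass it to www port 80, whereas a UDP datagram to port 53 is blocked by the broad UDP rule and then passed by the narrower rule that follows it.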