# $FreeBSD: releng/10.2/share/examples/ipfilter/ipf.conf.restrictive 85213 2001-10-20 04:17:07Z darrenr $
#--------------------------------------------------------------------------
# ed1 - external interface
# fxp0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
# 100 incoming ed1
# 150 outgoing ed1
# 200 incoming fxp0
# 250 outgoing fxp0
#--------------------------------------------------------------------------
block in log body on ed1 all head 100
block out log body on ed1 all head 150
#--------------------------------------------------------------------------
block in log on fxp0 all head 200
block out log on fxp0 all head 250
#--------------------------------------------------------------------------
# incoming ed1 traffic - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/24 group 100
block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
block in log quick from any to 127.0.0.1/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from any to 172.16.0.0/16 group 100
block in log quick from 192.168.0.0/16 to any group 100
# (not quick: a later matching rule in group 100 can still override this)
block in log from any to 192.168.0.0/16 group 100
# 3) implement policy
# allow incoming ftp-data
# NOTE: no port is given, so this rule passes any tcp/udp from anywhere to
# 192.168.1.0/24 (the /24 mask widens 192.168.1.1), far more than ftp-data.
pass in log quick proto tcp/udp from any to 192.168.1.1/24 keep state group 100
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing ed1 traffic - group 150
# Setup outgoing DNS
pass out log quick proto tcp/udp from any to 212.40.0.10 port = 53 keep state group 150
pass out log quick proto tcp/udp from any to 212.40.5.50 port = 53 keep state group 150
# allow outgoing http-service
pass out log quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
# allow outgoing smtp traffic
pass out log quick proto tcp from 192.168.1.1/24 to any port = 25 flags S/SA keep state group 150
# allow outgoing pop3 traffic
pass out log quick proto tcp from 192.168.1.1/24 to any port = 110 flags S/SA keep state group 150
# allow outgoing ftp traffic
pass out log quick proto tcp/udp from 192.168.1.1/24 to any port = ftp keep state group 150
pass out log quick proto icmp from any to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on fxp0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.1/32 to any group 200
block in log quick from 192.168.1.110/24 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on fxp0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.1/32 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------
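To see how the "head"/"group" structure, last-match-wins ordering and "quick" interact in the group 100 rules above, here is an added Python model (example code, not part of the FreeBSD file) that evaluates a constructed subset of the inbound rules against sample packets; it ignores ports, flags, "with", "keep state" and "return-*" options, and the addresses 203.0.113.5 and 198.51.100.7 are constructed test values.

```python
import ipaddress
# Minimal model of ipfilter rule evaluation (added example, not part of the
# FreeBSD file): rules run top to bottom and the LAST match wins, except that a
# matching "quick" rule ends evaluation at once; a matching "head N" rule sends
# evaluation into the rules tagged "group N". Ports, flags, "with", "keep state"
# and "return-*" options are deliberately ignored in this model.
def parse(line):
    t = line.split()
    r = {"action": t[0], "dir": "in" if "in" in t else "out", "quick": "quick" in t,
         "iface": None, "proto": None, "src": "any", "dst": "any",
         "head": None, "group": None}
    for i, w in enumerate(t):
        if w in ("on", "proto", "from", "to", "head", "group"):
            r[{"on": "iface", "from": "src", "to": "dst"}.get(w, w)] = t[i + 1]
    return r
def net_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))
            and net_ok(r["src"], p["src"]) and net_ok(r["dst"], p["dst"]))
def evaluate(rules, p, group=None):
    # Returns (verdict, stopped_by_quick) for one group; verdict None = no match.
    verdict = None
    for r in rules:
        if r["group"] != group or not matches(r, p): continue
        verdict = r["action"]
        if r["quick"]: return verdict, True
        if r["head"]:
            sub, quick = evaluate(rules, p, r["head"])
            verdict = sub or verdict
            if quick: return verdict, True
    return verdict, False

# Constructed subset of the ed1/fxp0 inbound rules from the file above.
RULES = [parse(l) for l in """
block in log body on ed1 all head 100
block in log on fxp0 all head 200
block in log quick from 10.0.0.0/8 to any group 100
block in log from any to 192.168.0.0/16 group 100
pass in log quick proto tcp/udp from any to 192.168.1.1/24 keep state group 100
block return-rst in log proto tcp from any to any group 100
pass in log quick from any to any group 200
""".strip().splitlines()]
def verdict(direction, iface, proto, src, dst):
    p = {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst}
    return evaluate(RULES, p)[0] or "pass"   # ipf defaults to pass when nothing matches
```

The first case below shows why the missing "quick" on the 192.168.0.0/16 block matters: the later "ftp-data" rule overrides it and any TCP from the internet reaches the internal /24.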