#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# Short packets are fragments too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything.  This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets going in/out of network interfaces that aren't the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow communication between the inside network and the outside only when
# it is initiated from the inside.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
pass in log quick proto udp all keep state group 200
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
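To see how this rule set actually treats packets, here is an added Python model of ipf's rule evaluation (example code written for this page, not part of IP Filter or of this rules file). It parses the subset of rule syntax used above into match criteria and applies ipf's evaluation order: the last matching rule wins unless a rule matches with `quick`; a matching `head` rule runs the rules of its group before evaluation continues; a `pass ... keep state` match records the flow so that later packets of it, in either direction and on either interface, bypass the rules entirely. The addresses are constructed (198.51.100.7 for ppp0, 192.168.1.0/24 for the inside network, 203.0.113.x for remote hosts), the state table is simplified to (proto, src, dst) without ports, and the `pass ... proto udp ... keep state group 200` rule that the UDP comment above describes is written out next to the TCP and ICMP ones.

```python
import ipaddress
from collections import defaultdict

# The page's rule set with its placeholders replaced by constructed addresses: ppp0 is
# 198.51.100.7 (so a.b.c.d/24 becomes 198.51.100.0/24) and the inside net is 192.168.1.0/24.
RULES = """
block in log quick all with short
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from 192.168.1.0/24 to any head 200
block out log on ed0 all head 250
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from 198.51.100.0/24 to any group 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
pass in quick on lo0 all
pass out quick on lo0 all
pass in log quick proto tcp all flags S/SA keep state group 200
pass in log quick proto udp all keep state group 200
pass in log quick proto icmp all keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 100
block return-icmp(net-unr) in proto udp all group 100
"""

def net(s): return None if s == "any" else ipaddress.ip_network(s, strict=False)

def parse_rule(line):
    """Parse the ipf subset the page uses; None / 0 defaults mean 'any' / top level."""
    t = line.split()
    i = 2 if t[1].startswith("return-") else 1          # optional return-rst / return-icmp(...)
    r = dict(action=t[0], direction=t[i], reply=t[1] if i == 2 else "", quick=False, iface=None,
             proto=None, src=None, dst=None, syn_only=False, keep_state=False, short=False, head=None, group=0)
    it = iter(t[i + 1:])                                 # keywords with an argument pull it via next(it)
    for tok in it:
        if tok == "quick": r["quick"] = True
        elif tok == "on": r["iface"] = next(it)
        elif tok == "proto": r["proto"] = next(it)
        elif tok == "from": r["src"] = net(next(it))
        elif tok == "to": r["dst"] = net(next(it))
        elif tok == "keep": r["keep_state"] = next(it) == "state"
        elif tok == "with": r["short"] = next(it) == "short"       # match short fragments only
        elif tok == "head": r["head"] = int(next(it))
        elif tok == "group": r["group"] = int(next(it))
        elif tok == "flags":
            assert next(it) == "S/SA", "only flags S/SA (SYN set, ACK clear) is modelled"
            r["syn_only"] = True
        elif tok not in ("log", "all"): raise ValueError(f"unsupported token {tok!r}")
    return r

def packet(direction, iface, proto, src, dst, syn_only=False, short=False):
    return dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst, syn_only=syn_only, short=short)

def matches(r, p):
    return (r["direction"] == p["dir"]
            and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and (not r["syn_only"] or (p["proto"] == "tcp" and p["syn_only"]))
            and (not r["short"] or p["short"]))

class Firewall:
    """ipf evaluation: the last matching rule wins unless a match is 'quick'; a matching
    'head' rule hands over to its group; a packet with a state entry skips the rules."""
    def __init__(self, text):
        self.groups = defaultdict(list)                   # group number -> rules (0 = top level)
        for r in map(parse_rule, filter(str.strip, text.splitlines())):
            self.groups[r["group"]].append(r)
        self.state = set()   # simplified state table: (proto, src, dst) both ways, no ports, any interface

    def verdict(self, p):
        key = (p["proto"], p["src"], p["dst"])
        if key in self.state:
            return "pass [state]"
        decision = None
        def walk(group):
            nonlocal decision
            for r in self.groups.get(group, []):
                if matches(r, p):
                    decision = r                          # a later match overrides an earlier one
                    if (r["head"] is not None and walk(r["head"])) or r["quick"]:
                        return True                       # quick ends evaluation
            return False
        walk(0)
        if decision is None:
            return "pass [no rule matched]"               # ipf's default verdict is pass
        if decision["action"] == "pass" and decision["keep_state"]:
            self.state |= {key, (p["proto"], p["dst"], p["src"])}   # cover both directions of the flow
        return f"{decision['action']} {decision['reply']}".strip()

if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.verdict(packet("in", "ed0", "tcp", "192.168.1.10", "203.0.113.5", syn_only=True)))  # pass
    print(fw.verdict(packet("in", "ppp0", "tcp", "203.0.113.5", "192.168.1.10")))                # pass [state]
    print(fw.verdict(packet("in", "ppp0", "tcp", "203.0.113.9", "198.51.100.7", syn_only=True)))  # block return-rst
```

Running it shows three things the rules alone do not make obvious. There is no `pass in ... on ppp0` rule at all: replies from the outside get in only because the inside host's SYN, passed by the group 200 rule, created a state entry, and the same entry also carries that SYN out through `head 150`. An unsolicited SYN or UDP datagram arriving on ppp0 falls through all the `quick` rules of group 100 and ends on the `return-rst` or `return-icmp(net-unr)` block. And because the ed0 head rule only matches `from w.x.y.z/24`, a packet arriving on ed0 with a source outside that network matches no rule and gets ipf's default pass rather than a block; the model reports this as `pass [no rule matched]`, and a stricter version of the file would make the ed0 head rule match `all`, as the ppp0 one does, so that every inbound packet is at least logged.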
73