BASIC_2.FW revision 255332
#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
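The rule set above relies on IPFilter's "last match wins, unless `quick`" ordering and on `head`/`group` to divert inbound ppp0 and ed0 traffic into their own sub-lists. To make that walk visible, here is an added example, not part of ipfilter or of this sample file: a small Python evaluator that parses the rules above (with the `a.b.c.d` and `w.x.y.z` placeholders replaced by constructed documentation addresses, 203.0.113.10 for ppp0 and 192.0.2.1 for ed0, which is an assumption) and reports which rule decides a packet's fate. It models only rule order, `quick`, `head`/`group`, and interface/protocol/address/flag/`with short` matching; `keep state`, `log` and the `return-*` responses are deliberately left out.

```python
# Added example (not ipfilter code): a simplified evaluator for the rule set
# above.  Models rule order, `quick`, `head`/`group` and address/interface/
# protocol/flag matching only; `keep state`, `log` and return-* are not modelled.
# The a.b.c.d / w.x.y.z placeholders are replaced with constructed addresses.
from __future__ import annotations
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

RULES_TEXT = """
block in log quick all with short
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from a.b.c.d/24 to any group 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
pass in quick on lo0 all
pass out quick on lo0 all
pass in log quick proto tcp all flags S/SA keep state group 200
pass in log quick proto icmp all keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 100
block return-icmp(net-unr) in proto udp all group 100
""".replace("a.b.c.d", "203.0.113.10").replace("w.x.y.z", "192.0.2.1")

@dataclass
class Rule:
    action: str                   # "block" or "pass"
    text: str                     # original rule line, for reporting
    direction: str = ""           # "in" or "out"
    quick: bool = False           # stop evaluating once this rule matches
    iface: str | None = None      # None = any interface
    proto: str | None = None      # None = any protocol
    src: ipaddress.IPv4Network | None = None   # None = any
    dst: ipaddress.IPv4Network | None = None
    flags: str | None = None      # "S/SA": flags that must be set / flags examined
    short: bool = False           # only match short fragments (`with short`)
    head: int | None = None       # a match diverts processing into group N
    group: int = 0                # group this rule lives in (0 = top level)

# flags holds TCP flag letters, e.g. frozenset("S") for a SYN-only segment
Packet = namedtuple("Packet", "direction iface proto src dst flags short",
                    defaults=(frozenset(), False))

def _addr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    toks = line.split()
    r, i = Rule(action=toks[0], text=line), 1
    while i < len(toks):
        t, v = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        i += 1
        if t in ("in", "out"): r.direction = t
        elif t == "quick": r.quick = True
        elif t == "on": r.iface, i = v, i + 1
        elif t == "proto": r.proto, i = v, i + 1
        elif t == "from": r.src, i = _addr(v), i + 1
        elif t == "to": r.dst, i = _addr(v), i + 1
        elif t == "flags": r.flags, i = v, i + 1
        elif t == "with": r.short, i = (v == "short"), i + 1
        elif t == "head": r.head, i = int(v), i + 1
        elif t == "group": r.group, i = int(v), i + 1
        elif t in ("log", "all", "keep", "state") or t.startswith("return-"):
            pass    # no effect on the pass/block decision in this model
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return r

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def matches(r, pkt):
    ok = (r.direction == pkt.direction and r.iface in (None, pkt.iface)
          and r.proto in (None, pkt.proto) and (pkt.short or not r.short)
          and (r.src is None or ipaddress.ip_address(pkt.src) in r.src)
          and (r.dst is None or ipaddress.ip_address(pkt.dst) in r.dst))
    if ok and r.flags:   # of the flags in `mask`, exactly those in `want` must be set
        want, mask = r.flags.split("/")
        ok = pkt.proto == "tcp" and {f for f in pkt.flags if f in mask} == set(want)
    return ok

def _walk(rules, pkt, group):
    """Return (last matching rule in this group, stopped by quick?)."""
    last = None
    for r in (x for x in rules if x.group == group):
        if not matches(r, pkt):
            continue
        last = r                           # last match wins...
        if r.head is not None:             # ...but a matching head descends first
            sub, quick = _walk(rules, pkt, r.head)
            last = sub or last
            if quick:
                return last, True
        if r.quick:                        # ...and quick ends the walk
            return last, True
    return last, False

def decide(rules, pkt):
    """Return ('block'|'pass', deciding rule text); an unmatched packet passes."""
    rule = _walk(rules, pkt, 0)[0]
    return (rule.action, rule.text) if rule else ("pass", "")

RULES = parse_rules(RULES_TEXT)
```

Running `decide(RULES, Packet("in", "ppp0", "tcp", "198.51.100.7", "203.0.113.10", frozenset("S")))` lands on the `return-rst` rule in group 100, while an ACK-only segment from the same source falls back to the `head 100` rule's own block, because nothing in the group matched it. Note that a reply packet travelling out on ed0 is blocked by `head 250` in this model: in real IPFilter the `keep state` entry created by the LAN host's SYN admits that reply before the rules are consulted, which is exactly the part this evaluator leaves out.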