# $FreeBSD: releng/11.0/share/examples/ipfilter/ipf.conf.restrictive 85213 2001-10-20 04:17:07Z darrenr $
#--------------------------------------------------------------------------
# ed1 - external interface
# fxp0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
# 100 incoming ed1
# 150 outgoing ed1
# 200 incoming fxp0
# 250 outgoing fxp0
#--------------------------------------------------------------------------
block in log body on ed1 all head 100
block out log body on ed1 all head 150
#--------------------------------------------------------------------------
block in log on fxp0 all head 200
block out log on fxp0 all head 250
#--------------------------------------------------------------------------
# incoming ed1 traffic - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/24 group 100
block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
block in log quick from any to 127.0.0.1/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from any to 172.16.0.0/16 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log from any to 192.168.0.0/16 group 100
# 3) implement policy
# allow incoming ftp-data
pass in log quick proto tcp/udp from any to 192.168.1.1/24 keep state group 100
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing ed1 traffic - group 150
# Setup outgoing DNS
pass out log quick proto tcp/udp from any to 212.40.0.10 port = 53 keep state group 150
pass out log quick proto tcp/udp from any to 212.40.5.50 port = 53 keep state group 150
# allow outgoing http-service
pass out log quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
# allow outgoing smtp traffic
pass out log quick proto tcp from 192.168.1.1/24 to any port = 25 flags S/SA keep state group 150
# allow outgoing pop3 traffic
pass out log quick proto tcp from 192.168.1.1/24 to any port = 110 flags S/SA keep state group 150
# allow outgoing ftp traffic
pass out log quick proto tcp/udp from 192.168.1.1/24 to any port = ftp keep state group 150
pass out log quick proto icmp from any to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on fxp0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.1/32 to any group 200
block in log quick from 192.168.1.110/24 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on fxp0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.1/32 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------
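The ruleset above depends on two things that are easy to get wrong by hand: every `group N` must correspond to a `head N` rule, and a `block` without `quick` is not terminal, so a later `pass` in the same group wins (the `block in log from any to 192.168.0.0/16 group 100` rule is such a non-terminal block, overridden for 192.168.1.0/24 by the `pass in ... keep state group 100` rule that follows it). The following linter is an added example, not part of the FreeBSD sample file or of ipfilter itself. It parses a constructed, trimmed copy of the ruleset (with one made-up `group 200` reference and the `nay` typo left in as test material) and reports undefined groups, unparsable address tokens and shadowed blocks. The function names `parse_rule`, `address_ok` and `lint_rules` are my own.

```python
"""Lint an ipfilter (ipf.conf) ruleset for structural mistakes.

Added example, not part of the FreeBSD sample file: a small parser that
checks group/head bookkeeping, address tokens and non-terminal blocks.
"""
import ipaddress

# Constructed sample: a trimmed copy of the restrictive ruleset, with a
# reference to an undefined group 200 and the "nay" typo kept on purpose.
SAMPLE_RULES = """\
block in log body on ed1 all head 100
block out log body on ed1 all head 150
block out log on fxp0 all head 250
block in log quick from 10.0.0.0/8 to any group 100
block in log from any to 192.168.0.0/16 group 100
pass in log quick proto tcp/udp from any to 192.168.1.1/24 keep state group 100
block return-rst in log proto tcp from any to any group 100
pass in log quick from any to any group 200
pass out log quick from any to nay group 250
"""


def parse_rule(line):
    """Return the fields of one ipf rule we care about, or None for comments/blank."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    words = line.split()
    rule = {"action": words[0], "direction": None, "quick": "quick" in words,
            "src": None, "dst": None, "group": None, "head": None, "text": line}
    for i, w in enumerate(words):
        nxt = words[i + 1] if i + 1 < len(words) else None
        if w in ("in", "out") and rule["direction"] is None:
            rule["direction"] = w          # first in/out keyword is the direction
        elif w == "from":
            rule["src"] = nxt
        elif w == "to":
            rule["dst"] = nxt
        elif w == "group":
            rule["group"] = nxt
        elif w == "head":
            rule["head"] = nxt
    return rule


def address_ok(token):
    """'any' or anything the ipaddress module can read as a network is acceptable.

    strict=False mirrors ipf, which accepts host/mask pairs like 192.168.1.1/24.
    """
    if token is None or token == "any":
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint_rules(text):
    """Return a list of (finding, rule_text) tuples for the given ruleset."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    heads = {r["head"] for r in rules if r["head"]}
    findings = []
    for r in rules:
        if r["group"] and r["group"] not in heads:
            findings.append(("undefined-group", r["text"]))
        for side in ("src", "dst"):
            if not address_ok(r[side]):
                findings.append(("bad-address", r["text"]))
    # A block without quick is non-terminal: any later pass in the same group
    # overrides it, which is usually not what a "restrictive" ruleset intends.
    by_group = {}
    for r in rules:
        by_group.setdefault(r["group"], []).append(r)
    for members in by_group.values():
        for i, r in enumerate(members):
            if r["action"] == "block" and not r["quick"] and r["head"] is None:
                if any(m["action"] == "pass" for m in members[i + 1:]):
                    findings.append(("shadowed-block", r["text"]))
    return findings


if __name__ == "__main__":
    for kind, text in lint_rules(SAMPLE_RULES):
        print(f"{kind:16s} {text}")
```

The linter is intentionally conservative: it does not know the interface names, does not resolve service names such as `ftp`, and does not check that a private-range block actually covers the whole RFC 1918 range (the `172.16.0.0/16` rules above cover only the first /16 of 172.16.0.0/12). Running it over a real ruleset before `ipf -Fa -f` is a cheap way to catch the bookkeeping errors that ipf's own parser accepts without complaint.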