#!/sbin/ipf -f - # # SAMPLE: RESTRICTIVE FILTER RULES # # THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 # # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 # # ed0 - (internal) network interface, address w.x.y.z/32 # # This file contains the basic rules needed to construct a firewall for the # above situation. # #------------------------------------------------------- # *Nasty* packets we don't want to allow near us at all! # short packets which are packets fragmented too short to be real. block in log quick all with short #------------------------------------------------------- # Group setup. # ============ # By default, block and log everything. This maybe too much logging # (especially for ed0) and needs to be further refined. # block in log on ppp0 all head 100 block in log proto tcp all flags S/SA head 101 group 100 block out log on ppp0 all head 150 block in log on ed0 from w.x.y.z/24 to any head 200 block in log proto tcp all flags S/SA head 201 group 200 block in log proto udp all head 202 group 200 block out log on ed0 all head 250 #------------------------------------------------------- # Localhost packets. # ================== # packets going in/out of network interfaces that aren't on the loopback # interface should *NOT* exist. block in log quick from 127.0.0.0/8 to any group 100 block in log quick from any to 127.0.0.0/8 group 100 block in log quick from 127.0.0.0/8 to any group 200 block in log quick from any to 127.0.0.0/8 group 200 # And of course, make sure the loopback allows packets to traverse it. pass in quick on lo0 all pass out quick on lo0 all #------------------------------------------------------- # Invalid Internet packets. # ========================= # # Deny reserved addresses. # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 block in log quick from 172.16.0.0/12 to any group 100 # # Prevent IP spoofing. # block in log quick from a.b.c.d/24 to any group 100 # #------------------------------------------------------- # Allow outgoing DNS requests (no named on firewall) # pass in quick proto udp from any to any port = 53 keep state group 202 # # If we were running named on the firewall and all internal hosts talked to # it, we'd use the following: # #pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202 #pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state # # Allow outgoing FTP from any internal host to any external FTP server. # pass in quick proto tcp from any to any port = ftp keep state group 201 pass in quick proto tcp from any to any port = ftp-data keep state group 201 pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101 # # Allow NTP from any internal host to any external NTP server. # pass in quick proto udp from any to any port = ntp keep state group 202 # # Allow outgoing connections: SSH, TELNET, WWW # pass in quick proto tcp from any to any port = 22 keep state group 201 pass in quick proto tcp from any to any port = telnet keep state group 201 pass in quick proto tcp from any to any port = www keep state group 201 # #------------------------------------------------------- block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100 # # Allow incoming to the external firewall interface: mail, WWW, DNS # pass in log quick proto tcp from any to any port = smtp keep state group 110 pass in log quick proto tcp from any to any port = www keep state group 110 pass in log quick proto tcp from any to any port = 53 keep state group 110 pass in log quick proto udp from any to any port = 53 keep state group 100 #------------------------------------------------------- # Log these: # ========== # * return RST packets for invalid SYN packets to help the other end close block return-rst in log proto tcp from any to any flags S/SA group 100 # * return ICMP error packets for invalid UDP packets block return-icmp(net-unr) in proto udp all group 100