Kevin D. Kinsey, DaleCo, S.P. ([EMAIL PROTECTED]) wrote:

> So, you're using ipf or ipfilter, not
> ipfw, as I take it from your syntax.

# ipfilter logging
ipmon_enable="yes"
ipmon_flags="-D /var/log/ipflog"

> I imagine the ipfilter gurus on the
> list would like to see your entire
> ruleset.

I had to set my tw=80 in order to prevent wrapping. Hope this doesn't tick
anybody off. Please, if anybody sees any huge, gaping holes, point them out,
preferably in private email.

#---------------------------------------------------------
#
# ipfilter rules
#
# interfaces:
#   xl0 - external
#   xl1 - internal
#
#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow traffic for services we provide
#----------------------------------------------------------------
pass in quick on xl0 proto tcp/udp from any to any port = 53   # DNS
pass in quick on xl0 proto tcp from any to any port = 22       # SSH
pass in quick on xl0 proto tcp from any to any port = 25       # SMTP
pass in quick on xl0 proto tcp from any to any port = 80       # WWW

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any       # loopback
block in log quick on xl0 from 0.0.0.0/8 to any         # "this" network (RFC 1122)
block in log quick on xl0 from 169.254.0.0/16 to any    # DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any      # reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any           # Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on xl0 proto udp from 10.0.0.0/8 to any port = 68 keep state

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
#  - Block TCP with a RST (to make it appear as if the service
#    isn't listening)
#  - Block UDP with an ICMP Port Unreachable (to make it appear
#    as if the service isn't listening)
#  - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

## EOF

--
mike

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
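One check a reviewer of a "quick" (first-match-wins) ruleset like the one above would want is a shadowing test: a later rule can never fire if an earlier quick rule on the same interface and direction already decides every packet it could match. The following is an added example, not code from mike's post or from ipfilter itself; it parses only the rule shapes used in this ruleset (action, in/out, on, proto, from, port =) and runs on a constructed excerpt of the posted xl0 inbound rules.

```python
import ipaddress

# Constructed excerpt of the posted xl0 inbound rules ("quick" = first match wins).
RULES = """
pass in quick on xl0 proto tcp/udp from any to any port = 53 # DNS
pass in quick on xl0 proto tcp from any to any port = 22 # SSH
block in log quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
pass in quick on xl0 proto udp from 10.0.0.0/8 to any port = 68 keep state
block in log quick on xl0 all
"""

def parse_rule(line):
    """Parse one ipf rule into a dict; None for comments and blank lines."""
    toks = line.split("#", 1)[0].split()
    if not toks or toks[0] not in ("pass", "block"):
        return None
    def after(key, default):
        return toks[toks.index(key) + 1] if key in toks else default
    src, port = after("from", "any"), after("port", "any")
    if port == "=":  # "port = 53" form
        port = toks[toks.index("port") + 2]
    net = "0.0.0.0/0" if src == "any" else src
    return {"dir": "in" if "in" in toks else "out", "iface": after("on", "any"),
            "proto": after("proto", "any"), "port": port, "quick": "quick" in toks,
            "src": ipaddress.ip_network(net, strict=False), "text": " ".join(toks)}

def covers(earlier, later):
    """True if an earlier quick rule decides every packet the later rule could
    match: same dir/iface, proto and port at least as broad, source inside."""
    proto_ok = earlier["proto"] == "any" or (later["proto"] != "any" and
        set(later["proto"].split("/")) <= set(earlier["proto"].split("/")))
    return (earlier["quick"] and earlier["dir"] == later["dir"]
            and earlier["iface"] in ("any", later["iface"]) and proto_ok
            and earlier["port"] in ("any", later["port"])
            and later["src"].subnet_of(earlier["src"]))

def find_shadowed(ruleset):
    """Return (shadowed rule, shadowing rule) pairs in ruleset order."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["text"], earlier["text"]))
                break
    return found

if __name__ == "__main__":
    for shadowed, by in find_shadowed(RULES):
        print("never matches:", shadowed, "\n  shadowed by:  ", by)
```

On this excerpt it reports the bootp pass rule as unreachable, because the RFC 1918 block for 10.0.0.0/8 appears earlier with quick; the SSH rule is not flagged, since the port check keeps the DNS rule from counting as a match.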