#!/sbin/ipf -f -
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# Short packets are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets going in/out of network interfaces that aren't the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# If we were running named on the firewall and all internal hosts talked to
# it, we'd use the following:
#
#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
#
# Allow outgoing FTP from any internal host to any external FTP server.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
pass in quick proto udp from any to any port = ntp keep state group 202
#
# Allow outgoing connections: SSH, TELNET, WWW
#
pass in quick proto tcp from any to any port = 8250 keep state group 201
pass in quick proto tcp from any to any port = 22 keep state group 201
pass in quick proto tcp from any to any port = telnet keep state group 201
pass in quick proto tcp from any to any port = www keep state group 201
#
#-------------------------------------------------------
block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
#
# Allow incoming to the external firewall interface: mail, WWW, DNS
#
pass in log quick proto tcp from any to any port = smtp keep state group 110
pass in log quick proto tcp from any to any port = www keep state group 110
pass in log quick proto tcp from any to any port = 53 keep state group 110
pass in log quick proto udp from any to any port = 53 keep state group 100
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
#
# Deny any ping/scan/packet
block in all with frag
block in quick on xl0 proto igmp all
block in log quick all with ipopt
block in log quick on xl0 proto udp all
block in log quick on xl0 proto icmp all
block in quick on xl0 proto icmp from any to any icmp-type 0
block in quick on xl0 proto icmp from any to any icmp-type 8
#
# Deny any scan/header grab
block in quick on xl0 proto tcp from any to any flags FUP
block in log quick on xl0 proto tcp from any to any flags FUP/FUP
block in log quick on xl0 proto tcp from any to any flags SF/SFRA
block in log quick on xl0 proto tcp from any to any flags /SFRA
block in log on xl0 proto tcp/udp from any to any port = 111
block return-rst in log proto tcp from any to any
block in log quick all with short
block in log quick all with ipopt
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log on xl0 proto tcp/udp from any to any port = 161
block in log on xl0 proto tcp from any to any port = 1022
block in log on xl0 proto tcp/udp from any to any port = 1023
block in log on xl0 proto tcp/udp from any to any port = 2049
block in quick on xl0 proto tcp from any to any port 5999 >< 6010
block in quick on xl0 proto tcp/udp from any to any port 511 >< 516
block in quick on xl0 proto tcp/udp from any to any port 65 >< 70
block in quick on xl0 proto tcp/udp from any to any port 136 >< 142
# A port match only makes sense for TCP/UDP, so the protocol is given explicitly.
block in quick on xl0 proto tcp/udp from any to any port = 3306
block in quick on xl0 proto tcp/udp from any to any port = 902
block in quick on xl0 proto tcp/udp from any to any port = 10000
#
# Note: a /24 matches the whole subnet; a /32 matches a single host.
# Deny access from these hosts and networks.
block in quick on xl0 from 211.157.101.52/32 to any
block in quick on xl0 from 64.143.34.0/24 to any
block in quick on xl0 from 202.186.0.0/16 to any
block in quick on xl0 from 192.228.0.0/16 to any
block in quick on xl0 from 202.187.0.0/16 to any
block in quick on xl0 from 202.184.0.0/16 to any
block in quick on xl0 from 192.0.0.0/8 to any
block in quick on xl0 from 202.189.111.0/24 to any
block in quick on xl0 from 202.196.112.0/24 to any
#
# Allow outgoing from localhost
pass out quick on xl0 proto udp from 202.190.32.2 to any port = 53 keep state
pass out quick on xl0 proto udp from 202.188.0.133 to any port = 53 keep state
pass out quick on xl0 proto udp from 202.188.1.5 to any port = 53 keep state
pass out quick on xl0 proto udp from 192.228.180.2 to any port = 53 keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto tcp from any to any port = 4343 keep state
pass out quick on xl0 proto tcp from any to any port = 21 keep state
pass out quick on xl0 proto tcp from any to any port = 22 keep state
pass out quick on xl0 proto tcp from any to any port = 8250 keep state
pass out quick on xl0 proto tcp from any to any port = 25 keep state
pass out quick on xl0 proto tcp from any to any port = 67 keep state
pass out quick on xl0 proto tcp from any to any port = 68 keep state
pass out quick on xl0 proto tcp from any to any port = 80 keep state
pass out quick on xl0 proto tcp from any to any port = 113 keep state
pass out quick on xl0 proto tcp from any to any port = 6667 keep state
pass out quick on xl0 proto tcp from any to any port = 7000 keep state
#pass out quick on tl0 proto tcp/udp to any port = 540 keep state
#pass out quick on tl0 proto tcp/udp to any port = 65123 keep state
#pass out quick on tl0 proto icmp from any to any icmp-type 0
#pass out quick on tl0 proto icmp from any to any icmp-type 11
#
# Allow incoming to server
pass in quick on xl0 proto udp from 202.188.0.133 to any port = 53 keep state
pass in quick on xl0 proto udp from 202.188.1.5 to any port = 53 keep state
pass in quick on xl0 proto udp from 192.228.180.2 to any port = 53 keep state
pass in quick on xl0 proto tcp from any to any keep state
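The head/group layout above only does what the comments promise if ipf's ordering semantics are kept in mind: the last matching rule wins, a matching `quick` rule ends processing immediately, and a matching `head N` rule diverts the packet into `group N` before the walk continues. The following evaluator is an added example, not part of the original ruleset and not ipf code; it models exactly those three rules over a small subset of the syntax and runs a few packets through a constructed ruleset that copies the ppp0/ed0 group layout of the first section. The addresses 203.0.113.5 (standing in for a.b.c.d) and 192.0.2.0/24 (standing in for w.x.y.z) are assumptions, `keep state` is accepted but not modelled (there is no state table), and any keyword the evaluator does not understand raises rather than being skipped.

```python
"""Evaluator for a small subset of IP Filter (ipf) rule syntax.

Added example, not part of the original ruleset. It models the ordering
semantics that decide what a ruleset does to a packet: the LAST matching
rule wins, unless a matching rule says 'quick' (which ends processing at
once); a matching 'head N' rule hands the packet to the rules of 'group N'
before the walk continues. 'keep state' and 'log' are accepted but ignored;
unmodelled keywords raise, so no rule is ever skipped silently.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset (not the page's): the page's ppp0/ed0 head/group layout
# with documentation addresses standing in for a.b.c.d (203.0.113.5 on ppp0)
# and w.x.y.z (192.0.2.0/24 on ed0).
RULES_TEXT = """
block in log on ppp0 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block in log on ed0 from 192.0.2.0/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 203.0.113.0/24 to any group 100
pass in quick proto tcp from any to any port = 22 keep state group 201
pass in quick proto tcp from any to any port = 80 keep state group 201
block in log proto tcp from any to 203.0.113.5/32 flags S/SA head 110 group 100
pass in log quick proto tcp from any to any port = 25 keep state group 110
pass in log quick proto tcp from any to any port = 80 keep state group 110
"""


@dataclass
class Rule:
    text: str
    action: str                  # 'pass' or 'block'
    direction: str               # 'in' or 'out'
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means 'any'
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    syn_only: bool = False       # 'flags S/SA': SYN set, ACK clear
    head: Optional[int] = None
    group: Optional[int] = None  # None means the top-level rule list


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


# keyword -> (Rule field, converter) for keywords that take one argument
TWO_ARG = {"on": ("iface", str), "proto": ("proto", str), "from": ("src", _net),
           "to": ("dst", _net), "head": ("head", int), "group": ("group", int)}


def parse_rule(line: str) -> Rule:
    t = line.split()
    r = Rule(text=line, action=t[0], direction=t[1])
    i = 2
    while i < len(t):
        w = t[i]
        if w in TWO_ARG:
            field, conv = TWO_ARG[w]
            setattr(r, field, conv(t[i + 1]))
            i += 2
        elif w == "port" and t[i + 1] == "=":       # only 'port = N' is modelled
            r.dport = int(t[i + 2])
            i += 3
        elif w == "flags" and t[i + 1] == "S/SA":   # the only flag form modelled
            r.syn_only = True
            i += 2
        elif w in ("quick", "log", "all"):
            r.quick |= w == "quick"
            i += 1
        elif w == "keep" and t[i + 1] == "state":   # no state table here
            i += 2
        else:
            raise ValueError(f"unsupported syntax {w!r} in: {line}")
    return r


def matches(r: Rule, direction, iface, proto, src, dst, dport, syn) -> bool:
    """Does rule r match the packet? Every unset rule field is a wildcard."""
    return (r.direction == direction
            and (r.iface is None or r.iface == iface)
            and (r.proto is None or r.proto == proto)
            and (r.src is None or ipaddress.ip_address(src) in r.src)
            and (r.dst is None or ipaddress.ip_address(dst) in r.dst)
            and (r.dport is None or r.dport == dport)
            and (not r.syn_only or syn))


def evaluate(rules, direction, iface, proto, src, dst, dport=0, syn=False):
    """Return (action, rule text) ipf would apply; with no match ipf passes."""
    groups = {}
    for r in rules:
        groups.setdefault(r.group, []).append(r)
    last = [None]                          # last matching rule so far

    def walk(group_id) -> bool:            # True when a 'quick' rule ended the walk
        for r in groups.get(group_id, []):
            if not matches(r, direction, iface, proto, src, dst, dport, syn):
                continue
            last[0] = r
            if r.quick:
                return True
            if r.head is not None and walk(r.head):
                return True
        return False

    walk(None)
    r = last[0]
    return (r.action, r.text) if r else ("pass", "<no rule matched; ipf default>")


RULES = [parse_rule(ln) for ln in RULES_TEXT.splitlines() if ln.strip()]

if __name__ == "__main__":
    for pkt in [("in", "ppp0", "tcp", "10.1.2.3", "203.0.113.5", 25, True),      # spoofed source
                ("in", "ppp0", "tcp", "198.51.100.7", "203.0.113.5", 25, True),  # SMTP to firewall
                ("in", "ppp0", "tcp", "198.51.100.7", "203.0.113.5", 23, True),  # telnet to firewall
                ("in", "ed0", "tcp", "192.0.2.10", "198.51.100.7", 80, True)]:   # LAN host to web
        print(pkt, "->", evaluate(RULES, *pkt))
```

The walk shows why the SYN-only `head 101`/`head 201` rules matter: a packet that reaches a group and matches no `pass` in it falls back to the group's head, whose action is `block`, so anything not explicitly allowed is dropped even though the head itself is not `quick`. The real tool for this job on an IPFilter host is `ipftest`, which replays packets against a rule file without loading it; the evaluator above is only a reading aid for the ordering semantics.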