From: Randy Bush <randy@psg.com>
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: ipf idiot wants to roam
Date: Sun, 25 Mar 2001 10:09:25 -0800

[ i can find no list for ipf questions.  if folk know of one, please tell me. ]

installing ipf on a machine which roams and therefore changes both
interfaces (wi0, ep0, and tun0) and ip addresses.  trying to come up with
an ipf.rules as a first time ipf user.  help appreciated.

randy

---

#!/sbin/ipf -f -
#
#-------------------------------------------------------
#
# short packets which are packets fragmented too short to be real
#
block in log first quick all with short
#
# loose and strict source routed packets
#
block in log first quick all with opt lsrr
block in log first quick all with opt ssrr
#
# reserved addresses
#
block in log first quick from 10.0.0.0/8 to any
block in log first quick from 192.168.0.0/16 to any
block in log first quick from 172.16.0.0/12 to any
#
#-------------------------------------------------------
#
# loopback allows all packets
#
pass in quick on lo0 all
pass out quick on lo0 all
#
#
# Support all icmp connections initiated from inside
# (outbound with keep state: the replies come back via the state table)
#
pass out log first quick proto icmp all keep state
#
pass in quick proto icmp from any to any icmp-type 0
pass in quick proto icmp from any to any icmp-type 11
block in log first quick proto icmp from any to any
#
#-------------------------------------------------------
#
pass in quick proto udp from any to any port = 67	# dhcps
pass in quick proto udp from any to any port = 68	# dhcpc
pass in quick proto udp from any to any port = 123	# ntp
#
pass in quick proto tcp from any to any port = 13	# daytime
pass in quick proto tcp from any to any port = 22	# ssh
pass in quick proto tcp from any to any port = 25	# smtp
pass in quick proto tcp from any to any port = 53	# dns
pass in quick proto tcp from any to any port = 113	# ident
#
#-------------------------------------------------------
#
# Allow any communication between the inside network and the outside only
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
# (outbound with keep state: only SYNs we send create state, and only
# the matching replies are let back in)
#
pass out log first quick proto tcp all flags S/SA keep state
#-------------------------------------------------------
#
# log these
#
# return RST packets for invalid SYN packets to help the other end close
block return-rst in log first proto tcp from any to any flags S/SA
# return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all
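A ruleset built for the roaming problem the post describes, as an added example; it is not part of Randy's message nor of any list reply. The point of the design is that a host whose interface and address change must not name either in its rules: only lo0 is named, everything the host initiates is passed out with keep state, and inbound is limited to the DHCP client port, ssh, and the two ICMP error types that matter for our own connections. The RFC 1918 source blocks from the posted draft are left out on purpose, because a roaming host is frequently itself on a 10/8 or 192.168/16 network behind a NAT, and a quick block on those sources would drop the DHCP offer and the gateway's packets before the pass rules are reached. In ipf the last matching rule wins unless a rule says quick, so the two catch-all blocks go first and every other rule is quick. The shell wrapper parses the file with `ipf -n -f` before touching the kernel and loads it with `ipf -Fa -f`; RULES_FILE and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Randy's posted draft: an interface- and
# address-agnostic ipf ruleset for a host that roams between wi0, ep0
# and tun0, plus helpers to write, check and load it.  RULES_FILE and
# the function names are assumptions; the ipf flags are standard.

RULES_FILE=${RULES_FILE:-/etc/ipf.rules}

# Print the ruleset on stdout.  Only lo0 is ever named and no local
# address appears, so the same file is valid on every network.
gen_roaming_rules() {
    cat <<'EOF'
# --- default policy: last match wins, so these go first --------------
block in log first all
block out log first all
# --- sanity: nothing legitimate sends these ---------------------------
block in log first quick all with short
block in log first quick all with opt lsrr
block in log first quick all with opt ssrr
# (no RFC 1918 source blocks: the DHCP server and gateway of the
#  network we roam onto are often 10/8 or 192.168/16 addresses)
# --- loopback ----------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
# --- inbound: only what this host actually serves ----------------------
# DHCP offers can arrive as broadcasts that match no state entry, so the
# client port is opened explicitly instead of relying on keep state.
pass in quick proto udp from any to any port = 68
pass in quick proto tcp from any to any port = 22 flags S/SA keep state
# ICMP errors for our own connections: unreachable (path MTU discovery)
# and time exceeded (traceroute).
pass in quick proto icmp from any to any icmp-type 3
pass in quick proto icmp from any to any icmp-type 11
# --- outbound: everything this host initiates, tracked by state --------
pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state
pass out quick proto icmp all keep state
# --- polite rejection for the rest (quick, so they beat the defaults) --
block return-rst in log first quick proto tcp all flags S/SA
block return-icmp(net-unr) in log first quick proto udp all
EOF
}

# True when no rule names an interface other than lo0.  A roaming host
# must never bind a rule to wi0/ep0/tun0, since the file would then be
# wrong whenever the host comes up on a different interface.
rules_are_interface_agnostic() {
    ! grep -E '(^|[[:space:]])on[[:space:]]+[a-z]+[0-9]' "$1" |
        grep -Evq '[[:space:]]on[[:space:]]+lo0([[:space:]]|$)'
}

# Write the file, let ipf parse it without touching the kernel (-n),
# then flush the active set and load it (-Fa -f).  Nonzero on failure.
load_roaming_rules() {
    tmp=$(mktemp) || return 1
    gen_roaming_rules > "$tmp"
    if ! rules_are_interface_agnostic "$tmp"; then
        echo "refusing to load: a rule names a roaming interface" >&2
        rm -f "$tmp"; return 1
    fi
    if ! ipf -n -f "$tmp"; then
        echo "refusing to load: ipf cannot parse the ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$RULES_FILE" && ipf -Fa -f "$RULES_FILE"
}

# "sh roam-ipf.sh load" installs the rules; no argument just prints them.
case "${1:-}" in
    load) load_roaming_rules ;;
    *)    gen_roaming_rules ;;
esac
```

Because nothing in the file depends on the current interface or address, the same invocation can be run from the boot sequence and again from a dhclient hook after each move; the parse check with -n is what keeps a typo from leaving the host with a flushed, empty rule set.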