Date: Thu, 3 May 2001 02:09:01 -0400
From: parv <parv_@yahoo.com>
To: f-q <freebsd-questions@freebsd.org>
Subject: Re: review ipf rules
Message-ID: <20010503020901.A17561@moo.holy.cow>
In-Reply-To: <20010420185347.A26268@moo.holy.cow>
References: <20010420185347.A26268@moo.holy.cow>
so, me shared this...

> what do people think of following ipf rules? they're for a
> standalone machine connected to internet via ppp via
> modem only sometimes. i want to run sshd as the only server
> connected to internet, but at some point in future.
>
> i am on the side of paranoid as you may see below. of course,
> people will let me know if something is really redundant ...
> X is the only part that remains consistent whenever i get
> a dynamic ip. (i am using 4.3 rc as of apr 9 2001 ~9p est.)
>
> thanks in advance, and below are the rules...

[ rules removed ]

after waiting for almost a week w/o getting any response, i shall try again, maybe in hopes of getting a response this time. also, please let me know what it is that i wrote, or did not write, that caused no response.

in addition to the above quoted message, is there any problem in the head/group numbering as shown below (by ipfstat -ion w/ human injected line breaks):

@1 block out from any to any
@2 block out log body quick from any to 192.168.0.0/16 head 125
@1 block out log body quick from any to 172.16.0.0/16 group 125
@2 block out log body quick from 192.168.0.0/16 to any group 125
@3 block out log body quick from 172.16.0.0/16 to any group 125
@3 block out on lo0 from any to any head 500
@1 pass out quick on lo0 proto tcp/udp from 127.0.0.0/24 to 127.0.0.0/24 keep state group 500
@2 pass out quick on lo0 proto icmp from 127.0.0.0/24 to 127.0.0.0/24 keep state group 500
@4 block out on tun0 from any to any head 400
@1 block out log body quick on tun0 from any to 127.0.0.0/8 group 400
@2 block out log body quick on tun0 from 127.0.0.0/8 to any group 400
@3 pass out quick on tun0 proto udp from 10.0.0.0/24 to 204.127.129.1/32 port = 53 keep state group 400
@4 pass out quick on tun0 proto udp from 10.0.0.0/24 to 204.127.160.1/32 port = 53 keep state group 400
@5 pass out log quick on tun0 proto udp from 32.0.0.0/8 to any port 33433 >< 33465 keep state group 400
@6 pass out log quick on tun0 proto icmp from 32.0.0.0/8 to any icmp-type echo keep state group 400
@7 pass out on tun0 proto tcp/udp from 32.0.0.0/8 to any keep state group 400

@1 block in from any to any
@2 block return-icmp in log body quick proto udp from 211.114.0.0/16 to any
@3 block return-rst in log body quick proto tcp from any to 211.114.0.0/16
@4 block in log body quick from any to any with short
@5 block in log body quick from any to any with ipopt
@6 block in log quick from any to any with opt lsrr
@7 block in log quick from any to any with opt ssrr
@8 block in log quick from any to any with frag
@9 block in log quick proto tcp from any to any flags FPU/FSRPAUC
@10 block in log quick proto tcp from any to any flags FS/FSRA
@11 block in log quick proto tcp from any to any flags /FSRA
@12 block in log body quick from 192.168.0.0/16 to any head 105
@1 block in log body quick from 172.16.0.0/16 to any group 105
@2 block in log body quick from 127.0.0.0/8 to any group 105
@3 block in log body quick from 10.0.0.0/8 to any group 105
@4 block in log body quick from any to 192.168.0.0/16 group 105
@5 block in log body quick from any to 172.16.0.0/16 group 105
@6 block in log body quick from any to 127.0.0.0/8 group 105
@7 block in log body quick from any to 10.0.0.0/8 group 105
@13 block in on lo0 from any to any head 300
@1 pass in quick on lo0 proto tcp/udp from 127.0.0.0/24 to 127.0.0.0/24 keep state group 300
@2 pass in quick on lo0 proto icmp from 127.0.0.0/24 to 127.0.0.0/24 keep state group 300
@14 block in on tun0 from any to any head 200
@1 block in log body quick on tun0 proto tcp/udp from any to any port = printer group 200
@2 block in log body quick on tun0 proto tcp/udp from any to any port = ftp group 200
@3 block in log body quick on tun0 proto tcp/udp from any to any port = finger group 200
@4 block in log body quick on tun0 proto tcp/udp from any to any port = telnet group 200
@5 block in log body quick on tun0 proto tcp/udp from any to any port = http group 200
@6 block in log body quick on tun0 proto tcp/udp from any to any port = pop3 group 200
@7 block in log body quick on tun0 proto tcp/udp from any to any port = smtp group 200
@8 block in log body quick on tun0 proto tcp/udp from any to any port = domain group 200
@9 block in log body quick on tun0 proto tcp/udp from any to any port = ssh group 200
@10 block in log body quick on tun0 proto tcp/udp from any to any port 5999 >< 6064 group 200
@11 block in log body quick on tun0 proto tcp/udp from any to any port = xns-mail group 200
@12 block in log body quick on tun0 proto tcp/udp from any to any port = 5432 group 200
@13 pass in log on tun0 proto icmp from any to any icmp-type echorep keep state group 200
@14 pass in log on tun0 proto icmp from any to 32.0.0.0/8 icmp-type unreach keep state group 200
@15 pass in log on tun0 proto icmp from any to 32.0.0.0/8 icmp-type timex keep state group 200
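An added checker for the head/group numbering question, not part of the original post: it parses `ipfstat -ion` style lines, flags any `group N` member that appears before a `head N` rule, and flags `@`-numbers that do not run 1..n within each direction and group. The two samples are constructed excerpts of the listing above, with the top-level "in" rules renumbered to keep them short.

```python
import re
from collections import defaultdict
# Matches "@<n> <action> [return-xxx] <in|out> <rest>" as printed by ipfstat -ion.
RULE_RE = re.compile(r"^@(\d+)\s+\S+(?:\s+return-\S+)?\s+(in|out)\b(.*)$")

def parse_rules(text):
    """Turn ipfstat -ion lines into (number, direction, head, group) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        num, direction, rest = int(m.group(1)), m.group(2), m.group(3)
        head = re.search(r"\bhead (\d+)", rest)
        group = re.search(r"\bgroup (\d+)", rest)
        rules.append((num, direction, int(head.group(1)) if head else None,
                      int(group.group(1)) if group else None))
    return rules

def check_groups(rules):
    """Flag members with no earlier head, and @-numbers not running 1..n per (direction, group)."""
    problems, heads_seen, seq = [], set(), defaultdict(list)
    for num, direction, head, group in rules:
        if group is not None and group not in heads_seen:
            problems.append(f"{direction} rule @{num} uses group {group} before any head {group}")
        seq[(direction, group)].append(num)  # top-level rules are keyed as group None
        if head is not None:
            heads_seen.add(head)  # a rule may be both a member and a head (nesting)
    for (direction, group), nums in seq.items():
        if nums != list(range(1, len(nums) + 1)):
            where = f"group {group}" if group is not None else "top level"
            problems.append(f"{direction} {where}: numbers {nums} are not 1..{len(nums)}")
    return problems

# Constructed excerpt of the listing above (top-level "in" rules renumbered to keep it short).
SAMPLE_OK = """
@1 block out from any to any
@2 block out log body quick from any to 192.168.0.0/16 head 125
@1 block out log body quick from any to 172.16.0.0/16 group 125
@1 block in from any to any
@2 block return-icmp in log body quick proto udp from 211.114.0.0/16 to any
@3 block in log body quick from 192.168.0.0/16 to any head 105
@1 block in log body quick from 172.16.0.0/16 to any group 105
"""
# Constructed broken variant: @2 skipped in group 125, and a member of a group with no head.
SAMPLE_BAD = """
@1 block out log body quick from any to 192.168.0.0/16 head 125
@1 block out log body quick from any to 172.16.0.0/16 group 125
@3 block out log body quick from 192.168.0.0/16 to any group 125
@1 block in log body quick from 10.0.0.0/8 to any group 999
"""
```

Run `check_groups(parse_rules(open("ipfstat.txt").read()))` on a saved `ipfstat -ion` dump; an empty list means the numbering is consistent.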