Date: Wed, 13 Aug 2003 09:53:40 -0500 From: "Darryl Hoar" <darryl@osborne-ind.com> To: <freebsd-questions@freebsd.org> Subject: Blocking RIP requests on firewall Message-ID: <004201c361aa$afcd7c80$0701a8c0@darryl>
Greetings,

I have a FreeBSD 4.7S machine that is running IPFilter and is configured as a firewall. My external interface is xl0. I put

    block in quick on xl0 proto udp from 10.0.0.1 to any port = 520

and reloaded the rules (by rebooting; I have it locked down). It still generates log entries in my firewall_log file. Here is my ipf.rules file:

################################################################
# Outside Interface
################################################################
#---------------------------------------------------------------
# Allow out all TCP, UDP and ICMP traffic & keep state on it
# so that it's allowed back in.
#---------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#--------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only
#--------------------------------------------------------------
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state

#-----------------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service isn't listening)
# - Block UDP with an ICMP Port Unreachable (make it appear as if it isn't
#   listening)
# - Block all remaining traffic the good 'ol fashioned way
#------------------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
block in log quick on xl0 all

##########################################################################
# Inside Interface
##########################################################################
#-------------------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#-------------------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#------------------------------------------------------------------------
# Allow in all TCP, UDP and ICMP traffic and keep state
#------------------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any flags S
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

########################################################################
# Loopback Interface
########################################################################
#----------------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#---------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

Thanks in advance.

-Darryl
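As an added illustration, not part of the thread and not ipfilter's own code: a small Python model of how IPFilter walks the inbound xl0 rules from the post, top-down, with a matching "quick" rule ending the walk at once. Run against a constructed RIP datagram from 10.0.0.1, it reports which rule decides the packet and whether that rule carries "log", and does the same for the rule set with the port-520 rule moved ahead of the catch-all UDP block; the packet fields and the rule subset the parser accepts are assumptions made for the example.

```python
import ipaddress
import re
# Inbound xl0 rules copied from the post, in the order they appear in ipf.rules.
RULES = [
    "pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state",
    "block return-rst in log quick on xl0 proto tcp from any to any",
    "block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any",
    "block in quick on xl0 proto udp from 10.0.0.1 to any port = 520",
    "block in log quick on xl0 all",
]
# Same rules with the port-520 rule moved ahead of the catch-all UDP block.
RULES_PORT520_FIRST = [RULES[3]] + RULES[:3] + RULES[4:]
# Constructed packet: a RIPv2 announcement from the ISP router arriving on xl0.
RIP_PKT = {"dir": "in", "iface": "xl0", "proto": "udp", "src": "10.0.0.1", "dst": "224.0.0.9", "dport": 520}
# Subset of ipf.conf syntax used in the post; 'keep state' and return-* options are accepted but ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)\s+(?:all|proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<dport>\d+))?)"
)
def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    return m.groupdict()

def addr_matches(spec, addr):
    # 'any' matches everything; a bare host address is treated as a /32, as ipfilter does.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    if r["dir"] != pkt["dir"] or r["iface"] != pkt["iface"]:
        return False
    if r["proto"] is None:  # an 'all' rule matches any protocol
        return True
    return (r["proto"] == pkt["proto"]
            and addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
            and (r["dport"] is None or int(r["dport"]) == pkt["dport"]))

def evaluate(rules, pkt):
    """Return (rule index, action, logged) for the rule that decides the packet: ipfilter
    walks rules top-down and the last match wins, unless a matching 'quick' rule ends the walk."""
    decision = None
    for idx, text in enumerate(rules):
        r = parse_rule(text)
        if rule_matches(r, pkt):
            decision = (idx, r["action"], r["log"] is not None)
            if r["quick"]:
                break
    return decision
```

With the rules in the posted order the RIP packet is decided by the logging catch-all UDP block (index 2) and the port-520 rule is never reached; with the port-520 rule moved first it is decided by that rule (index 0), which does not log.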