Date: Thu, 9 Oct 2003 09:39:30 -0400
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: <bsd@perimeter.co.za>, "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject: RE: ipf - sample rulesets
Message-ID: <MIEPLLIBMLEEABPDBIEGIEPNEIAA.fbsd_user@a1poweruser.com>
In-Reply-To: <courier.3F855B93.0000BC7F@perimeter.co.za>
I stopped using IPFW because my keep-state rules would not work on my cable internet connection. I have found that IPFILTER is much easier to use. Here is my rules file for you to use as a sample.

#################################################################
# Outside Interface to Public internet (Outbound Section)
# Interrogate packets originating from behind the firewall, private net,
# destined for the public internet.
#################################################################
# Allow out access to my ISP's Domain name server.
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
@102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
@103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
@104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
@105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state
# Allow out access to my ISP's DHCP server.
@106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state
# Allow out non-secure standard www function
@110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
@115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
# Allow out send & get email function
@130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
@131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state
# Allow out Time
@140 pass out quick on rl0 proto tcp from any to any port = 37 keep state
# Allow out nntp news
#@150 pass out quick on rl0 proto tcp from any to any port = 119
@150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state
# Allow out passive FTP for LAN PC FTP to public Internet
@160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
@161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state
# Allow out ping to public Internet
@170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state
# Allow out whois for LAN PC to public Internet
@172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state
# Allow out traceroute to public Internet
#pass out quick on rl0 proto udp from any to any port 33434 > < 33690 keep state
# Deny Everything else trying to get out.
@199 block out log quick on rl0 all

#################################################################
# Outside Interface to Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for my private net.
#################################################################
# Allow traffic in from ISP's DHCP server.
@300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state
# Deny all Adelphia broadcast junk stuff so it does not show in log
@310 block in quick on rl0 proto udp from any to 255.255.255.255
@311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
@312 block in quick on rl0 proto igmp from any to any
# Allow in non-secure standard www function
@320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state
# Allow in Telnet
@330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state
# Allow in ping from public Internet
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state
# Deny ping so it does not show in log
@350 block in quick on rl0 proto icmp all
# Deny ident so it does not show in log
@351 block in quick on rl0 proto tcp from any to any port = 113
# Block and log all remaining traffic coming into the firewall
@399 block in log quick on rl0 all
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
#block return-rst in log quick on rl0 proto tcp from any to any
#block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
#block in log quick on rl0 all

#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
@500 pass out quick on xl0 proto tcp from any to any
@501 pass out quick on xl0 proto udp from any to any
@502 pass out quick on xl0 proto icmp from any to any
@503 block out quick on xl0 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
@520 pass in quick on xl0 proto tcp from any to any
@521 pass in quick on xl0 proto udp from any to any
@522 pass in quick on xl0 proto icmp from any to any
@523 block in quick on xl0 all

#################################################################
# Loopback Interface
#################################################################
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
@700 pass in quick on lo0 all
@701 pass out quick on lo0 all

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of bsd@perimeter.co.za
Sent: Thursday, October 09, 2003 8:59 AM
To: FreeBSD Question List
Subject: ipf - sample rulesets

Hi all.

Are there any good references and/or sample ipf rulesets that I could use to look-and-learn from? I am quite familiar with ipfw, but I'm struggling with converting my thinking on issues like the "setup" and "established" keywords of ipfw.

Thanks in advance for any pointers.

Regards,
Patrick.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
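As an added illustration for Patrick's question about ipfw's "setup"/"established" versus ipf (this is a toy model written for this page, not the poster's file or ipfilter's code): "flags S keep state" lets only a bare SYN create a state entry, and ipf consults the state table before the rule lists, so reply traffic passes without any explicit "pass in" rule while the inbound catch-all block still stops unsolicited connections. Interface names, NAT and the real rule grammar are omitted; the rule subset and all addresses are constructed.

```python
from collections import namedtuple

# direction is "in"/"out" as seen on rl0; flags is the TCP flag string, e.g. "S", "SA", "A"
Pkt = namedtuple("Pkt", "direction proto src sport dst dport flags", defaults=[""])

# Constructed subset of the posted rl0 rules:
# (action, direction, proto, dport, syn_only, keep_state)
RULES = [
    ("pass",  "out", "tcp", 80,   True,  True),   # @110: www out, flags S keep state
    ("block", "out", None,  None, False, False),  # @199: block out log quick all
    ("block", "in",  None,  None, False, False),  # @399: block in log quick all
]

class StatefulFilter:
    def __init__(self):
        self.state = set()  # (proto, src, sport, dst, dport); both directions of a flow

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def check(self, p):
        # ipf consults the state table before the rule lists, so replies to a
        # flow created by 'keep state' never reach '@399 block in'.
        if self._key(p) in self.state:
            return "pass(state)"
        for action, d, proto, dport, syn_only, keep in RULES:
            if d != p.direction or (proto and proto != p.proto) or (dport and dport != p.dport):
                continue
            if syn_only and p.flags != "S":  # 'flags S' matches only a bare SYN
                continue
            if action == "pass" and keep:    # record the flow and its reverse
                self.state.add(self._key(p))
                self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return action
        return "block"  # nothing matched; the posted ruleset ends both lists with a block

def demo():
    """Run four packets through the model and return the verdicts in order."""
    fw = StatefulFilter()
    lan, web, other = "192.168.1.10", "198.51.100.7", "203.0.113.9"  # constructed addresses
    return [
        fw.check(Pkt("out", "tcp", lan, 40000, web, 80, "S")),    # SYN out: pass, state created
        fw.check(Pkt("in", "tcp", web, 80, lan, 40000, "SA")),    # SYN/ACK back: pass(state)
        fw.check(Pkt("in", "tcp", other, 50000, lan, 80, "S")),   # unsolicited SYN in: block (@399)
        fw.check(Pkt("out", "tcp", lan, 40001, web, 80, "A")),    # ACK with no state: block (@199)
    ]
```

The fourth verdict is the ipfw "established" habit that does not carry over: a mid-stream ACK with no state entry is dropped by the outbound catch-all, which is why the posted file creates state on the SYN rather than passing "established" packets by flag alone.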