Date: Wed, 6 Mar 2002 06:29:12 -0500
From: "Larry Cronin (Hotmail)" <lccronin@hotmail.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: IPF Rule set questions
Message-ID: <OE12gRjpPIKQg9g4alp000044a5@hotmail.com>
Hello,

I am having some issues with my Internet being very slow. I am currently, with the help of this list, sorting it out. Could anyone tell me if this rule set looks ok?

#################################
# Outside Interface #
#################################
# This segment allows out all TCP, UDP, and ICMP traffic & keeps state
# on it so it will allow it back in.

pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

# This segment allows Mail traffic to the Exchange Server

pass in quick on xl1 proto tcp from any to xxx.yyy.zzz.10/24 port = 25 keep state
pass in quick on xl1 proto tcp from any to xxx.yyy.zzz.10/24 port = 110 keep state

# This segment blocks and logs all remaining traffic coming into the firewall
# It blocks TCP with a RST (to make it appear as if the service isn't listening)
# It blocks UDP with an ICMP port unreachable (to make it appear as if the
# service isn't listening)
# It blocks all remaining traffic

block return-rst in log quick on xl1 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl1 proto udp from any to any
block in log quick on xl1 all

#################################
# Inside Interface #
#################################
# This segment allows out all TCP, UDP, and ICMP traffic and keeps state

pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

# This segment allows in all TCP, UDP, and ICMP traffic and keeps state

pass in quick on xl0 proto tcp from any to any keep state
pass in quick on xl0 proto udp from any to any keep state
pass in quick on xl0 proto icmp from any to any keep state
block in quick on xl0 all

#################################
# Loopback Interface #
#################################
# This segment allows everything to/from your loopback interface so you can
# ping yourself (e.g. ping localhost)

pass in quick on lo0 all
pass out quick on lo0 all

# END OF FILE

Thanks

Larry
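An added audit of the inbound rules on xl1 above (example code, not part of the post or of IPFilter itself). It parses the rules, evaluates constructed packets with ipf's first-match "quick" semantics, and flags pass rules whose address has host bits set under the mask: because ipf applies the mask to the address, `xxx.yyy.zzz.10/24` admits SMTP and POP3 to every host in that /24, not only to the Exchange server. The prefix 192.0.2 (TEST-NET) is a constructed stand-in for xxx.yyy.zzz.

```python
import ipaddress
import re

# Constructed copy of the poster's inbound rules on xl1, with the placeholder
# xxx.yyy.zzz replaced by the documentation prefix 192.0.2.
RULES = """
pass in quick on xl1 proto tcp from any to 192.0.2.10/24 port = 25 keep state
pass in quick on xl1 proto tcp from any to 192.0.2.10/24 port = 110 keep state
block return-rst in log quick on xl1 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl1 proto udp from any to any
block in log quick on xl1 all
"""

# Grammar subset: only the inbound 'quick' rule forms used in the post.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<ret>return-\S+))?\s+in(?:\s+log)?\s+quick"
    r"\s+on\s+(?P<ifname>\S+)\s+(?:proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+=\s+(?P<port>\d+))?|all)"
)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        d = m.groupdict()
        d["port"] = int(d["port"]) if d["port"] else None
        rules.append(d)
    return rules

def matches(rule, proto, dst, dport):
    if rule["proto"] is None:          # 'all' matches every protocol
        return True
    if rule["proto"] != proto:
        return False
    if rule["dst"] != "any":
        # ipf masks the address, so 192.0.2.10/24 behaves as 192.0.2.0/24
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"], strict=False):
            return False
    return rule["port"] is None or rule["port"] == dport

def decide(rules, proto, dst, dport=None):
    """First matching 'quick' rule wins; ipf passes when nothing matches."""
    for r in rules:
        if matches(r, proto, dst, dport):
            return r["action"] + (" " + r["ret"] if r["ret"] else "")
    return "pass"

def overly_wide(rules):
    """(dst, number of hosts admitted) for pass rules whose address has host bits set."""
    out = []
    for r in rules:
        if r["action"] == "pass" and r["dst"] != "any" and "/" in r["dst"]:
            try:
                ipaddress.ip_network(r["dst"], strict=True)
            except ValueError:   # host bits set: the author probably meant /32
                out.append((r["dst"], ipaddress.ip_network(r["dst"], strict=False).num_addresses))
    return out
```

Running `decide(parse_rules(RULES), "tcp", "192.0.2.57", 25)` returns "pass", which is the surprise the audit is meant to surface; a /32 on the Exchange server's address restricts the rule to that one host.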
