Date: Wed, 27 Nov 2002 00:58:05 +0500
From: Faried Nawaz <fn@hungry.org>
To: freebsd-isp@freebsd.org
Subject: Re: ipfilter
Message-ID: <m3u1i4t86q.fsf@homeworld.nilpotent.org>
References: <OFA0F13875.D3DE2DCA-ONC1256C7C.0069779F@unisg.ch>
Here's a simple ruleset for your /etc/ipf.rules. Assumptions:

- eth0 is your ethernet interface with the ip address aaa.bbb.ccc.ddd
- your broadcast address is aaa.bbb.ccc.255
- your network address is aaa.bbb.ccc.0
- you want to log some traffic. if you don't, strip the "log" keyword from the lines below
- sysctl -a says
      net.inet.ip.portrange.hifirst: 49152
      net.inet.ip.portrange.hilast: 65535
  these values are used by ftpd. man ftpd and search for the "-U" parameter
- icmp isn't filtered out.
- you've read http://www.obfuscation.org/ipf/ (or one of its mirrors).

### allow loopback traffic
pass in quick on lo0
pass out quick on lo0

### block certain incoming netblocks
# you may need to adjust this for your own network
# if you use private addressing
block in log quick on eth0 from 172.16.0.0/12 to any
block in log quick on eth0 from 10.0.0.0/8 to any
block in log quick on eth0 from 127.0.0.0/8 to any
block in log quick on eth0 from 192.168.0.0/16 to any
block in log quick on eth0 from 0.0.0.0/8 to any
block in log quick on eth0 from 169.254.0.0/16 to any
block in log quick on eth0 from 192.0.2.0/24 to any
block in log quick on eth0 from any to aaa.bbb.ccc.255/32
block in log quick on eth0 from any to aaa.bbb.ccc.0/32

### default in policy
block in on eth0 all

### default out policy
pass out quick on eth0 proto udp from aaa.bbb.ccc.ddd/32 to any keep state
pass out quick on eth0 proto tcp from aaa.bbb.ccc.ddd/32 to any flags S keep state
pass out quick on eth0 proto icmp from aaa.bbb.ccc.ddd/32 to any keep state

### now for the stuff we let in.
# web
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 80 flags S keep state
# ssh
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 22 flags S keep state
# ftp
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 20 flags S keep state
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 21 flags S keep state
# passive ftp
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port 49151 >< 65535 flags S keep state
# smtp
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 25 flags S keep state
# pop3
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 110 flags S keep state
# imap4
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 143 flags S keep state
# misc web
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 8080 flags S keep state
# icmp
pass in quick on eth0 proto icmp from any to aaa.bbb.ccc.ddd/32 keep state

### finally
block return-rst in log on eth0 proto tcp all
block return-icmp-as-dest(port-unr) in log on eth0 proto udp all
### eof

If you're going to perform outbound ftp from the machine, place this in /etc/ipnat.rules:

map eth0 0/0 -> 0/32 proxy port 21 ftp/tcp

Faried.

-- 
The Great GNU has arrived, infidels, behold his wrath !
"If a MOO runs on a port no one accesses, does it run?"
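As an added example (not part of Faried's post), a small Python evaluator for the subset of ipf.conf syntax the ruleset uses, to check ipfilter's "last match wins unless a matching rule is quick" semantics and the fact that a `><` port range is exclusive at both ends. It assumes a single interface, SYN packets only, and 203.0.113.10 standing in for aaa.bbb.ccc.ddd.

```python
import ipaddress

def parse_rule(line):
    """Parse one ipf rule (subset of ipf.conf syntax) into a dict."""
    toks = line.split()
    i = 2 if toks[1].startswith("return-") else 1    # skip return-rst / return-icmp-as-dest(...)
    rule = {"action": toks[0], "dir": toks[i], "quick": "quick" in toks,
            "proto": None, "src": "any", "dst": "any", "ports": None}
    while i < len(toks):
        t = toks[i]
        if t in ("proto", "from", "to"):
            rule[{"proto": "proto", "from": "src", "to": "dst"}[t]] = toks[i + 1]; i += 2
        elif t == "port" and toks[i + 1] == "=":
            rule["ports"] = (int(toks[i + 2]), int(toks[i + 2])); i += 3
        elif t == "port" and toks[i + 2] == "><":     # a >< b is EXCLUSIVE: a < port < b
            rule["ports"] = (int(toks[i + 1]) + 1, int(toks[i + 3]) - 1); i += 4
        else:
            i += 1                                     # on/eth0, log, flags S, keep state, all

    return rule

def matches(rule, pkt):
    ok = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
    if rule["dir"] != pkt["dir"] or (rule["proto"] and rule["proto"] != pkt["proto"]):
        return False
    if not (ok(rule["src"], pkt["src"]) and ok(rule["dst"], pkt["dst"])):
        return False
    lo, hi = rule["ports"] or (0, 65535)               # no port clause: any port (or no port at all)
    return lo <= pkt.get("dport", 0) <= hi

def decide(rules, pkt):
    """ipfilter semantics: the LAST matching rule wins, unless a matching rule says 'quick'."""
    verdict = "pass"                   # nothing matched: ipfilter's built-in default is pass
    for r in (r for r in rules if matches(r, pkt)):
        verdict = r["action"]
        if r["quick"]: break
    return verdict

# Constructed subset of the posted ruleset; 203.0.113.10 stands in for aaa.bbb.ccc.ddd.
RULES = [parse_rule(l) for l in """
block in log quick on eth0 from 10.0.0.0/8 to any
block in on eth0 all
pass in quick on eth0 proto tcp from any to 203.0.113.10/32 port = 80 flags S keep state
pass in quick on eth0 proto tcp from any to 203.0.113.10/32 port 49151 >< 65535 flags S keep state
block return-rst in log on eth0 proto tcp all
""".strip().splitlines()]

def inbound_tcp(src, dport):
    """Verdict for an inbound TCP SYN from src to the host's port dport."""
    return decide(RULES, {"dir": "in", "proto": "tcp", "src": src, "dst": "203.0.113.10", "dport": dport})
```

Note that with hilast set to 65535, a passive-FTP data connection landing on port 65535 falls through to the final return-rst rule, because `49151 >< 65535` matches only 49152 through 65534.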