From owner-freebsd-isp Tue Nov 26 11:58:12 2002
To: freebsd-isp@freebsd.org
Subject: Re: ipfilter
From: Faried Nawaz
Organization: Integral Domains
Date: Wed, 27 Nov 2002 00:58:05 +0500
User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.4 (Artificial Intelligence, i386-unknown-freebsd4.6)

Here's a simple ruleset for your /etc/ipf.rules.

Assumptions:

- eth0 is your ethernet interface with the ip address aaa.bbb.ccc.ddd
- your broadcast address is aaa.bbb.ccc.255
- your network address is aaa.bbb.ccc.0
- you want to log some traffic.  if you don't, strip the "log" keyword
  from the lines below
- sysctl -a says
      net.inet.ip.portrange.hifirst: 49152
      net.inet.ip.portrange.hilast: 65535
  these values are used by ftpd.  man ftpd and search for the "-U"
  parameter
- icmp isn't filtered out.
- you've read http://www.obfuscation.org/ipf/ (or one of its mirrors).
### allow loopback traffic
pass in quick on lo0
pass out quick on lo0

### block certain incoming netblocks
# you may need to adjust this for your own network
# if you use private addressing
block in log quick on eth0 from 172.16.0.0/12 to any
block in log quick on eth0 from 10.0.0.0/8 to any
block in log quick on eth0 from 127.0.0.0/8 to any
block in log quick on eth0 from 192.168.0.0/16 to any
block in log quick on eth0 from 0.0.0.0/8 to any
block in log quick on eth0 from 169.254.0.0/16 to any
block in log quick on eth0 from 192.0.2.0/24 to any
block in log quick on eth0 from any to aaa.bbb.ccc.255/32
block in log quick on eth0 from any to aaa.bbb.ccc.0/32

### default in policy
# deliberately not "quick": ipf takes the last matching rule, so the
# "pass in quick" rules below override this for the services we expose
block in on eth0 all

### default out policy
pass out quick on eth0 proto udp from aaa.bbb.ccc.ddd/32 to any keep state
pass out quick on eth0 proto tcp from aaa.bbb.ccc.ddd/32 to any flags S keep state
pass out quick on eth0 proto icmp from aaa.bbb.ccc.ddd/32 to any keep state

### now for the stuff we let in.
# web
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 80 flags S keep state
# ssh
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 22 flags S keep state
# ftp
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 20 flags S keep state
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 21 flags S keep state
# passive ftp
# ftpd hands out data ports from hifirst (49152) up to and including
# hilast (65535); ">=" covers exactly that range, whereas "49151 >< 65535"
# is exclusive on both ends and would leave 65535 out
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port >= 49152 flags S keep state
# smtp
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 25 flags S keep state
# pop3
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 110 flags S keep state
# imap4
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 143 flags S keep state
# misc web
pass in quick on eth0 proto tcp from any to aaa.bbb.ccc.ddd/32 port = 8080 flags S keep state
# icmp
pass in quick on eth0 proto icmp from any to aaa.bbb.ccc.ddd/32 keep state

### finally
# anything inbound that reached this point is refused politely (RST for
# tcp, port-unreachable for udp) and logged
block return-rst in log on eth0 proto tcp all
block return-icmp-as-dest(port-unr) in log on eth0 proto udp all
### eof

If you're going to perform outbound ftp from the machine, place this in
/etc/ipnat.rules:

map eth0 0/0 -> 0/32 proxy port 21 ftp/tcp

Faried.

-- 
The Great GNU has arrived, infidels, behold his wrath !
"If a MOO runs on a port no one accesses, does it run?"
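Added example, not part of Faried's post: a small Python evaluator that applies ipf's matching semantics (the last matching rule wins, unless a matching rule is "quick") to a constructed subset of the ruleset above, so you can check which rule a given packet would hit before loading the file. It understands only the rule shapes the post uses, and 198.51.100.10 is a constructed stand-in for aaa.bbb.ccc.ddd.

```python
import ipaddress
import re

# Constructed subset of the post's ruleset; 198.51.100.10 stands in for
# aaa.bbb.ccc.ddd (assumption: a documentation address).
RULES = """
block in log quick on eth0 from 10.0.0.0/8 to any
block in log quick on eth0 from 192.168.0.0/16 to any
block in on eth0 all
pass in quick on eth0 proto tcp from any to 198.51.100.10/32 port = 22 flags S keep state
pass in quick on eth0 proto tcp from any to 198.51.100.10/32 port >= 49152 flags S keep state
block return-rst in log on eth0 proto tcp all
"""

# Only the rule shapes the post uses; trailing keywords (flags, keep state) are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<op>>=|<=|=|>|<)\s+(?P<port>\d+))?)"
)

def parse_rules(text):
    matches = [RULE_RE.match(line.strip()) for line in text.strip().splitlines()]
    if not all(matches):
        raise ValueError("ruleset contains a line this parser does not understand")
    return [m.groupdict() for m in matches]

def _addr_match(spec, addr):  # spec is None for an "all" rule
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(op, want, port):
    ops = {"=": port.__eq__, ">=": port.__ge__, "<=": port.__le__, ">": port.__gt__, "<": port.__lt__}
    return op is None or ops[op](int(want))

def evaluate(rules, direction, iface, proto, src, dst, dport):
    """(action, rule index): the last matching rule wins, except that a matching
    'quick' rule ends the search at once; a packet matching no rule is passed."""
    verdict = ("pass", None)
    for i, r in enumerate(rules):
        if (r["dir"], r["iface"]) != (direction, iface) or (r["proto"] and r["proto"] != proto):
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and _port_match(r["op"], r["port"], dport)):
            continue
        verdict = (r["action"], i)
        if r["quick"]:
            break
    return verdict
```

Running evaluate() over a few constructed packets shows why the non-quick "block in on eth0 all" is safe: an inbound tcp SYN to port 23 ends at the final return-rst rule, while port 22 and a passive-ftp port are caught by their quick pass rules first.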