Date: Sun, 25 Mar 2001 10:09:25 -0800
From: Randy Bush <randy@psg.com>
To: FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: ipf idiot wants to roam
Message-ID: <E14hExB-0003q8-00@rip.psg.com>
[ i can find no list for ipf questions. if folk know of one, please tell me. ]

installing ipf on a machine which roams and therefore changes both interfaces (wi0, ep0, and tun0) and ip addresses. trying to come up with an ipf.rules as a first-time ipf user. help appreciated

randy

---

#!/sbin/ipf -f -
#
#-------------------------------------------------------
#
# short packets which are packets fragmented too short to be real
#
block in log first quick all with short
#
# loose source routed packets
#
block in log first quick all with opt lsrr
block in log first quick all with opt ssrr
#
# reserved addresses
#
block in log first quick from 10.0.0.0/8 to any
block in log first quick from 192.168.0.0/16 to any
block in log first quick from 172.16.0.0/12 to any
#
#-------------------------------------------------------
#
# loopback allows all packets
#
pass in quick on lo0 all
pass out quick on lo0 all
#
#
# Support all icmp connections initiated from inside
# (outbound with state, so the replies are let back in by the state table)
#
pass out log first quick proto icmp all keep state
#
pass in quick proto icmp from any to any icmp-type 0
pass in quick proto icmp from any to any icmp-type 11
block in log first quick proto icmp from any to any
#
#-------------------------------------------------------
#
pass in quick proto udp from any to any port = 67    # dhcps
pass in quick proto udp from any to any port = 68    # dhcpc
pass in quick proto udp from any to any port = 123   # ntp
#
pass in quick proto tcp from any to any port = 13    # daytime
pass in quick proto tcp from any to any port = 22    # ssh
pass in quick proto tcp from any to any port = 25    # smtp
pass in quick proto tcp from any to any port = 53    # dns
pass in quick proto tcp from any to any port = 113   # ident
#
#-------------------------------------------------------
#
# Allow any communication between the inside network and the outside only
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
# (outbound with state; a "pass in ... quick" here would let every inbound
# SYN through and make the return-rst block below unreachable)
#
pass out log first quick proto tcp all flags S/SA keep state
#
#-------------------------------------------------------
#
# log these
#
# return RST packets for invalid SYN packets to help the other end close
block return-rst in log first proto tcp from any to any flags S/SA
# return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all
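Added example, not part of the original post and not code from the ipf project: a small Python checker for the ordering trap that "quick" creates in an ipf rule file. ipf reads rules top to bottom and, for rules without "quick", the last match decides; a rule carrying "quick" ends evaluation as soon as it matches, so a broad "pass in quick" placed above a narrower "block in" for the same traffic makes that block dead. The checker parses only the subset of ipf syntax seen in the posted file (direction, proto, from/to, "port = N", flags, icmp-type, "with") and treats anything narrower as not covering; the SAMPLE_RULES input is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Checker for shadowed ipf rules (added example, not part of the post).

ipf reads a rule file top to bottom and, for rules without "quick", the
*last* matching rule decides.  A rule with "quick" stops evaluation as soon
as it matches.  So a broad "pass in quick ... all" rule placed above a
narrower "block in" rule for the same traffic makes the block unreachable.
This script parses the subset of ipf syntax used in the posted ruleset and
reports any later rule that an earlier "quick" rule already covers.
"""

# Constructed sample input: a condensed inbound TCP section in the shape of
# the posted rules, with a broad quick pass placed above the return-rst block.
SAMPLE_RULES = """\
# short packets
block in log first quick all with short
pass in quick proto tcp from any to any port = 22   # ssh
pass in log first quick proto tcp all flags S/SA keep state
block return-rst in log first proto tcp from any to any flags S/SA
"""


def parse_rule(line):
    """Parse one rule line into the fields the checker compares.

    Returns None for blank and comment lines.  Only the keywords that appear
    in the posted ruleset are understood; anything else is skipped.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "proto": "any",
            "port": None, "flags": None, "icmp_type": None, "with": False,
            "narrow_addr": False, "text": line}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok == "proto":
            i += 1
            rule["proto"] = toks[i]
        elif tok in ("from", "to"):
            i += 1
            if toks[i] != "any":          # a specific address or network
                rule["narrow_addr"] = True
        elif tok == "port":               # only the "port = N" form is handled
            i += 2
            rule["port"] = toks[i]
        elif tok == "flags":
            i += 1
            rule["flags"] = toks[i]
        elif tok == "icmp-type":
            i += 1
            rule["icmp_type"] = toks[i]
        elif tok == "with":               # "with short", "with opt lsrr", ...
            rule["with"] = True
        i += 1
    return rule


def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`.

    Conservative: a rule with a specific address, a "with" qualifier, or a
    narrower protocol/port/flags/icmp-type never counts as covering.
    """
    if earlier["dir"] != later["dir"] or earlier["with"] or earlier["narrow_addr"]:
        return False
    if earlier["proto"] not in ("any", later["proto"]):
        return False
    for key in ("port", "flags", "icmp_type"):
        if earlier[key] is not None and earlier[key] != later[key]:
            return False
    return True


def find_shadowed(text):
    """Return (quick_rule, unreachable_rule) pairs found in the rule text."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier["quick"] and covers(earlier, later):
                findings.append((earlier["text"], later["text"]))
                break
    return findings


if __name__ == "__main__":
    for quick_rule, dead_rule in find_shadowed(SAMPLE_RULES):
        print("unreachable:", dead_rule)
        print("   shadowed by quick rule:", quick_rule)
```

On the sample it reports the return-rst block as unreachable behind the quick "pass in ... flags S/SA" rule; changing that pass rule's direction to "out" makes the report empty. Run it against a real file with find_shadowed(open("/etc/ipf.rules").read()) before loading the rules, keeping in mind that it ignores interface ("on wi0") and address matching beyond "any".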