Date: Fri, 19 Dec 2003 18:16:35 -0600
From: "Nicolas de Bari Embriz G. R." <nbari@unixmexico.com>
To: "Arie J. Gerszt" <arie@gerszt.ch>
Cc: freebsd-isp@freebsd.org
Subject: Re: /etc/ipf.conf - ipfilter
Message-ID: <1071879395.2357.10.camel@p4.unixmexico.net>
In-Reply-To: <FEEHKMHBPPGLAPHJCDIIGECIDNAA.arie@gerszt.ch>
References: <FEEHKMHBPPGLAPHJCDIIGECIDNAA.arie@gerszt.ch>

Hi, this is what I use; hope this can give you an idea.

---
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
#
block in log quick on fxp0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in log quick on fxp0 from 172.16.0.0/12 to any    #RFC 1918 private IP
block in log quick on fxp0 from 10.0.0.0/8 to any       #RFC 1918 private IP
block in log quick on fxp0 from 127.0.0.0/8 to any      #loopback
block in log quick on fxp0 from 0.0.0.0/8 to any        #loopback
block in log quick on fxp0 from 169.254.0.0/16 to any   #DHCP auto-config
block in log quick on fxp0 from 192.0.2.0/24 to any     #reserved for doc's
block in log quick on fxp0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on fxp0 from 224.0.0.0/3 to any          #Class D & E multicast

#---------------------------------------------
# pass ping from secure hosts to my host.
#---------------------------------------------
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 0
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 0
pass in quick on fxp0 proto icmp from 23.122.12.243/32 to 32.11.234.123/32 icmp-type 8
pass in quick on fxp0 proto icmp from 200.57.40.53/32 to 32.11.234.123/32 icmp-type 8
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 3
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 3
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 1
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 1

#------------
# block pings
#------------
block out quick on fxp0 proto icmp all icmp-type 0
block in quick on fxp0 proto icmp all icmp-type 8
block out quick on fxp0 proto icmp all icmp-type 3
block out quick on fxp0 proto icmp all icmp-type 16

#-------------------
# block Null scans
#-------------------
block in log quick on fxp0 proto tcp all flags /
block in log quick on fxp0 proto tcp all flags FUP
block in log quick on fxp0 all with ipopts

#------------
# Pass all
#------------
pass in from any to any
pass out from any to any
---

and in the sysctl.conf file I have this:

net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

On Fri, 2003-12-19 at 15:17, Arie J. Gerszt wrote:
> hi,
>
> i was just about to configure and fine tune my /etc/ipf.conf and wondered,
> what kind of settings you use on your servers.
>
> is anybody interested in exchanging about this topic?
>
> thanks,
> arie
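
The ruleset in the message ends with "pass in from any to any", so every block rule above it depends on the `quick` keyword: IPFilter lets the last matching rule decide unless a matching rule is marked `quick`, which stops evaluation there. The following sketch is an added example, not part of the original message or of IPFilter; it models only source-address and interface matching, the function names are hypothetical, the test addresses are constructed, and it assumes a kernel whose default policy is pass.

```python
import ipaddress

# Subset of the inbound rules from the message, in the same order,
# followed by its final pass-all rule.
RULES = """\
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 224.0.0.0/3 to any
pass in from any to any
"""

def parse(text):
    """Parse 'ACTION in [log] [quick] [on IF] from SRC to any' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        src = tok[tok.index("from") + 1]
        rules.append({
            "action": tok[0],
            "quick": "quick" in tok,
            "iface": tok[tok.index("on") + 1] if "on" in tok else None,
            "src": None if src == "any" else ipaddress.ip_network(src),
        })
    return rules

def decide(rules, src_ip, iface="fxp0", default="pass"):
    """Last matching rule wins; a matching 'quick' rule ends the search."""
    addr = ipaddress.ip_address(src_ip)
    verdict = default  # assumption: kernel not built with default-block
    for r in rules:
        if r["iface"] not in (None, iface):
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict

def without_quick(rules):
    """Same rules with every 'quick' removed, to show what it changes."""
    return [dict(r, quick=False) for r in rules]

if __name__ == "__main__":
    rules = parse(RULES)
    for ip in ("10.1.2.3", "240.0.0.1", "198.51.100.7"):  # constructed samples
        print(ip, decide(rules, ip), decide(without_quick(rules), ip))
```

With `quick` stripped, the spoofed RFC 1918 source is passed by the trailing pass-all rule, which is the check to repeat whenever rules are reordered or a `quick` is dropped while editing.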