From: "Nicolas de Bari Embriz G. R." <nbari@unixmexico.com>
To: "Arie J. Gerszt"
Cc: freebsd-isp@freebsd.org
Date: Fri, 19 Dec 2003 18:16:35 -0600
Subject: Re: /etc/ipf.conf - ipfilter
Organization: UNIXMEXICO
Message-Id: <1071879395.2357.10.camel@p4.unixmexico.net>

Hi, this is what I use; hope this can give you an idea.
---
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
#
block in log quick on fxp0 from 192.168.0.0/16 to any     # RFC 1918 private IP
block in log quick on fxp0 from 172.16.0.0/12 to any      # RFC 1918 private IP
block in log quick on fxp0 from 10.0.0.0/8 to any         # RFC 1918 private IP
block in log quick on fxp0 from 127.0.0.0/8 to any        # loopback
block in log quick on fxp0 from 0.0.0.0/8 to any          # "this" network, never a valid source
block in log quick on fxp0 from 169.254.0.0/16 to any     # DHCP auto-config (link-local)
block in log quick on fxp0 from 192.0.2.0/24 to any       # reserved for documentation
block in log quick on fxp0 from 204.152.64.0/23 to any    # Sun cluster interconnect
block in quick on fxp0 from 224.0.0.0/3 to any            # Class D (multicast) & E (reserved)
#---------------------------------------------
# pass ping from secure hosts to my host.
#---------------------------------------------
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 0
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 0
pass in quick on fxp0 proto icmp from 23.122.12.243/32 to 32.11.234.123/32 icmp-type 8
pass in quick on fxp0 proto icmp from 200.57.40.53/32 to 32.11.234.123/32 icmp-type 8
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 3
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 3
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 1
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 1
#------------
# block pings
#------------
block out quick on fxp0 proto icmp all icmp-type 0
block in quick on fxp0 proto icmp all icmp-type 8
block out quick on fxp0 proto icmp all icmp-type 3
block out quick on fxp0 proto icmp all icmp-type 16
#-------------------
# block null scans
#-------------------
block in log quick on fxp0 proto tcp all flags /
block in log quick on fxp0 proto tcp all flags FUP
block in log quick on fxp0 all with ipopts
#------------
# Pass all
#------------
pass in from any to any
pass out from any to any
---

and in the sysctl.conf file I have this:

net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

On Fri, 2003-12-19 at 15:17, Arie J. Gerszt wrote:
> Hi,
>
> I was just about to configure and fine tune my /etc/ipf.conf and wondered
> what kind of settings you use on your servers.
>
> Is anybody interested in exchanging ideas about this topic?
>
>
> thanks,
> arie
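To see what the posted ruleset actually does to an inbound packet, here is a small evaluator for the subset of ipf.conf syntax the rules use, run against constructed sample traffic. It is an added illustration for this thread, not code from Nicolas' post and not IPFilter's own parser. It models the two things that matter for reading the ruleset: ipf's last-match semantics, where a `quick` match ends the scan at once, and the TCP `flags` comparison, which uses all six flags (FSRPAU) as the mask when none is given; the evaluator assumes the empty mask in `flags /` falls back to that same default, which is what makes the rule a null-scan filter. Only the inbound rules are loaded (comments dropped, order unchanged), and 198.51.100.7 is a constructed stand-in for an arbitrary Internet host; the other addresses are those in the rules.

```python
"""Evaluate the posted ipf.conf inbound rules against sample packets.  Added
illustration for this thread, not IPFilter's code and not from the original
message.  ipf.conf(5) semantics: the LAST matching rule decides unless a match
carries "quick", which stops the scan immediately."""
import ipaddress
import re
from collections import namedtuple

TCP_FLAGS = set("FSRPAU")

# The post's inbound rules in their original order, comments dropped.
RULESET = """\
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 0.0.0.0/8 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in quick on fxp0 from 224.0.0.0/3 to any
pass in quick on fxp0 proto icmp from 23.122.12.243/32 to 32.11.234.123/32 icmp-type 8
pass in quick on fxp0 proto icmp from 200.57.40.53/32 to 32.11.234.123/32 icmp-type 8
block in quick on fxp0 proto icmp all icmp-type 8
block in log quick on fxp0 proto tcp all flags /
block in log quick on fxp0 proto tcp all flags FUP
block in log quick on fxp0 all with ipopts
pass in from any to any
"""

# Accepts only the syntax the posted rules actually use.
RULE_RE = re.compile(
    r"^(block|pass) (in|out)( log)?( quick)?(?: on (\S+))?(?: proto (\S+))?"
    r" (?:all|from (\S+) to (\S+))(?: icmp-type (\d+))?(?: flags (\S+))?(?: with (\S+))?$")

Packet = namedtuple("Packet", "direction iface proto src dst icmp_type tcp_flags ipopts",
                    defaults=(None, "", False))

def _net(tok):
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)

def parse_flags(spec):
    """'FUP' -> ({F,U,P}, all six); 'S/SA' -> ({S}, {S,A}); '/' -> (empty, all six).
    The empty-mask fallback to all six flags is an assumption about ipf's default."""
    want, _, mask = spec.partition("/")
    return set(want), (set(mask) or set(TCP_FLAGS))

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line}")
    action, direction, _, quick, iface, proto, src, dst, icmp, flags, with_ = m.groups()
    return {"action": action, "dir": direction, "quick": quick is not None, "iface": iface,
            "proto": proto, "src": _net(src), "dst": _net(dst),
            "icmp_type": int(icmp) if icmp else None,
            "flags": parse_flags(flags) if flags else None, "ipopts": with_ == "ipopts"}

def matches(r, p):
    """True if packet p satisfies every condition rule r specifies."""
    if r["dir"] != p.direction or (r["iface"] and r["iface"] != p.iface):
        return False
    if (r["proto"] and r["proto"] != p.proto) or (r["ipopts"] and not p.ipopts):
        return False
    if r["src"] is not None and ipaddress.ip_address(p.src) not in r["src"]:
        return False
    if r["dst"] is not None and ipaddress.ip_address(p.dst) not in r["dst"]:
        return False
    if r["icmp_type"] is not None and p.icmp_type != r["icmp_type"]:
        return False
    if r["flags"] is None:
        return True
    want, mask = r["flags"]
    return p.proto == "tcp" and (set(p.tcp_flags) & mask) == (want & mask)

def evaluate(rules, p, default="pass"):
    """Return (verdict, index of deciding rule) under ipf last-match/quick semantics."""
    verdict, which = default, None
    for idx, r in enumerate(rules):
        if matches(r, p):
            verdict, which = r["action"], idx
            if r["quick"]:
                break
    return verdict, which

RULES = [parse_rule(l) for l in RULESET.splitlines()]

# Constructed traffic arriving on fxp0; 198.51.100.7 stands in for any Internet host.
SAMPLES = {
    "spoofed_private_src": Packet("in", "fxp0", "tcp", "10.1.2.3", "32.11.234.123", tcp_flags="S"),
    "ping_from_trusted":   Packet("in", "fxp0", "icmp", "23.122.12.243", "32.11.234.123", icmp_type=8),
    "ping_from_stranger":  Packet("in", "fxp0", "icmp", "198.51.100.7", "32.11.234.123", icmp_type=8),
    "null_scan":           Packet("in", "fxp0", "tcp", "198.51.100.7", "32.11.234.123", tcp_flags=""),
    "fin_urg_psh":         Packet("in", "fxp0", "tcp", "198.51.100.7", "32.11.234.123", tcp_flags="FUP"),
    "plain_syn":           Packet("in", "fxp0", "tcp", "198.51.100.7", "32.11.234.123", tcp_flags="S"),
    "ip_options":          Packet("in", "fxp0", "udp", "198.51.100.7", "32.11.234.123", ipopts=True),
}

def run_samples():
    return {name: evaluate(RULES, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, idx) in run_samples().items():
        print(f"{name:20s} {verdict:5s} by rule {idx}: {RULESET.splitlines()[idx]}")
```

Two things the run makes visible. First, ordering: the two `pass in quick ... icmp-type 8` rules only work because they sit before `block in quick ... icmp-type 8`; move the block above them and the monitoring hosts lose ping without any error from ipf, since the first `quick` match wins. Second, everything that is not a bogon source, an unsolicited echo request, a flag-less or FIN/URG/PSH TCP segment, or a packet with IP options reaches `pass in from any to any`, so a plain SYN from the Internet is passed and the host's listening services are the real exposure. That is the role of the two sysctl lines in the post: with `net.inet.tcp.blackhole=1` a SYN to a closed port is dropped instead of answered with RST, and `net.inet.udp.blackhole=1` suppresses the ICMP port-unreachable reply, so the filter's default-pass does not turn into a free port map.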