Date: Wed, 18 Dec 2002 09:48:09 +1100 (EST)
From: Keith Spencer <bsd2000au@yahoo.com.au>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
Cc: fbsd <freebsd-questions@freebsd.org>
Subject: OOPS....Re: ipf -> IPFILTER_DEFAULT_BLOCK ...This is not working as predicted! Help?
Message-ID: <20021217224809.62403.qmail@web12007.mail.yahoo.com>
In-Reply-To: <20021217102839.C52840-100000@cactus.fi.uba.ar>
Sorry guys, the copy/paste mucked up on me... Here is the full rule set I am using...

#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on ed0 proto tcp from any to any port = 25 keep state
# pass out quick on ed0 proto tcp from any to any port = 110 keep state
# pass out quick on ed0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on ed0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in log quick on ed0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in log quick on ed0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in log quick on ed0 from 127.0.0.0/8 to any       #loopback
block in log quick on ed0 from 0.0.0.0/8 to any         #loopback
block in log quick on ed0 from 169.254.0.0/16 to any    #DHCP auto-config
block in log quick on ed0 from 192.0.2.0/24 to any      #reserved for doc's
block in log quick on ed0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on ed0 from 224.0.0.0/3 to any           #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
# pass in quick on ed0 proto tcp from any to any port = 80 flags S keep state keep frags
# pass in quick on ed0 proto tcp from any to any port = 25 flags S keep state keep frags
# pass in quick on ed0 proto tcp from X.X.X.X/32 to any port = 22 flags S keep state keep frags

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
#   - Block TCP with a RST (to make it appear as if the service
#     isn't listening)
#   - Block UDP with an ICMP Port Unreachable (to make it appear
#     as if the service isn't listening)
#   - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
block out quick on ed1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
block in quick on ed1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
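One thing worth seeing with this rule set: IPFilter consults the kernel default (pass, or block when built with IPFILTER_DEFAULT_BLOCK) only for a packet that matches no rule at all, and every ed0/ed1 section above ends in a `quick` block-all (lo0 in a `quick` pass-all), so the default cannot change the verdict on those interfaces and only decides packets on an interface the rules never name. The Python below is an added illustration, not the poster's code or part of IPFilter: it evaluates a constructed excerpt of the rules with ipf's quick/last-match semantics; the interface ed2, the addresses and the packets used in the assertions are constructed.

```python
import ipaddress

# Constructed excerpt of the ed0/ed1 rules from the post above.
RULES_TEXT = """
pass out quick on ed0 proto tcp from any to any keep state
block in log quick on ed0 from 10.0.0.0/8 to any   #RFC 1918 private IP
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all
pass in quick on ed1 proto tcp from any to any keep state
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(line):
    """Parse the subset of ipf syntax used above; None for blank/comment lines."""
    t = line.split("#", 1)[0].split()
    if not t:
        return None
    r = {"text": " ".join(t), "action": t[0], "quick": "quick" in t,
         "dir": "in" if "in" in t else "out", "proto": None,
         "src": ANY, "dst": ANY}
    for i, tok in enumerate(t):
        if tok == "on":
            r["iface"] = t[i + 1]
        elif tok == "proto":
            r["proto"] = t[i + 1]
        elif tok in ("from", "to") and t[i + 1] != "any":
            r["src" if tok == "from" else "dst"] = ipaddress.ip_network(t[i + 1])
    return r

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"]
            and r["proto"] in (None, p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"])

def evaluate(rules, p, default_block=True):
    """ipf semantics: a 'quick' match ends the scan, otherwise the last match
    wins; only a packet matching no rule at all gets the kernel default."""
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r["quick"]:
                break
    if last is None:
        return ("block" if default_block else "pass", None)
    return (last["action"], last["text"])

RULES = [r for r in map(parse_rule, RULES_TEXT.splitlines()) if r]
```

Call `evaluate(RULES, pkt)` with a packet dict: the same inbound TCP packet hits the return-rst block on ed0 and the pass rule on ed1, while on the unlisted ed2 only the `default_block` argument decides.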