2001-10-20 04:17:07 +00:00
|
|
|
# $FreeBSD$
|
|
|
|
#
|
|
|
|
# This is an example of a very light firewall used to guard against
|
|
|
|
# some of the most easily exploited common security holes.
|
|
|
|
#
|
|
|
|
# The example assumes it is running on a gateway with interface ppp0
|
|
|
|
# attached to the outside world, and interface ed0 attached to
|
|
|
|
# network 192.168.4.0 which needs to be protected.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Pass any packets not explicitly mentioned by subsequent rules
|
|
|
|
#
|
|
|
|
pass out from any to any
|
|
|
|
pass in from any to any
|
|
|
|
#
|
|
|
|
# Block any inherently bad packets coming in from the outside world.
|
|
|
|
# These include ICMP redirect packets and IP fragments so short the
|
|
|
|
# filtering rules won't be able to examine the whole UDP/TCP header.
|
|
|
|
#
|
|
|
|
block in log quick on ppp0 proto icmp from any to any icmp-type redir
|
|
|
|
block in log quick on ppp0 proto tcp/udp all with short
|
|
|
|
#
|
2002-12-27 12:15:40 +00:00
|
|
|
# Block any IP spoofing attempts. (Packets "from" our network
|
2001-10-20 04:17:07 +00:00
|
|
|
# shouldn't be coming in from outside).
|
|
|
|
#
|
|
|
|
block in log quick on ppp0 from 192.168.4.0/24 to any
|
|
|
|
block in log quick on ppp0 from localhost to any
|
|
|
|
block in log quick on ppp0 from 0.0.0.0/32 to any
|
|
|
|
block in log quick on ppp0 from 255.255.255.255/32 to any
|
|
|
|
#
|
|
|
|
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
|
|
|
|
# to X servers.
|
|
|
|
#
|
|
|
|
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
|
|
|
|
block in log on ppp0 proto tcp/udp from any to any port = 2049
|
|
|
|
block in log on ppp0 proto tcp from any to any port = 6000
|