6de4d5d5a4
so that users get ipfilter examples without a source install. PR: 26763 Submitted by: Cyrille Lefevre <clefevre@poboxes.com>
78 lines
4.0 KiB
Plaintext
# $FreeBSD$
#--------------------------------------------------------------------------
# ed1 - external interface
# fxp0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.0/8 to 127.0.0.0/8 with short
block in log quick all with short
# packets carrying loose or strict source-route options
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
# 100 incoming ed1
# 150 outgoing ed1
# 200 incoming fxp0
# 250 outgoing fxp0
# Each head rule is the default for its group: a packet that matches no
# rule inside the group keeps the head rule's action, i.e. is blocked.
#--------------------------------------------------------------------------
block in log body on ed1 all head 100
block out log body on ed1 all head 150
#--------------------------------------------------------------------------
block in log on fxp0 all head 200
block out log on fxp0 all head 250
#--------------------------------------------------------------------------
# incoming ed1 traffic - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/24 group 100
block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
block in log quick from any to 127.0.0.0/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
#    RFC 1918 space; 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from 192.168.0.0/16 to any group 100
# not quick: the pass rule below can still match 192.168.1.0/24 after it
block in log from any to 192.168.0.0/16 group 100
# 3) implement policy
# allow incoming ftp-data
# NOTE: as written this passes every TCP and UDP packet from the internet
# to 192.168.1.0/24, not only ftp-data; narrow it to the ports you serve.
pass in log quick proto tcp/udp from any to 192.168.1.0/24 keep state group 100
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing ed1 traffic - group 150
# Setup outgoing DNS
pass out log quick proto tcp/udp from any to 212.40.0.10 port = 53 keep state group 150
pass out log quick proto tcp/udp from any to 212.40.5.50 port = 53 keep state group 150
# allow outgoing http-service (flags S/SA: only a bare SYN creates state)
pass out log quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
# allow outgoing smtp traffic
pass out log quick proto tcp from 192.168.1.0/24 to any port = 25 flags S/SA keep state group 150
# allow outgoing pop3 traffic
pass out log quick proto tcp from 192.168.1.0/24 to any port = 110 flags S/SA keep state group 150
# allow outgoing ftp traffic
pass out log quick proto tcp/udp from 192.168.1.0/24 to any port = ftp keep state group 150
pass out log quick proto icmp from any to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on fxp0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
# 192.168.0.1 is assumed to be the firewall's own fxp0 address
block in log quick from 192.168.0.1/32 to any group 200
# NOTE: with a /24 mask this matches all of 192.168.1.0/24, not one host;
# use /32 if a single address is meant
block in log quick from 192.168.1.110/24 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on fxp0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.1/32 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------