diff options
| author | cy <cy@FreeBSD.org> | 2013-07-19 05:41:57 +0000 |
|---|---|---|
| committer | cy <cy@FreeBSD.org> | 2013-07-19 05:41:57 +0000 |
| commit | 672af8808c0e7c15f330b401482f9271c2eb3fa6 (patch) | |
| tree | 225b5acf68c01bc6a260b386c2b2dbf4fa2839e3 /contrib/ipfilter/rules/BASIC_1.FW | |
| parent | 71e82d94e82560b20789833f60056506de34de8b (diff) | |
| download | FreeBSD-src-672af8808c0e7c15f330b401482f9271c2eb3fa6.zip FreeBSD-src-672af8808c0e7c15f330b401482f9271c2eb3fa6.tar.gz | |
As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.
To keep the tags consistent with dist, the tags are also flattened.
Approved by: glebius (Mentor)
Diffstat (limited to 'contrib/ipfilter/rules/BASIC_1.FW')
| -rw-r--r-- | contrib/ipfilter/rules/BASIC_1.FW | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW deleted file mode 100644 index d2bd60a..0000000 --- a/contrib/ipfilter/rules/BASIC_1.FW +++ /dev/null @@ -1,99 +0,0 @@ -#!/sbin/ipf -f - -# -# SAMPLE: RESTRICTIVE FILTER RULES -# -# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3 -# -# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32 -# -# ed0 - (internal) network interface, address w.x.y.z/32 -# -# This file contains the basic rules needed to construct a firewall for the -# above situation. -# -#------------------------------------------------------- -# *Nasty* packets we don't want to allow near us at all! -# short packets which are packets fragmented too short to be real. -block in log quick all with short -#------------------------------------------------------- -# Group setup. -# ============ -# By default, block and log everything. This maybe too much logging -# (especially for ed0) and needs to be further refined. -# -block in log on ppp0 all head 100 -block in log proto tcp all flags S/SA head 101 group 100 -block out log on ppp0 all head 150 -block in log on ed0 from w.x.y.z/24 to any head 200 -block in log proto tcp all flags S/SA head 201 group 200 -block in log proto udp all head 202 group 200 -block out log on ed0 all head 250 -#------------------------------------------------------- -# Localhost packets. -# ================== -# packets going in/out of network interfaces that aren't on the loopback -# interface should *NOT* exist. -block in log quick from 127.0.0.0/8 to any group 100 -block in log quick from any to 127.0.0.0/8 group 100 -block in log quick from 127.0.0.0/8 to any group 200 -block in log quick from any to 127.0.0.0/8 group 200 -# And of course, make sure the loopback allows packets to traverse it. -pass in quick on lo0 all -pass out quick on lo0 all -#------------------------------------------------------- -# Invalid Internet packets. -# ========================= -# -# Deny reserved addresses. -# -block in log quick from 10.0.0.0/8 to any group 100 -block in log quick from 192.168.0.0/16 to any group 100 -block in log quick from 172.16.0.0/12 to any group 100 -# -# Prevent IP spoofing. -# -block in log quick from a.b.c.d/24 to any group 100 -# -#------------------------------------------------------- -# Allow outgoing DNS requests (no named on firewall) -# -pass in quick proto udp from any to any port = 53 keep state group 202 -# -# If we were running named on the firewall and all internal hosts talked to -# it, we'd use the following: -# -#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202 -#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state -# -# Allow outgoing FTP from any internal host to any external FTP server. -# -pass in quick proto tcp from any to any port = ftp keep state group 201 -pass in quick proto tcp from any to any port = ftp-data keep state group 201 -pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101 -# -# Allow NTP from any internal host to any external NTP server. -# -pass in quick proto udp from any to any port = ntp keep state group 202 -# -# Allow outgoing connections: SSH, TELNET, WWW -# -pass in quick proto tcp from any to any port = 22 keep state group 201 -pass in quick proto tcp from any to any port = telnet keep state group 201 -pass in quick proto tcp from any to any port = www keep state group 201 -# -#------------------------------------------------------- -block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100 -# -# Allow incoming to the external firewall interface: mail, WWW, DNS -# -pass in log quick proto tcp from any to any port = smtp keep state group 110 -pass in log quick proto tcp from any to any port = www keep state group 110 -pass in log quick proto tcp from any to any port = 53 keep state group 110 -pass in log quick proto udp from any to any port = 53 keep state group 100 -#------------------------------------------------------- -# Log these: -# ========== -# * return RST packets for invalid SYN packets to help the other end close -block return-rst in log proto tcp from any to any flags S/SA group 100 -# * return ICMP error packets for invalid UDP packets -block return-icmp(net-unr) in proto udp all group 100 |
