diff options
author | darrenr <darrenr@FreeBSD.org> | 2001-10-20 04:17:07 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2001-10-20 04:17:07 +0000 |
commit | 7460780f26ddb1a56ce9edcfda0fc5bdf0654760 (patch) | |
tree | a215edcaca466164008dd39dec8b0d08291f40cb /share/examples/ipfilter/firewall.2 | |
parent | 11dcd7407753aacaf46341311b4da0e4693142e8 (diff) | |
download | FreeBSD-src-7460780f26ddb1a56ce9edcfda0fc5bdf0654760.zip FreeBSD-src-7460780f26ddb1a56ce9edcfda0fc5bdf0654760.tar.gz |
Add the IPFilter how-to and other related documents to the base install
so that users gets ipfilter examples without a source install.
PR: 26763
Submitted by: Cyrille Lefevre <clefevre@poboxes.com>
Diffstat (limited to 'share/examples/ipfilter/firewall.2')
-rw-r--r-- | share/examples/ipfilter/firewall.2 | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/share/examples/ipfilter/firewall.2 b/share/examples/ipfilter/firewall.2 new file mode 100644 index 0000000..23d610d --- /dev/null +++ b/share/examples/ipfilter/firewall.2 @@ -0,0 +1,70 @@ +# $FreeBSD$ +# +# This is an example of a fairly heavy firewall used to keep everyone +# out of a particular network while still allowing people within that +# network to get outside. +# +# The example assumes it is running on a gateway with interface ppp0 +# attached to the outside world, and interface ed0 attached to +# network 192.168.4.0 which needs to be protected. +# +# +# Pass any packets not explicitly mentioned by subsequent rules +# +pass out from any to any +pass in from any to any +# +# Block any inherently bad packets coming in from the outside world. +# These include ICMP redirect packets, IP fragments so short the +# filtering rules won't be able to examine the whole UDP/TCP header, +# and anything with IP options. +# +block in log quick on ppp0 proto icmp from any to any icmp-type redir +block in log quick on ppp0 proto tcp/udp all with short +block in log quick on ppp0 from any to any with ipopts +# +# Block any IP spoofing atempts. (Packets "from" our network +# shouldn't be coming in from outside). +# +block in log quick on ppp0 from 192.168.4.0/24 to any +block in log quick on ppp0 from localhost to any +block in log quick on ppp0 from 0.0.0.0/32 to any +block in log quick on ppp0 from 255.255.255.255/32 to any +# +# Block all incoming UDP traffic except talk and DNS traffic. NFS +# and portmap are special-cased and logged. +# +block in on ppp0 proto udp from any to any +block in log on ppp0 proto udp from any to any port = sunrpc +block in log on ppp0 proto udp from any to any port = 2049 +pass in on ppp0 proto udp from any to any port = domain +pass in on ppp0 proto udp from any to any port = talk +pass in on ppp0 proto udp from any to any port = ntalk +# +# Block all incoming TCP traffic connections to known services, +# returning a connection reset so things like ident don't take +# forever timing out. Don't log ident (auth port) as it's so common. +# +block return-rst in log on ppp0 proto tcp from any to any flags S/SA +block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA +# +# Allow incoming TCP connections to ports between 1024 and 5000, as +# these don't have daemons listening but are used by outgoing +# services like ftp and talk. For slightly more obscurity (though +# not much more security), the second commented out rule can chosen +# instead. +# +pass in on ppp0 proto tcp from any to any port 1024 >< 5000 +#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000 +# +# Now allow various incoming TCP connections to particular hosts, TCP +# to the main nameserver so secondaries can do zone transfers, SMTP +# to the mail host, www to the web server (which really should be +# outside the firewall if you care about security), and ssh to a +# hypothetical machine caled 'gatekeeper' that can be used to gain +# access to the protected network from the outside world. +# +pass in on ppp0 proto tcp from any to ns1 port = domain +pass in on ppp0 proto tcp from any to mail port = smtp +pass in on ppp0 proto tcp from any to www port = www +pass in on ppp0 proto tcp from any to gatekeeper port = ssh |