| blob | ba00504a37c8069d49362f6c788a7d87ca0eaf40 |
1 # $FreeBSD$
2 #
3 # This is an example of a fairly heavy firewall used to keep everyone
4 # out of a particular network while still allowing people within that
5 # network to get outside.
6 #
7 # The example assumes it is running on a gateway with interface ppp0
8 # attached to the outside world, and interface ed0 attached to
9 # network 192.168.4.0 which needs to be protected.
10 #
11 #
12 # Pass any packets not explicitly mentioned by subsequent rules
13 #
14 pass out from any to any
15 pass in from any to any
16 #
17 # Block any inherently bad packets coming in from the outside world.
18 # These include ICMP redirect packets, IP fragments so short the
19 # filtering rules won't be able to examine the whole UDP/TCP header,
20 # and anything with IP options.
21 #
22 block in log quick on ppp0 proto icmp from any to any icmp-type redir
23 block in log quick on ppp0 proto tcp/udp all with short
24 block in log quick on ppp0 from any to any with ipopts
25 #
26 # Block any IP spoofing attempts. (Packets "from" our network
27 # shouldn't be coming in from outside).
28 #
29 block in log quick on ppp0 from 192.168.4.0/24 to any
30 block in log quick on ppp0 from localhost to any
31 block in log quick on ppp0 from 0.0.0.0/32 to any
32 block in log quick on ppp0 from 255.255.255.255/32 to any
33 #
34 # Block all incoming UDP traffic except talk and DNS traffic. NFS
35 # and portmap are special-cased and logged.
36 #
37 block in on ppp0 proto udp from any to any
38 block in log on ppp0 proto udp from any to any port = sunrpc
39 block in log on ppp0 proto udp from any to any port = 2049
40 pass in on ppp0 proto udp from any to any port = domain
41 pass in on ppp0 proto udp from any to any port = talk
42 pass in on ppp0 proto udp from any to any port = ntalk
43 #
44 # Block all incoming TCP traffic connections to known services,
45 # returning a connection reset so things like ident don't take
46 # forever timing out. Don't log ident (auth port) as it's so common.
47 #
48 block return-rst in log on ppp0 proto tcp from any to any flags S/SA
49 block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
50 #
51 # Allow incoming TCP connections to ports between 1024 and 5000, as
52 # these don't have daemons listening but are used by outgoing
53 # services like ftp and talk. For slightly more obscurity (though
54 # not much more security), the second commented out rule can chosen
55 # instead.
56 #
57 pass in on ppp0 proto tcp from any to any port 1024 >< 5000
58 #pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
59 #
60 # Now allow various incoming TCP connections to particular hosts, TCP
61 # to the main nameserver so secondaries can do zone transfers, SMTP
62 # to the mail host, www to the web server (which really should be
63 # outside the firewall if you care about security), and ssh to a
64 # hypothetical machine caled 'gatekeeper' that can be used to gain
65 # access to the protected network from the outside world.
66 #
67 pass in on ppp0 proto tcp from any to ns1 port = domain
68 pass in on ppp0 proto tcp from any to mail port = smtp
69 pass in on ppp0 proto tcp from any to www port = www
70 pass in on ppp0 proto tcp from any to gatekeeper port = ssh