Annotation of src/share/ipf/firewall.1, Revision 1.1
#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0/24 which needs to be protected.
#
# Rule order matters: ipf applies the LAST rule that matches a packet,
# except that a rule marked "quick" is applied as soon as it matches.
# The two "pass" rules below therefore set a default-allow policy, and
# every "block" after them overrides it for the traffic it describes.
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header
# (such a fragment would otherwise slip past the port-based rules below,
# since there is no port for them to compare).
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network or from
# the loopback address shouldn't be coming in from outside.)
# The prefix here must match the protected network above; a typo in it
# silently disables the check.  "localhost" is resolved through the
# hosts file and matches only that single address, not all of 127/8.
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
#
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
# to X servers.  These rules are not "quick", so they only need to come
# after the "pass in" rule above to take effect.  "sunrpc" is looked up
# in /etc/services (port 111).  Port 6000 is X display :0 only;
# additional displays listen on 6001 and up.
#
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
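The following is an added example, not part of the original firewall.1 file or of IPFilter itself: a small Python model of how ipf walks this ruleset, written to check the ordering assumptions the comments rely on. It assumes ipf's last-matching-rule-wins semantics with "quick" ending the search, a default of pass when nothing matches, sunrpc resolving to port 111, localhost resolving to 127.0.0.1, and that a rule comparing a port can never match a fragment too short to carry the transport header. All packets are constructed for the demonstration, and the inside_net parameter exists only so the effect of the wrong anti-spoof prefix (198.168.4.0/24) can be seen next to the correct one.

```python
"""Model of IPFilter rule evaluation applied to the example ruleset (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    iface: str                # "ppp0" (outside) or "ed0" (inside)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    short: bool = False       # fragment too short to hold the TCP/UDP header


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    quick: bool = False       # stop searching as soon as this rule matches
    iface: Optional[str] = None         # None = any interface
    protos: Tuple[str, ...] = ()        # () = any protocol; ("tcp", "udp") = tcp/udp
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None         # "port = N"
    icmp_type: Optional[str] = None     # "icmp-type X"
    short: bool = False                 # "with short"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does every qualifier on the rule agree with the packet?"""
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None:
        # Assumption: a short fragment carries no port, so a port rule cannot match it.
        if pkt.short or pkt.dport != rule.dport:
            return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.short and not pkt.short:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Last matching rule decides, unless a matching rule is quick."""
    decision = "pass"  # assumption: ipf passes a packet no rule matches
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def firewall_rules(inside_net: str = "192.168.4.0/24") -> List[Rule]:
    """The page's ruleset, in order.  inside_net is the anti-spoof prefix."""
    tcp_udp = ("tcp", "udp")
    return [
        Rule("pass", "out"),
        Rule("pass", "in"),
        Rule("block", "in", quick=True, iface="ppp0", protos=("icmp",), icmp_type="redir"),
        Rule("block", "in", quick=True, iface="ppp0", protos=tcp_udp, short=True),
        Rule("block", "in", quick=True, iface="ppp0", src=inside_net),
        Rule("block", "in", quick=True, iface="ppp0", src="127.0.0.1/32"),  # localhost
        Rule("block", "in", iface="ppp0", protos=tcp_udp, dport=111),       # sunrpc
        Rule("block", "in", iface="ppp0", protos=tcp_udp, dport=2049),      # NFS
        Rule("block", "in", iface="ppp0", protos=("tcp",), dport=6000),     # X display :0
    ]


if __name__ == "__main__":
    samples = [
        ("NFS from outside", Packet("in", "ppp0", "tcp", "203.0.113.7", "192.168.4.2", dport=2049)),
        ("X display :1 from outside", Packet("in", "ppp0", "tcp", "203.0.113.7", "192.168.4.2", dport=6001)),
        ("spoofed inside address", Packet("in", "ppp0", "tcp", "192.168.4.9", "192.168.4.2", dport=22)),
        ("short fragment to NFS", Packet("in", "ppp0", "tcp", "203.0.113.7", "192.168.4.2", dport=2049, short=True)),
    ]
    for label, pkt in samples:
        print(f"{label}: correct prefix -> {evaluate(firewall_rules(), pkt)}, "
              f"typo prefix -> {evaluate(firewall_rules('198.168.4.0/24'), pkt)}")
```

Running it shows the two points the comments make: with 198.168.4.0/24 in the anti-spoof rule, a packet arriving on ppp0 with a 192.168.4.x source is passed by the default-allow rule, and removing the "with short" rule lets a short fragment addressed to port 2049 through, because the port rule has nothing to compare.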