Annotation of src/share/ipf/firewall.1, Revision 1.3
1.1 dm 1: #
2: # This is an example of a very light firewall used to guard against
3: # some of the most easily exploited common security holes.
4: #
5: # The example assumes it is running on a gateway with interface ppp0
6: # attached to the outside world, and interface ed0 attached to
7: # network 192.168.4.0 which needs to be protected.
8: #
9: #
10: # Pass any packets not explicitly mentioned by subsequent rules
11: #
12: pass out from any to any
13: pass in from any to any
14: #
15: # Block any inherently bad packets coming in from the outside world.
16: # These include ICMP redirect packets and IP fragments so short the
17: # filtering rules won't be able to examine the whole UDP/TCP header.
18: #
19: block in log quick on ppp0 proto icmp from any to any icmp-type redir
20: block in log quick on ppp0 proto tcp/udp all with short
21: #
22: # Block any IP spoofing attempts. (Packets "from" our network
23: # shouldn't be coming in from outside).
24: #
1.3 ! kjell 25: block in log quick on ppp0 from 192.168.4.0/24 to any
1.1 dm 26: block in log quick on ppp0 from localhost to any
1.2 mickey 27: block in log quick on ppp0 from 0.0.0.0/32 to any
28: block in log quick on ppp0 from 255.255.255.255/32 to any
1.1 dm 29: #
30: # Block any incoming traffic to NFS ports, to the RPC portmapper, and
31: # to X servers.
32: #
33: block in log on ppp0 proto tcp/udp from any to any port = sunrpc
34: block in log on ppp0 proto tcp/udp from any to any port = 2049
35: block in log on ppp0 proto tcp from any to any port = 6000
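
The ruleset above depends on IP Filter's evaluation order: the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation at once. The Python model below is an added example, not part of firewall.1 or of IP Filter. It replays the inbound rules against constructed packets and assumes that `localhost` means 127.0.0.1, that `sunrpc` is port 111, and that a packet matching no rule is passed.

```python
import ipaddress

# Inbound rules from the example ruleset above, modelled as tuples:
# (action, quick, iface, protos, src_net, dport, extra)
# extra is "redir" (ICMP redirect), "short" (truncated header) or None.
RULES = [
    ("pass",  False, None,   None,           None,                 None, None),
    ("block", True,  "ppp0", {"icmp"},       None,                 None, "redir"),
    ("block", True,  "ppp0", {"tcp", "udp"}, None,                 None, "short"),
    ("block", True,  "ppp0", None,           "192.168.4.0/24",     None, None),
    ("block", True,  "ppp0", None,           "127.0.0.1/32",       None, None),
    ("block", True,  "ppp0", None,           "0.0.0.0/32",         None, None),
    ("block", True,  "ppp0", None,           "255.255.255.255/32", None, None),
    ("block", False, "ppp0", {"tcp", "udp"}, None,                 111,  None),
    ("block", False, "ppp0", {"tcp", "udp"}, None,                 2049, None),
    ("block", False, "ppp0", {"tcp"},        None,                 6000, None),
]

def matches(rule, pkt):
    _, _, iface, protos, src_net, dport, extra = rule
    if iface and pkt["iface"] != iface:
        return False
    if protos and pkt["proto"] not in protos:
        return False
    if src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    if extra and extra not in pkt.get("flags", ()):
        return False
    return True

def decide(pkt, rules=RULES):
    """Return (action, index of deciding rule) for an inbound packet."""
    verdict = ("pass", None)          # assumed default when nothing matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule[0], i)    # a later match replaces an earlier one
            if rule[1]:               # 'quick' stops evaluation here
                break
    return verdict

# Constructed sample packets (not from any capture).
SPOOFED = {"iface": "ppp0", "proto": "tcp", "src": "192.168.4.7", "dport": 80}
NFS     = {"iface": "ppp0", "proto": "udp", "src": "203.0.113.9", "dport": 2049}
WEB     = {"iface": "ppp0", "proto": "tcp", "src": "203.0.113.9", "dport": 80}
LAN_NFS = {"iface": "ed0",  "proto": "udp", "src": "192.168.4.7", "dport": 2049}
```

In this model, moving the `pass in` rule to the end of the list flips the NFS verdict to pass, because the port blocks are not `quick`; the spoofing blocks are unaffected.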