Annotation of src/share/ipf/firewall.2, Revision 1.1
#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP connections to known services,
# returning a connection reset so things like ident don't take
# forever timing out. Don't log ident (auth port) as it's so common.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000, as
# these don't have daemons listening but are used by outgoing
# services like ftp and talk. For slightly more obscurity (though
# not much more security), the second commented out rule can be chosen
# instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts, TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
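The ordering above only works because of how IPFilter evaluates a ruleset: every rule is tried, the last one that matches decides, and only a `quick` rule stops the scan early. The following is an added example, not part of firewall.2, that models that evaluation for the inbound ppp0 rules (logging, the `short` and `ipopts` rules left out); the host addresses and the packets are constructed for illustration.

```python
import ipaddress

# Constructed addresses for the hosts the ruleset names (assumption, not from the page).
HOSTS = {"ns1": "192.168.4.2", "mail": "192.168.4.3",
         "www": "192.168.4.4", "gatekeeper": "192.168.4.5"}
NET = ipaddress.ip_network("192.168.4.0/24")
# Rule = (action, quick, proto, src_net, dst_host, dport, syn_only); dport is None (any),
# an int ("port = N") or (lo, hi) for "port lo >< hi". Logging, short and ipopts omitted.
RULES = [
    ("pass", False, None, None, None, None, False),          # pass in from any to any
    ("block", True, None, NET, None, None, False),           # anti-spoof, quick
    ("block", False, "udp", None, None, None, False),        # block all UDP ...
    ("block", False, "udp", None, None, 111, False),         # sunrpc (logged in ipf)
    ("block", False, "udp", None, None, 2049, False),        # nfs (logged in ipf)
    ("pass", False, "udp", None, None, 53, False),           # ... except domain,
    ("pass", False, "udp", None, None, 517, False),          # talk,
    ("pass", False, "udp", None, None, 518, False),          # ntalk
    ("block return-rst", False, "tcp", None, None, None, True),  # any TCP SYN
    ("block", False, "tcp", None, None, 113, True),          # auth: plain block
    ("pass", False, "tcp", None, None, (1024, 5000), False), # ephemeral range
    ("pass", False, "tcp", None, "ns1", 53, False),
    ("pass", False, "tcp", None, "mail", 25, False),
    ("pass", False, "tcp", None, "www", 80, False),
    ("pass", False, "tcp", None, "gatekeeper", 22, False),
]

def port_ok(spec, port):
    if isinstance(spec, tuple):               # ipf "lo >< hi" excludes both ends
        return spec[0] < port < spec[1]
    return spec is None or port == spec

def matches(rule, pkt):
    _, _, proto, src_net, dst, dport, syn_only = rule
    return ((proto is None or pkt["proto"] == proto)
            and (src_net is None or ipaddress.ip_address(pkt["src"]) in src_net)
            and (dst is None or pkt["dst"] == HOSTS[dst])
            and (not syn_only or pkt.get("flags") == "S")   # S/SA: SYN set, ACK clear
            and port_ok(dport, pkt.get("dport")))

def evaluate(pkt, rules=RULES):
    """Verdict for a packet arriving inbound on ppp0. ipf keeps scanning after a
    match and the LAST matching rule wins, unless the matching rule says 'quick',
    which ends the search immediately."""
    verdict = None                            # rule 1 matches everything, so always set
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule[0]
            if rule[1]:                       # quick
                break
    return verdict
```

Two things the model makes visible: a non-SYN TCP segment to any port is passed by the first rule (this ruleset is stateless and relies on the `flags S/SA` match to stop new connections), and because the auth rule matches last, an ident SYN is dropped silently rather than reset.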