Annotation of src/share/ipf/firewall.2, Revision 1.3
#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
# Note that ipf applies the last matching rule unless a matching rule
# says "quick", so the order of the rules below matters: the two
# pass-everything rules at the top are the default, and each later
# rule narrows what they allow.
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network, from
# localhost, or from the unspecified and broadcast addresses shouldn't
# be coming in from outside.)
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged; their rules come after
# the general block so that they are the last match.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP connection attempts to known services,
# returning a connection reset so things like ident don't take
# forever timing out. Don't log ident (auth port) as it's so common.
# Only connection attempts (SYN without ACK, "flags S/SA") are
# blocked; no state is kept, so any other TCP segment falls through
# to the default pass rule above.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000
# (exclusive), as these don't have daemons listening but are used by
# outgoing services like ftp and talk. For slightly more obscurity
# (though not much more security), the second, commented-out rule can
# be chosen instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts: TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
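The rules above only make sense once you know that ipf takes the last matching rule and stops early only at a rule marked quick. The following Python script, added here as an illustration and not part of the firewall.2 file or of IP Filter, parses the subset of ipf(5) syntax the file uses and runs constructed packets through it. The addresses in HOSTS and the port numbers in SERVICES are assumptions standing in for the name resolution ipf does when the rules are loaded, and the Packet fields are a constructed summary of what the filter sees. The ruleset in RULES spells the anti-spoof network as 192.168.4.0/24, matching the network named in the header comment; with the 198.168.4.0/24 spelling that revision 1.3 carries in that rule, a SYN arriving on ppp0 with a source inside 192.168.4.0/24 is not caught and ends up passed to the mail host by the later smtp rule, which is one of the cases the script lets you check.

```python
# Added example, not from the firewall.2 file: evaluate packets against the
# ipf(5) rule subset used above (last matching rule wins, "quick" stops the search).
import ipaddress
from dataclasses import dataclass

# Assumed stand-ins for the DNS and /etc/services lookups ipf does at load time.
HOSTS = {"localhost": "127.0.0.1", "ns1": "192.168.4.2", "mail": "192.168.4.3",
         "www": "192.168.4.4", "gatekeeper": "192.168.4.5"}
SERVICES = {"sunrpc": 111, "domain": 53, "talk": 517, "ntalk": 518, "auth": 113,
            "smtp": 25, "www": 80, "ssh": 22, "ftp-data": 20}
# The rules from the file, with the anti-spoof network spelled 192.168.4.0/24.
RULES = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
"""

@dataclass
class Packet:                       # constructed summary of what the filter sees
    iface: str; direction: str; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0; flags: str = ""   # flags: TCP bits set, e.g. "S"
    icmp_type: str = ""; short: bool = False; ipopts: bool = False

def addr_match(spec, ip):          # "any", a name from HOSTS, or an address/CIDR
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(
        HOSTS.get(spec, spec), strict=False)

def parse_rule(line):
    t, i = line.split(), 1
    r = dict.fromkeys(("dir", "iface", "proto", "sport", "dport", "flags", "icmp_type", "with"))
    r.update(text=line, action=t[0], log=False, quick=False, src="any", dst="any")
    while i < len(t):
        w = t[i]
        if w in ("in", "out"):
            r["dir"] = w
        elif w in ("log", "quick"):
            r[w] = True
        elif w in ("on", "proto", "flags", "icmp-type", "with"):
            r[{"on": "iface", "icmp-type": "icmp_type"}.get(w, w)] = t[i + 1]
            i += 1
        elif w in ("from", "to"):
            key = "src" if w == "from" else "dst"
            r[key], i = t[i + 1], i + 1
            if t[i + 1:i + 2] == ["port"]:           # "port = X" or "port N >< M"
                if t[i + 2] == "=":
                    port = SERVICES.get(t[i + 3]) or int(t[i + 3])
                    r[key[0] + "port"], i = (port, port), i + 3
                else:                                # N >< M excludes both ends
                    r[key[0] + "port"], i = (int(t[i + 2]) + 1, int(t[i + 4]) - 1), i + 4
        i += 1                  # "all", "return-rst" and other words need no handling
    return r

def rule_matches(r, p):
    if r["dir"] != p.direction or r["iface"] not in (None, p.iface):
        return False
    if r["proto"] and p.proto not in r["proto"].split("/"):         # "tcp/udp"
        return False
    if not (addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)):
        return False
    for k, v in (("sport", p.sport), ("dport", p.dport)):
        if r[k] and not r[k][0] <= v <= r[k][1]:
            return False
    if r["flags"]:                 # "S/SA": of the bits S and A, exactly S is set
        want, mask = r["flags"].split("/")
        if set(p.flags) & set(mask) != set(want):
            return False
    if r["icmp_type"] not in (None, p.icmp_type):
        return False
    return not r["with"] or getattr(p, r["with"])

def evaluate(rules_text, p):
    """Return (action, logged, rule text) for the rule that decides the packet:
    the last match wins, except that a matching "quick" rule ends the search."""
    winner = None
    for r in map(parse_rule, rules_text.strip().splitlines()):
        if rule_matches(r, p):
            winner = r
            if r["quick"]:
                break
    return (winner["action"], winner["log"], winner["text"]) if winner else ("pass", False, None)
```

On a real gateway the corresponding check is ipftest(1), which runs packet descriptions through a rule file; this evaluator only models the keywords used in firewall.2 (no keep state, no return-rst behaviour) and exists to make the ordering visible. Two results worth noting: a SYN to port 113 is blocked without logging because the later auth rule is the last match, and a non-SYN segment to any port matches no block rule at all and is passed by the default rule, since nothing here keeps state.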