Annotation of src/share/ipf/firewall.3, Revision 1.1 (committed by kjell)

#!/sbin/ipf -f -
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# Short packets: packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets with loopback addresses going in/out of network interfaces other
# than the loopback interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# If we were running named on the firewall and all internal hosts talked to
# it, we'd use the following:
#
#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
#
# Allow outgoing FTP from any internal host to any external FTP server.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
pass in quick proto udp from any to any port = ntp keep state group 202
#
# Allow outgoing connections: SSH, TELNET, WWW
#
pass in quick proto tcp from any to any port = 22 keep state group 201
pass in quick proto tcp from any to any port = telnet keep state group 201
pass in quick proto tcp from any to any port = www keep state group 201
#
#-------------------------------------------------------
block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
#
# Allow incoming to the external firewall interface: mail, WWW, DNS
#
pass in log quick proto tcp from any to any port = smtp keep state group 110
pass in log quick proto tcp from any to any port = www keep state group 110
pass in log quick proto tcp from any to any port = 53 keep state group 110
pass in log quick proto udp from any to any port = 53 keep state group 100
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
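The head/group layout in the "Group setup" section and the quick anti-spoofing rule only make sense together with IP Filter's evaluation order: the last matching rule wins, "quick" stops the search, and a matching "head" rule descends into its group (the head's own block is the fallback when nothing in the group matches). The Python below is an added example, not part of firewall.3 or of IP Filter, that simulates that order over a constructed subset of the rules above; the addresses 203.0.113.0/24 (for a.b.c.d/24, firewall 203.0.113.5) and 198.51.100.0/24 (for w.x.y.z/24) are assumptions, and "keep state" is not modelled.

```python
import ipaddress

# Constructed subset of the page's rules; a.b.c.d/24 -> 203.0.113.0/24 (ppp0, firewall 203.0.113.5), w.x.y.z/24 -> 198.51.100.0/24 (ed0)
RULES = """\
block in log on ppp0 all head 100
block in log quick from 203.0.113.0/24 to any group 100
block in log proto tcp from any to 203.0.113.5/32 flags S/SA head 110 group 100
pass in log quick proto tcp from any to any port = 25 keep state group 110
block in log on ed0 from 198.51.100.0/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
pass in quick proto tcp from any to any port = 22 keep state group 201"""
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "head": "head", "group": "group"}

def parse_rule(line):  # keyword subset only; 'log' and 'keep state' have no match semantics here
    t = line.split()
    r = dict(action=t[0], dir=t[1], quick="quick" in t, syn="S/SA" in t, head=None, group=0,
             **{k: None for k in ("iface", "proto", "src", "dst", "srcport", "dstport")})
    side = "src"
    for i, w in enumerate(t):
        if w in KEYS:
            r[KEYS[w]] = int(t[i + 1]) if w in ("head", "group") else t[i + 1]
            side = {"from": "src", "to": "dst"}.get(w, side)
        elif w == "port":  # "port = N" binds to the side of the last from/to
            r[side + "port"] = t[i + 2]
    return r

def matches(r, p):  # stateless match of one rule against a packet dict
    addr_ok = lambda s: r[s] in (None, "any") or ipaddress.ip_address(p[s]) in ipaddress.ip_network(r[s])
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and (not r["syn"] or (p["proto"] == "tcp" and p.get("syn", False)))
            and all(addr_ok(s) for s in ("src", "dst"))
            and all(r[s + "port"] in (None, str(p.get(s + "port"))) for s in ("src", "dst")))

def evaluate(groups, p, gid=0):  # ipf order: last match wins, 'quick' stops, a matching head descends
    result, quick = None, False
    for r in groups.get(gid, []):
        if matches(r, p):
            result = r
            if r["head"] is not None:  # the head's own action is the fallback if its group has no match
                sub, quick = evaluate(groups, p, r["head"])
                result = sub or result
            if quick or r["quick"]:
                return result, True
    return result, False

def decision(p, text=RULES):
    groups = {}
    for r in map(parse_rule, text.splitlines()):
        groups.setdefault(r["group"], []).append(r)
    return (evaluate(groups, p)[0] or {"action": "pass"})["action"]  # ipf default: pass
```

Running decision() on an inbound SYN to port 25 with a source inside 203.0.113.0/24 returns "block" from the quick spoof rule even though group 110 would otherwise pass it, and an internal SYN to port 80 falls back to head 201's block because nothing in group 201 matches.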