Annotation of src/share/ipf/firewall.4, Revision 1.1
#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# Short packets are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
pass in log quick proto udp all keep state group 200
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
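To make the head/group, quick and last-match semantics of the rules above concrete, here is an added Python evaluator (not part of this file or of IP Filter) that applies a constructed subset of the ruleset to sample inbound packets; 198.51.100.0/24 and 192.0.2.0/24 are assumed stand-ins for a.b.c.d/24 and w.x.y.z/24.

```python
import ipaddress
# Constructed ruleset in the page's own syntax; 198.51.100.0/24 stands in for
# a.b.c.d/24 behind ppp0 and 192.0.2.0/24 for w.x.y.z/24 behind ed0.
RULES = [
    "block in log quick all with short",
    "block in log on ppp0 all head 100",
    "block in log on ed0 from 192.0.2.0/24 to any head 200",
    "block in log quick from 10.0.0.0/8 to any group 100",
    "block in log quick from 198.51.100.0/24 to any group 100",
    "pass in quick on lo0 all",
    "pass in log quick proto tcp all flags S/SA keep state group 200",
    "block return-rst in log proto tcp from any to any flags S/SA group 100",
]

def parse(line):  # pick out the keywords this evaluator understands
    t = line.split()
    r = {"action": t[0], "dir": "in" if "in" in t else "out", "quick": "quick" in t,
         "short": "short" in t, "on": None, "proto": None, "src": "any",
         "dst": "any", "flags": None, "head": None, "group": None}
    for k in ("on", "proto", "from", "to", "flags", "head", "group"):
        if k in t:
            r[{"from": "src", "to": "dst"}.get(k, k)] = t[t.index(k) + 1]
    return r

def matches(r, p):  # p: constructed packet summary (dir, iface, src, dst, ...)
    ok = r["dir"] == p["dir"] and r["on"] in (None, p["iface"])
    ok = ok and (not r["short"] or p.get("short", False)) and r["proto"] in (None, p["proto"])
    ok = ok and (r["flags"] != "S/SA" or (p.get("syn", False) and not p.get("ack", False)))
    return ok and all(s == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(s, strict=False)
                      for s, a in ((r["src"], p["src"]), (r["dst"], p["dst"])))

def decide(rules, p):
    """ipf semantics: last match wins unless 'quick'; a matching head rule runs
    its group's rules right away; no match at all means the packet passes."""
    parsed = [(parse(l), l) for l in rules]
    verdict = ("pass", "<default>")
    for r, text in parsed:
        if r["group"] or not matches(r, p):
            continue
        verdict = (r["action"], text)
        if r["quick"]:
            return verdict
        for g, gtext in parsed:
            if r["head"] and g["group"] == r["head"] and matches(g, p):
                verdict = (g["action"], gtext)
                if g["quick"]:
                    return verdict
    return verdict
```

Feeding it a packet that arrives on ed0 from an address outside 192.0.2.0/24 returns ipf's default pass, because the ed0 head rule only covers that one source range and nothing else matches.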