#--------------------------------------------------------------------------
# ed1  - external interface
# fxp0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all:
# packets which are too short to be real (except echo replies on lo0)
# and source-routed packets
pass in log quick on lo0 proto icmp from 127.0.0.0/8 to 127.0.0.0/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
#   100 incoming ed1
#   150 outgoing ed1
#   200 incoming fxp0
#   250 outgoing fxp0
# Every head rule blocks by default: a packet only gets through if a rule
# inside its group passes it.
#--------------------------------------------------------------------------
block in log body on ed1 all head 100
block out log body on ed1 all head 150
#--------------------------------------------------------------------------
block in log on fxp0 all head 200
block out log on fxp0 all head 250
#--------------------------------------------------------------------------
# incoming ed1 traffic - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.0.0/24 group 100
block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
block in log quick from any to 127.0.0.0/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
#    RFC 1918 space is 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16;
#    a /16 on 172.16.0.0 would only cover 172.16.x.x
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from 192.168.0.0/16 to any group 100
# not "quick": ipf lets the last matching rule win, so the ftp-data rule
# below can still override this block for the internal net
block in log from any to 192.168.0.0/16 group 100
# 3) implement policy
# allow incoming ftp-data (active-mode FTP: the server connects from port 20
# to the client). Restricted to that port; an unrestricted "proto tcp/udp
# from any" here would pass every tcp/udp packet to the internal net.
pass in log quick proto tcp from any port = ftp-data to 192.168.1.0/24 flags S/SA keep state group 100
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing ed1 traffic - group 150
# Setup outgoing DNS
pass out log quick proto tcp/udp from any to 212.40.0.10 port = 53 keep state group 150
pass out log quick proto tcp/udp from any to 212.40.5.50 port = 53 keep state group 150
# allow outgoing http-service
pass out log quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
# allow outgoing smtp traffic
pass out log quick proto tcp from 192.168.1.0/24 to any port = 25 flags S/SA keep state group 150
# allow outgoing pop3 traffic
pass out log quick proto tcp from 192.168.1.0/24 to any port = 110 flags S/SA keep state group 150
# allow outgoing ftp traffic (control connection; FTP is TCP only)
pass out log quick proto tcp from 192.168.1.0/24 to any port = ftp flags S/SA keep state group 150
# allow outgoing icmp
pass out log quick proto icmp from any to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on fxp0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing: nothing on the internal wire may use the
#    loopback net or the firewall's own addresses as its source
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.0.1/32 to any group 200
# /32, not /24: a /24 here blocks the whole internal net 192.168.1.0/24 and
# the pass rule below never matches (192.168.1.110 assumed to be the
# firewall's own internal address)
block in log quick from 192.168.1.110/32 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on fxp0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
block out log quick from any to 192.168.0.1/32 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------
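The ordering subtleties in this ruleset (head/group descent, last-match-wins, and the effect of a missing or added "quick") are easiest to check offline. The following is an added example, not part of the original ruleset and not IPFilter itself: a small evaluator for the subset of ipf.conf syntax used above, run against a trimmed copy of the rules and a few constructed packets. The packet addresses (198.51.100.7, 192.168.1.5, 172.20.1.1) and the mapping of 192.168.1.110 to the firewall's own address are assumptions made for the example. Rules with "with short" or "with opt" are skipped, and "flags", "keep state" and NAT are not modelled.

```python
"""Evaluator for the ipf.conf subset on this page: pass/block, in/out, quick,
on <if>, proto, from/to CIDR with optional 'port = N', head/group.
Added example, not IPFilter; 'with ...' rules, flags, state and NAT are ignored."""
import ipaddress
import re

SERVICES = {'ftp': 21, 'ftp-data': 20, 'domain': 53}   # service names the rules use
RULE_RE = re.compile(r'^\s*(pass|block)(?:\s+return-\S+)?\s+(in|out)\b(.*)$')


def parse_rule(line):
    """Return a rule dict, or None for comments and unsupported 'with ...' rules."""
    m = RULE_RE.match(line)
    if not m or ' with ' in line:
        return None
    action, direction, rest = m.groups()
    toks = rest.split()
    rule = {'text': line.strip(), 'action': action, 'dir': direction, 'quick': False,
            'iface': None, 'proto': None, 'src': None, 'dst': None,
            'sport': None, 'dport': None, 'head': 0, 'group': 0}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == 'quick':
            rule['quick'] = True
        elif t == 'on':
            i += 1; rule['iface'] = toks[i]
        elif t == 'proto':
            i += 1; rule['proto'] = set(toks[i].split('/'))      # tcp/udp -> {tcp, udp}
        elif t in ('from', 'to'):
            key = 'src' if t == 'from' else 'dst'
            i += 1
            rule[key] = None if toks[i] == 'any' else ipaddress.ip_network(toks[i], strict=False)
            if i + 3 < len(toks) and toks[i + 1] == 'port' and toks[i + 2] == '=':
                p = toks[i + 3]
                rule['sport' if key == 'src' else 'dport'] = int(p) if p.isdigit() else SERVICES[p]
                i += 3
        elif t == 'head':
            i += 1; rule['head'] = int(toks[i])
        elif t == 'group':
            i += 1; rule['group'] = int(toks[i])
        i += 1          # log, body, all, flags, keep, state, frags ... are skipped
    return rule


def matches(rule, pkt):
    if rule['dir'] != pkt['dir'] or (rule['iface'] and rule['iface'] != pkt['iface']):
        return False
    if rule['proto'] and pkt['proto'] not in rule['proto']:
        return False
    for akey, pkey in (('src', 'sport'), ('dst', 'dport')):
        if rule[akey] is not None and ipaddress.ip_address(pkt[akey]) not in rule[akey]:
            return False
        if rule[pkey] is not None and rule[pkey] != pkt.get(pkey):
            return False
    return True


def evaluate(rules, pkt, group=0):
    """IPFilter semantics: within a group the last matching rule wins, 'quick'
    ends evaluation at once, and a matching 'head N' rule descends into group N
    (the head's own action stands if nothing in that group matches).
    Returns ((action, rule text) or None, stopped_by_quick)."""
    verdict = None
    for r in rules:
        if r['group'] != group or not matches(r, pkt):
            continue
        verdict = (r['action'], r['text'])
        if r['quick']:
            return verdict, True
        if r['head']:
            sub, quick = evaluate(rules, pkt, r['head'])
            if sub is not None:
                verdict = sub
            if quick:
                return verdict, True
    return verdict, False


def decide(ruleset_text, pkt):
    """Final (action, deciding rule) for one packet; IPFilter passes by default."""
    rules = [r for r in map(parse_rule, ruleset_text.splitlines()) if r]
    verdict, _ = evaluate(rules, pkt)
    return verdict or ('pass', '<no rule matched>')


# Trimmed copy of the page's ruleset (comments and 'with' rules dropped).
RULESET = """\
pass in log quick on lo0 all
block in log body on ed1 all head 100
block out log body on ed1 all head 150
block in log on fxp0 all head 200
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log from any to 192.168.0.0/16 group 100
pass in log quick proto tcp from any port = ftp-data to 192.168.1.0/24 flags S/SA keep state group 100
block return-rst in log proto tcp from any to any group 100
pass out log quick proto tcp/udp from any to 212.40.0.10 port = 53 keep state group 150
pass out log quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
pass out log quick proto tcp from 192.168.1.0/24 to any port = ftp keep state group 150
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 192.168.1.110/32 to any group 200
pass in log quick from any to any group 200
"""

# Constructed packets (addresses are made up for the example).
ACTIVE_FTP_DATA = dict(dir='in', iface='ed1', proto='tcp', src='198.51.100.7', sport=20,
                       dst='192.168.1.5', dport=40000)
SPOOFED_RFC1918 = dict(dir='in', iface='ed1', proto='tcp', src='172.20.1.1', sport=3333,
                       dst='192.168.1.5', dport=80)
LAN_CLIENT = dict(dir='in', iface='fxp0', proto='tcp', src='192.168.1.5', sport=4444,
                  dst='198.51.100.7', dport=80)
OUTBOUND_SSH = dict(dir='out', iface='ed1', proto='tcp', src='192.168.1.5', sport=4445,
                    dst='198.51.100.7', dport=22)
```

Running `decide(RULESET, pkt)` on these packets shows: the ftp-data connection is passed only because the `to 192.168.0.0/16` block is not quick; adding `quick` to it (or using `/24` on the 192.168.1.110 rule in group 200) makes `decide` return the block rule instead; a source in 172.20.0.0/16 is caught by the paranoid rule with the /12 mask but falls through to `block return-rst` with a /16 mask, which answers the spoofer with an RST instead of dropping silently; and outbound SSH matches nothing in group 150, so the head rule's block stands.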