#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside.)
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
# to X servers.
#
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
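The rule set above only works as intended because of how IPFilter orders its decisions: it keeps scanning after a match and the last matching rule decides, unless the matching rule carries `quick`, which ends the scan at once. That is why the opening `pass in from any to any` does not defeat the later `block` lines, and why the anti-spoofing rules are marked `quick`. The following script is an added illustration, not ipf itself and not part of the original page: it implements just the keywords this rule set uses, embeds the rules verbatim, and runs a few constructed packets through them. The name-to-number tables for `sunrpc` and `localhost` are assumptions standing in for /etc/services and /etc/hosts.

```python
"""Toy evaluator for the IPFilter rule subset used on this page (added example).

Implements only: pass/block, in/out, log, quick, on <iface>, proto <p[/p]>,
from/to, all, port = <name-or-number>, icmp-type <t>, with short.
Semantics shown: last matching rule wins, unless a matching rule is `quick`.
"""
import ipaddress

# The page's rule set, embedded verbatim so the script runs offline.
RULESET = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
"""

# Assumed name resolution (ipf would consult /etc/services and /etc/hosts).
SERVICES = {"sunrpc": 111}
HOSTS = {"localhost": "127.0.0.1/32"}


def parse_rule(line):
    """Turn one rule line into a dict of match criteria."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "log": False, "quick": False,
            "iface": None, "protos": None, "src": "any", "dst": "any",
            "port": None, "icmp_type": None, "short": False, "text": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            rule[t] = True
            i += 1
        elif t == "all":                        # shorthand for "from any to any"
            i += 1
        elif t in ("on", "from", "to", "icmp-type"):
            key = {"on": "iface", "from": "src", "to": "dst", "icmp-type": "icmp_type"}[t]
            rule[key] = toks[i + 1]
            i += 2
        elif t == "proto":                      # "tcp/udp" matches either protocol
            rule["protos"] = toks[i + 1].split("/")
            i += 2
        elif t == "port":                       # only the "port = X" form is supported
            val = toks[i + 2]
            rule["port"] = int(SERVICES.get(val, val))
            i += 3
        elif t == "with":                       # only "with short" is supported
            rule["short"] = toks[i + 1] == "short"
            i += 2
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def addr_matches(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(HOSTS.get(spec, spec), strict=False)


def rule_matches(rule, pkt):
    """Every criterion the rule specifies must hold for the packet."""
    return (rule["dir"] == pkt["dir"]
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["protos"] is None or pkt["proto"] in rule["protos"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["port"] is None or pkt.get("dport") == rule["port"])
            and (rule["icmp_type"] is None or pkt.get("icmp_type") == rule["icmp_type"])
            and (not rule["short"] or pkt.get("short", False)))


def evaluate(rules, pkt):
    """Return (verdict, deciding rule text) with ipf last-match-wins semantics."""
    verdict, deciding = "pass", None            # no rule matched: ipf passes the packet
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict, deciding = rule["action"], rule["text"]
            if rule["quick"]:                   # quick ends the scan; this rule is final
                break
    return verdict, deciding


RULES = load_rules(RULESET)


def verdict(pkt):
    return evaluate(RULES, pkt)[0]


# Constructed sample packets (not from the page).
SAMPLES = {
    "ssh from outside":  {"dir": "in", "iface": "ppp0", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.4.10", "dport": 22},
    "spoofed inside src": {"dir": "in", "iface": "ppp0", "proto": "tcp", "src": "192.168.4.77", "dst": "192.168.4.10", "dport": 22},
    "nfs from outside":  {"dir": "in", "iface": "ppp0", "proto": "udp", "src": "203.0.113.5", "dst": "192.168.4.10", "dport": 2049},
    "nfs from inside":   {"dir": "in", "iface": "ed0", "proto": "udp", "src": "192.168.4.5", "dst": "192.168.4.10", "dport": 2049},
    "icmp redirect":     {"dir": "in", "iface": "ppp0", "proto": "icmp", "src": "203.0.113.5", "dst": "192.168.4.10", "icmp_type": "redir"},
    "short fragment":    {"dir": "in", "iface": "ppp0", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.4.10", "short": True},
    "x11 over udp":      {"dir": "in", "iface": "ppp0", "proto": "udp", "src": "203.0.113.5", "dst": "192.168.4.10", "dport": 6000},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} -> {evaluate(RULES, pkt)}")
```

Two of the sample results are worth noticing. "nfs from outside" is blocked even though the rule lacks `quick`: the scan continues past it, but no later rule matches, so the block stands. "x11 over udp" passes because the X rule is written `proto tcp` only, which is correct for X11 but shows how easily a protocol qualifier narrows a block more than the comment above it suggests.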