# $FreeBSD$
#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
# to X servers.
#
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
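The ordering in this file only works because ipf lets the last matching rule decide unless a matching rule says quick: the two pass rules at the top are the defaults, the later block rules override them, and the quick rules stop the search early. The following is an added example, not part of the FreeBSD sample, that replays the rules above with exactly that semantics over constructed packets; it writes localhost and sunrpc out as 127.0.0.1 and port 111 so it runs without name lookups.

```python
# Added example (not from the FreeBSD sample): evaluate this file's rules the way
# ipf does: the LAST matching rule decides, unless a match is "quick". "localhost"
# and "sunrpc" are written as what they resolve to (127.0.0.1, port 111) for offline use.
import ipaddress
RULES = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from 127.0.0.1/32 to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in log on ppp0 proto tcp/udp from any to any port = 111
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
""".strip().splitlines()
def parse(line):
    # Reduce one rule to the match criteria this file actually uses.
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "short": "short" in t,
         "iface": None, "proto": None, "src": None, "port": None, "icmp": None}
    for i, w in enumerate(t):
        if w == "on":
            r["iface"] = t[i + 1]
        elif w == "proto":
            r["proto"] = t[i + 1].split("/")        # "tcp/udp" matches either
        elif w == "from" and t[i + 1] != "any":
            r["src"] = ipaddress.ip_network(t[i + 1])
        elif w == "port":                            # written as "port = N"
            r["port"] = int(t[i + 2])
        elif w == "icmp-type":
            r["icmp"] = t[i + 1]
    return r
def matches(r, p):
    # A criterion of None means "any"; every stated criterion must hold.
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and r["port"] in (None, p.get("dport")) and r["icmp"] in (None, p.get("icmp_type"))
            and (not r["short"] or p.get("short", False)))
def decide(p, rules=tuple(parse(line) for line in RULES)):
    # Returns (verdict, index of the deciding rule); p is a constructed packet dict.
    verdict = None
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict = (r["action"], i)
            if r["quick"]:      # quick: stop here, later rules are not consulted
                break
    return verdict
```

Running decide() on an inbound TCP packet to port 2049 from outside returns the NFS block rule even though the pass-in rule matched first, while the same packet spoofed from 192.168.4.7 is stopped by the earlier quick anti-spoof rule and never reaches the NFS rule.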