xref: /freebsd/share/examples/ipfilter/firewall.2 (revision 61e21613)
#
#  This is an example of a fairly heavy firewall used to keep everyone
#  out of a particular network while still allowing people within that
#  network to get outside.
#
#  The example assumes it is running on a gateway with interface ppp0
#  attached to the outside world, and interface ed0 attached to
#  network 192.168.4.0 which needs to be protected.
#
#
#  Pass any packets not explicitly mentioned by subsequent rules.
#  (IPFilter applies the last matching rule, so these defaults are
#  overridden by any later rule that matches; rules marked "quick"
#  stop the search at once.)
#
pass out from any to any
pass in from any to any
#
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets, IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header,
#  and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
#  Block any IP spoofing attempts.  (Packets "from" our network
#  shouldn't be coming in from outside.)
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
#  Block all incoming UDP traffic except talk and DNS traffic.  NFS
#  and portmap are special-cased and logged.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
#  Block all incoming TCP connections to known services, returning a
#  connection reset so things like ident don't take forever timing
#  out.  Only connection-opening segments (flags S/SA) are matched, so
#  the filtering is stateless.  Don't log ident (auth port) as it's so
#  common.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
#  Allow incoming TCP connections to ports between 1024 and 5000, as
#  these don't have daemons listening but are used by outgoing
#  services like ftp and talk.  For slightly more obscurity (though
#  not much more security), the second, commented-out rule can be
#  chosen instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
#  Now allow various incoming TCP connections to particular hosts: TCP
#  to the main nameserver so secondaries can do zone transfers, SMTP
#  to the mail host, www to the web server (which really should be
#  outside the firewall if you care about security), and ssh to a
#  hypothetical machine called 'gatekeeper' that can be used to gain
#  access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
69pass in on ppp0 proto tcp from any to gatekeeper port = ssh
70