#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
#
# Pass any packets not explicitly mentioned by subsequent rules.
# (ipf applies the LAST matching rule unless a match is marked "quick",
# so these two catch-all rules are the default that later rules override.)
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside.)
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged. The pass rules below
# override the blanket block because the last matching rule wins.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP connections to known services, returning a
# connection reset so things like ident don't take forever timing
# out. Don't log ident (auth port) as it's so common.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000, as
# these don't have daemons listening but are used by outgoing
# services like ftp and talk. Note that this admits a connection from
# anywhere to anything that happens to be listening on 1025-4999.
# For slightly more obscurity (though not much more security), the
# second, commented-out rule can be chosen instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts: TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
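The ruleset above only behaves as intended because of two ipf evaluation rules: every rule is walked in order and the last match decides, except that a matching rule marked `quick` ends the walk immediately. That is why the file can open with two catch-all `pass` rules, follow a blanket `block in ... proto udp` with `pass` rules for DNS and talk, and still rely on the `quick` spoofing rules firing before any later `pass` could rescue a forged packet. The following is an added example, not part of the original ruleset: a small Python simulator of those semantics, with a parser for the subset of ipf syntax the file uses and a set of constructed packets (the hostnames `ns1` and `mail` are assumed to be already resolved, and the addresses 203.0.113.5 and 192.168.4.10 are made up) run against rules quoted verbatim from the file.

```python
"""Simulate IPFilter (ipf) evaluation of the ruleset above (added example, not part of
the original): rules are walked in order, the LAST match decides, `quick` ends the walk."""
import ipaddress

SERVICES = {"sunrpc": 111, "domain": 53, "talk": 517, "ntalk": 518,
            "auth": 113, "ftp-data": 20, "smtp": 25, "www": 80, "ssh": 22}
# rule keywords -> number of arguments they take
ARGS = {"log": 0, "quick": 0, "all": 0, "on": 1, "proto": 1, "icmp-type": 1, "with": 1, "flags": 1}
RULESET = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from 192.168.4.0/24 to any
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
pass in on ppp0 proto udp from any to any port = domain
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
pass in on ppp0 proto tcp from any to mail port = smtp
"""  # subset of the ruleset above, quoted verbatim

def _port(t, i):  # 'port = x' -> ("=", x); 'port lo >< hi' -> ("><", lo, hi); returns (spec, next i)
    if t[i + 1] == "=":
        return ("=", SERVICES.get(t[i + 2]) or int(t[i + 2])), i + 3
    return ("><", int(t[i + 1]), int(t[i + 3])), i + 4

def parse_rule(line):
    """Parse one rule (the ipf subset used in the ruleset) into a dict."""
    t = line.split()
    r = dict.fromkeys([*ARGS, "sport", "dport"])
    i = 3 if t[1] == "return-rst" else 2                   # t[i - 1] is the direction
    r.update(action=" ".join(t[:i - 1]), direction=t[i - 1], src="any", dst="any", text=line)
    while i < len(t):
        w, arg = t[i], t[i + 1] if i + 1 < len(t) else None
        if w in ARGS:
            r[w] = arg if ARGS[w] else True
        elif w in ("from", "to"):
            side = "src" if w == "from" else "dst"
            r[side] = arg
            if t[i + 2:i + 3] == ["port"]:
                r[side[0] + "port"], i = _port(t, i + 2)   # -> "sport" / "dport"
                continue
        else:
            raise ValueError(f"unsupported keyword {w!r} in: {line}")
        i += ARGS.get(w, 1) + 1
    return r

def addr_match(spec, addr):
    spec = {"any": "0.0.0.0/0", "localhost": "127.0.0.1"}.get(spec, spec)
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # hostname on either side (assumed resolved): by name, or 'any'
        return spec == addr or spec == "0.0.0.0/0"

def port_match(spec, port):
    if spec is None:
        return True
    return port == spec[1] if spec[0] == "=" else spec[1] < port < spec[2]  # '><' excludes both ends

def matches(r, p):
    if r["direction"] != p["direction"] or (r["on"] and r["on"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] not in r["proto"].split("/"):
        return False
    if not (addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])):
        return False
    if r["with"]:                      # 'with short' / 'with ipopts': match on that flag alone
        return bool(p[r["with"]])
    if (r["flags"] and not p["syn"]) or (r["icmp-type"] and r["icmp-type"] != p["icmp_type"]):
        return False                   # only 'flags S/SA' occurs in the ruleset
    return port_match(r["sport"], p["sport"]) and port_match(r["dport"], p["dport"])

def evaluate(rules, p):
    """Return (action, logged, rule text): last match wins, `quick` stops the walk."""
    hit = None
    for r in rules:
        if matches(r, p):
            hit = r
            if r["quick"]:
                break
    if hit is None:
        return "pass", False, None     # ipf's default when no rule matches
    return hit["action"], bool(hit["log"]), hit["text"]

def pkt(direction, iface, src, dst, proto="ip", sport=0, dport=0, syn=False,
        icmp_type="", short=False, ipopts=False):
    return locals()                    # constructed packet: only the fields rules inspect

def demo():
    """Constructed packets arriving on ppp0; returns {scenario: (action, logged)}."""
    rules = [parse_rule(line) for line in RULESET.strip().splitlines()]
    out, inside = "203.0.113.5", "192.168.4.10"             # assumed addresses
    cases = {
        "dns query":      pkt("in", "ppp0", out, "ns1", "udp", 4000, 53),
        "smtp to mail":   pkt("in", "ppp0", out, "mail", "tcp", 4000, 25, syn=True),
        "spoofed smtp":   pkt("in", "ppp0", inside, "mail", "tcp", 4000, 25, syn=True),
        "ident probe":    pkt("in", "ppp0", out, "mail", "tcp", 4000, 113, syn=True),
        "ftp-data 2000":  pkt("in", "ppp0", out, inside, "tcp", 20, 2000, syn=True),
        "port 5000 edge": pkt("in", "ppp0", out, inside, "tcp", 20, 5000, syn=True),
        "short fragment": pkt("in", "ppp0", out, "mail", "tcp", 4000, 25, True, short=True),
    }
    return {name: evaluate(rules, p)[:2] for name, p in cases.items()}
```

Calling `demo()` shows the points the comments in the file only state: the DNS query and the SMTP connection to `mail` pass even though an earlier `block` matched them, the ident probe is reset without being logged because the unlogged `auth` rule comes after the logged one, port 5000 itself is rejected because `><` excludes both endpoints, and the spoofed and short-fragment packets are blocked by a `quick` rule before any later `pass` is consulted. For a real ruleset, ipftest(1) from the IPFilter distribution performs the same kind of dry run against the actual parser rather than this simplified one.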