xref: /freebsd/share/examples/ipfilter/firewall.2 (revision c697fb7f)
# $FreeBSD$
#
#  This is an example of a fairly heavy firewall used to keep everyone
#  out of a particular network while still allowing people within that
#  network to get outside.
#
#  The example assumes it is running on a gateway with interface ppp0
#  attached to the outside world, and interface ed0 attached to
#  network 192.168.4.0/24, which needs to be protected.
#
#
#  Pass any packets not explicitly mentioned by subsequent rules.
#  ipf applies the LAST matching rule unless a matching rule says
#  "quick", so these two rules set the default and every later rule
#  overrides them for the traffic it matches.
#
pass out from any to any
pass in from any to any
#
#  Block any inherently bad packets coming in from the outside world.
#  These include ICMP redirect packets, IP fragments so short the
#  filtering rules won't be able to examine the whole UDP/TCP header,
#  and anything with IP options.  These rules are "quick": a match ends
#  rule evaluation, so no later pass rule can let such a packet through.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
#  Block any IP spoofing attempts.  (Packets "from" our network
#  shouldn't be coming in from outside.)  Note that "localhost" matches
#  only the address it resolves to (127.0.0.1), not all of 127.0.0.0/8.
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
#  Block all incoming UDP traffic except talk and DNS traffic.  The
#  blanket block is not logged; NFS and portmap are special-cased so
#  that probes for them are logged.  The pass rules come last because
#  the last matching rule wins.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
#  Block all incoming TCP connections to known services,
#  returning a connection reset so things like ident don't take
#  forever timing out.  Don't log ident (auth port) as it's so common.
#  "flags S/SA" matches only connection-opening segments (SYN set, ACK
#  clear); there is no "keep state" here, so segments with other flag
#  combinations fall through to the default pass rule above.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
#  Allow incoming TCP connections to ports between 1024 and 5000 (the
#  "><" range excludes both end points), as these don't have daemons
#  listening but are used by outgoing services like ftp and talk.  For
#  slightly more obscurity (though not much more security), the second,
#  commented-out rule can be chosen instead.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
#  Now allow various incoming TCP connections to particular hosts: TCP
#  to the main nameserver so secondaries can do zone transfers, SMTP
#  to the mail host, www to the web server (which really should be
#  outside the firewall if you care about security), and ssh to a
#  hypothetical machine called 'gatekeeper' that can be used to gain
#  access to the protected network from the outside world.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
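The ruleset above relies on one ipf(5) property: rules are evaluated in order and the last matching rule wins, unless a matching rule carries "quick", which stops evaluation immediately. The following is an added example, not part of FreeBSD or the ipfilter sources: a Python model of that evaluation run over the same rule text. The addresses for ns1, mail, www and gatekeeper (192.168.4.2 through .5), the outside host 203.0.113.9 and the probe packets are constructed for the example. It shows why the two default "pass" rules come first, why a spoofed source is dropped before any pass rule is reached, why the UDP and TCP pass rules must follow their block rules, and why a TCP segment that is not a bare SYN is not stopped by the "flags S/SA" rules.

```python
# Added example, not FreeBSD or ipfilter code: a small model of how ipf(5)
# evaluates the firewall.2 ruleset.  Rules are tried in order and the LAST
# match decides, except that a matching "quick" rule ends evaluation at once.
# Host addresses, service numbers and the probe packets are constructed.
import ipaddress
HOSTS = {"ns1": "192.168.4.2", "mail": "192.168.4.3", "www": "192.168.4.4",
         "gatekeeper": "192.168.4.5", "localhost": "127.0.0.1"}  # assumed
SERVICES = {"sunrpc": 111, "domain": 53, "talk": 517, "ntalk": 518,
            "auth": 113, "smtp": 25, "www": 80, "ssh": 22}
RULESET = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
"""

def parse_rule(line):
    """Parse one rule (only the syntax used in RULESET) into a dict."""
    t = line.split()
    r = {"action": t.pop(0), "rst": t[0] == "return-rst", "log": False,
         "quick": False, "iface": None, "proto": None, "src": "any", "dst": "any",
         "sport": None, "dport": None, "flags": None, "icmp": None, "with": None}
    if r["rst"]:
        t.pop(0)
    r["dir"] = t.pop(0)
    while t:
        w = t.pop(0)
        if w in ("log", "quick"):
            r[w] = True
        elif w in ("on", "proto", "flags", "icmp-type", "with"):
            r[{"on": "iface", "icmp-type": "icmp"}.get(w, w)] = t.pop(0)
        elif w in ("from", "to"):
            akey, pkey = ("src", "sport") if w == "from" else ("dst", "dport")
            r[akey] = t.pop(0)
            if t and t[0] == "port":            # "port = X" or "port lo >< hi"
                _, a, b = t.pop(0), t.pop(0), t.pop(0)
                if a == "=":
                    r[pkey] = (int(SERVICES.get(b, b)),) * 2
                else:                           # "><" excludes both end points
                    r[pkey] = (int(a) + 1, int(t.pop(0)) - 1)
        elif w != "all":
            raise ValueError("unsupported token %r in: %s" % (w, line))
    return r

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(
        HOSTS.get(spec, spec), strict=False)

def matches(r, p):
    """Does rule r match packet dict p (keys listed in evaluate's docstring)?"""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] not in r["proto"].split("/"):
        return False
    if not (_addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])):
        return False
    for k in ("sport", "dport"):
        if r[k] and not r[k][0] <= p.get(k, -1) <= r[k][1]:
            return False
    if r["flags"] == "S/SA" and not p.get("syn_only"):  # SYN set, ACK clear
        return False
    if r["icmp"] and p.get("icmp") != r["icmp"]:
        return False
    return not r["with"] or bool(p.get(r["with"]))      # "with short"/"with ipopts"

RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

def evaluate(p, rules=RULES):
    """Verdict (action, logged, return_rst, rule_no) for packet p, a dict with
    dir, iface, proto, src, dst and optional sport, dport, syn_only, short,
    ipopts, icmp.  Last match wins; a matching "quick" rule stops the scan."""
    verdict = ("pass", False, False, 0)  # ipf default with no match (pass unless the
    for n, r in enumerate(rules, 1):     # kernel has IPFILTER_DEFAULT_BLOCK); moot here
        if matches(r, p):
            verdict = (r["action"], r["log"], r["rst"], n)
            if r["quick"]:
                break
    return verdict

if __name__ == "__main__":  # two probes from a constructed outside host
    syn = dict(dir="in", iface="ppp0", proto="tcp", src="203.0.113.9",
               dst="192.168.4.9", sport=40000, dport=23)
    print("SYN to telnet:", evaluate(dict(syn, syn_only=True)))  # block, RST, logged
    print("ACK to telnet:", evaluate(syn))                       # passes: no keep state
```

evaluate() reports which rule made the decision, so it doubles as a check when reordering rules: moving "pass in on ppp0 proto udp ... port = domain" above the blanket UDP block, for instance, turns the rule-13 pass into a rule-10 block, and any packet with a forged 192.168.4.0/24 source on ppp0 is decided by the quick rule 6 no matter what follows. The "with short" and "with ipopts" checks are modelled as packet flags because the example does not parse real headers.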
70pass in on ppp0 proto tcp from any to gatekeeper port = ssh
71