[geeks] ipf fun
Martijn Pronk
martijn at smartie.xs4all.nl
Tue Jun 4 16:21:36 CDT 2002
Gary Nichols wrote:
> Does anyone have an ipf config that they've used successfully and wouldn't
> mind sharing?
yeah, sure, here is mine:
rl0 and rl1 are my home networks, ed0 is my interface to my adsl
modem and ng0 is my "virtual" interface to the rest of the world.
block in quick on lo0 all head 100
block in quick on ng0 all head 200
block out quick on ng0 all head 250
block in quick on rl0 all head 300
block in quick on rl1 all head 400
block in quick on ed0 all head 500
# Group 100 (lo0)
pass in all group 100
# group 200 (ng0)
# Block net's that should not be seen on the 'net
block in log level uucp.debug quick from 10.0.0.0/8 to any group 200
block in log level uucp.debug quick from 127.0.0.0/8 to any group 200
block in log level uucp.debug quick from 172.16.0.0/12 to any group 200
block in log level uucp.debug quick from 192.0.2.0/24 to any group 200
block in log level uucp.debug quick from 192.168.0.0/16 to any group 200
block in log level uucp.debug quick from 169.254.0.0/16 to any group 200
block in log level uucp.debug quick from 240.0.0.0/4 to any group 200
# Block anything else and allow only a selected few
block return-rst in log level uucp.debug proto tcp all group 200
block in log level uucp.debug proto udp all group 200
# Log these ports in a different logfile
block return-rst in log level uucp.info proto tcp from any to any port < 1025 group 200
block in log level uucp.info proto udp from any to any port < 1025 group 200
# The selected few...
pass in proto tcp from any to 213.84.1.157 port = 21 group 200
pass in proto tcp from any to 213.84.1.157 port = 22 group 200
pass in proto tcp from any to 213.84.1.157 port = 25 group 200
pass in proto tcp/udp from any to 213.84.1.157 port = 53 group 200
pass in proto tcp from any to 213.84.1.157 port = 80 group 200
pass in proto tcp from any to 213.84.1.157 port = 113 group 200
pass in proto tcp from any to 213.84.1.157 port = 143 group 200
pass in proto tcp from any to 213.84.1.157 port = 443 group 200
pass in proto tcp from any to 213.84.1.157 port = 993 group 200
pass in proto ipv6 all group 200
pass in proto icmp all group 200
pass in proto udp from 194.109.6.66 port = 53 to any group 200
pass in proto udp from 194.109.9.99 port = 53 to any group 200
# Group 250 (outgoing ng0)
# Make sure outbound connections can receive...
pass out proto tcp all flags S keep state group 250
pass out proto udp all keep state group 250
pass out proto icmp all keep state group 250
pass out proto ipv6 all group 250
pass out proto tcp from 213.84.1.157 port 20 >< 23 to any group 250
pass out proto tcp from 213.84.1.157 port = 25 to any group 250
pass out proto tcp from 213.84.1.157 port = 80 to any group 250
pass out proto tcp from 213.84.1.157 port = 113 to any group 250
pass out proto tcp from 213.84.1.157 port = 143 to any group 250
pass out proto tcp from 213.84.1.157 port = 443 to any group 250
pass out proto tcp from 213.84.1.157 port = 993 to any group 250
# Block outgoing windows net'orking
block out log level uucp.debug proto tcp/udp from any to any port 134 >< 140 group 250
# Block outgoing RFC 1918 addresses
block out log level uucp.debug from 192.168.10.0/24 to 10.0.0.0/8 group 250
block out log level uucp.debug from 192.168.11.0/24 to 10.0.0.0/8 group 250
block out log level uucp.debug from 192.168.10.0/24 to 172.16.0.0/12 group 250
block out log level uucp.debug from 192.168.11.0/24 to 172.16.0.0/12 group 250
# Group 300 (rl0)
pass in all group 300
# Group 400 (rl1)
pass in all group 400
# Group 500 (ed0)
pass in all group 500
Hope this helps,
Martijn
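The ruleset above only makes sense once you know how ipf picks a verdict: rules are scanned in order, the LAST matching rule wins, "quick" stops the scan, and a matching "head N" rule hands the packet to group N (whose rules are scanned the same way, with the head rule's own action as the fallback when nothing in the group matches). That is why "block ... proto tcp all group 200" followed by "pass in proto tcp ... port = 22 group 200" lets SSH through, and why the ipv6/icmp passes sit after the blocks. The following is an added example, written for this page and not code from Martijn's post or from the ipf project: a small Python evaluator for the subset of ipf syntax used above, loaded with a constructed subset of the posted rules, that reports which rule decides a packet's fate. It assumes only the standard library; "flags S" is simplified to "exactly SYN set" (ipf's default mask compares all flags), and the no-match default is ipf's compiled-in "pass".

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Port comparisons that appear in the post: "= 22", "< 1025", "20 >< 23".
PORT_OPS = {"=": lambda p, a, b: p == a, "<": lambda p, a, b: p < a,
            ">": lambda p, a, b: p > a, "><": lambda p, a, b: a < p < b}

@dataclass
class Endpoint:
    net: Optional[ipaddress.IPv4Network] = None   # None means "any"
    op: Optional[str] = None                      # port comparison, if any
    a: int = 0
    b: int = 0

    def matches(self, ip, port):
        if self.net is not None and ipaddress.ip_address(ip) not in self.net:
            return False
        if self.op is None:
            return True
        return port is not None and PORT_OPS[self.op](port, self.a, self.b)

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: str                     # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None        # "tcp", "udp", "tcp/udp", "icmp", ...
    src: Endpoint = field(default_factory=Endpoint)
    dst: Endpoint = field(default_factory=Endpoint)
    flags: Optional[frozenset] = None  # simplified: packet flags must equal these
    head: Optional[int] = None
    group: int = 0                     # 0 is the top-level (ungrouped) list
    text: str = ""

    def matches(self, pkt):
        if self.direction != pkt.direction or (self.iface and self.iface != pkt.iface):
            return False
        if self.proto is not None and pkt.proto not in self.proto.split("/"):
            return False
        if self.flags is not None and pkt.flags != self.flags:
            return False
        return self.src.matches(pkt.src, pkt.sport) and self.dst.matches(pkt.dst, pkt.dport)

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()

def _parse_endpoint(toks, i):
    ep = Endpoint(None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False))
    i += 1
    if i < len(toks) and toks[i] == "port":
        if toks[i + 1] in PORT_OPS:              # "port = 22", "port < 1025"
            ep.op, ep.a, i = toks[i + 1], int(toks[i + 2]), i + 3
        else:                                    # "port 20 >< 23"
            ep.a, ep.op, ep.b, i = int(toks[i + 1]), toks[i + 2], int(toks[i + 3]), i + 4
    return ep, i

def parse_rule(line):
    toks = line.split()
    i = 2 if toks[1] == "return-rst" else 1      # return-rst changes the reply, not the verdict
    rule = Rule(action=toks[0], direction=toks[i], text=line)
    i += 1
    while i < len(toks):
        t = toks[i]
        if t in ("log", "all"):
            i += 1
        elif t in ("level", "keep"):             # "level uucp.debug", "keep state"
            i += 2
        elif t == "quick":
            rule.quick, i = True, i + 1
        elif t in ("from", "to"):
            ep, i = _parse_endpoint(toks, i + 1)
            setattr(rule, "src" if t == "from" else "dst", ep)
        elif t == "flags":
            rule.flags, i = frozenset(toks[i + 1].split("/")[0]), i + 2
        elif t in ("on", "proto"):
            setattr(rule, "iface" if t == "on" else "proto", toks[i + 1]); i += 2
        elif t in ("head", "group"):
            setattr(rule, t, int(toks[i + 1])); i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule); last match wins, quick stops."""
    groups = defaultdict(list)
    for r in rules:
        groups[r.group].append(r)

    def walk(gid):
        result = None
        for r in groups[gid]:
            if not r.matches(pkt):
                continue
            result = (r.action, r.text)          # head rule's action is the group fallback
            if r.head is not None:
                sub, sub_stop = walk(r.head)
                result = sub or result
                if sub_stop:
                    return result, True
            if r.quick:
                return result, True
        return result, False

    return walk(0)[0] or ("pass", "<no matching rule: ipf default>")

# Constructed subset of the rules in the post, kept in their original order.
RULES = load_rules("""
block in quick on ng0 all head 200
block out quick on ng0 all head 250
block in quick on rl0 all head 300
block in log level uucp.debug quick from 10.0.0.0/8 to any group 200
block return-rst in log level uucp.debug proto tcp all group 200
block in log level uucp.debug proto udp all group 200
pass in proto tcp from any to 213.84.1.157 port = 22 group 200
pass in proto icmp all group 200
pass in proto udp from 194.109.6.66 port = 53 to any group 200
pass out proto tcp all flags S keep state group 250
pass out proto tcp from 213.84.1.157 port 20 >< 23 to any group 250
block out log level uucp.debug from 192.168.10.0/24 to 10.0.0.0/8 group 250
pass in all group 300
""")

if __name__ == "__main__":
    for pkt in (Packet("in", "ng0", "tcp", "1.2.3.4", "213.84.1.157", 40000, 22, frozenset("S")),
                Packet("in", "ng0", "tcp", "10.1.2.3", "213.84.1.157", 40000, 22, frozenset("S")),
                Packet("out", "ng0", "tcp", "192.168.10.5", "10.0.0.1", 5000, 445, frozenset("S"))):
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, "=>", evaluate(RULES, pkt))
```

Two packets are worth tracing by hand against the post's rules: an inbound SYN to port 22 on ng0 is matched by the "block ... proto tcp all" rule first and the "pass ... port = 22" rule last, so it passes; an outbound SYN from 192.168.10.5 to 10.0.0.1 is matched by "pass out proto tcp all flags S" and then by the later RFC 1918 block, so it is blocked. A packet with a protocol none of group 200's rules mention falls back to the quick head rule and is blocked.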