# After editing this file, check the syntax without loading it:
#   ipf -n -f /etc/ipf.rules
# then flush the active rule set and load the new one:
#   ipf -F a -f /etc/ipf.rules
#
# ipf semantics that shape the order of this file: a rule marked "quick"
# ends evaluation at the first match; a rule without "quick" is overridden
# by any later matching rule; a packet matched by no rule at all is passed.

# Block everything inbound unless it is allowed later
block in on tun0 all

# Allow everything out quickly
pass out quick on tun0 all keep state
# To block everything out unless it is later permitted, use instead
# block out on tun0 all

# LAN: xl2
# Allow everything on the LAN to move freely
pass out quick on xl2 all
pass in quick on xl2 all

# Allow everything on the loopback interface to move freely
pass in quick on lo0 all
pass out quick on lo0 all

# --- Now everything on tun0, the PPP interface (ie ADSL on xl1)

# Inbound sanity checks come first. Every "pass in quick" service rule
# further down ends evaluation at the first match, so these blocks are only
# effective if they precede the service rules; placed after them they would
# never see a spoofed packet aimed at an allowed port.

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on tun0 from 192.168.0.0/16 to any   # RFC 1918 private IP
block in quick on tun0 from 172.16.0.0/12 to any    # RFC 1918 private IP
block in quick on tun0 from 10.0.0.0/8 to any       # RFC 1918 private IP
block in quick on tun0 from 127.0.0.0/8 to any      # loopback
block in quick on tun0 from 0.0.0.0/8 to any        # "this network" (RFC 1122), never a valid source on the wire
block in quick on tun0 from 169.254.0.0/16 to any   # link-local / DHCP auto-config
block in quick on tun0 from 192.0.2.0/24 to any     # TEST-NET, reserved for documentation
# 204.152.64.0/23 was listed in RFC 3330 as the Sun cluster interconnect but
# has since been returned to the public pool, so blocking it drops legitimate
# traffic; the old rule is kept here disabled. Static bogon lists go stale:
# review them against the current IANA special-purpose address registry.
# block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any      # Class D multicast and Class E reserved (224.0.0.0 to 255.255.255.255)

# Block fragments
block in quick on tun0 all with frags
# Block short tcp packets (header too short to carry the port fields)
block in quick on tun0 proto tcp all with short
# Block source routed packets (also caught by the "with ipopts" rule below)
block in quick on tun0 all with opt lsrr
block in quick on tun0 all with opt ssrr
# Block nmap OS fingerprint / Xmas-style probes: FIN, URG and PSH set with
# SYN, RST and ACK clear, a combination no real TCP stack sends
block in log first quick on tun0 proto tcp from any to any flags FUP
# Block anything carrying IP options
block in quick on tun0 all with ipopts
# Block public pings (disabled here because echo requests are permitted below)
# block in quick on tun0 proto icmp all icmp-type 8
# Reject ident with a RST instead of dropping silently, so IRC and SMTP
# servers that probe port 113 get an immediate answer rather than stalling
# the session until their probe times out
block return-rst in quick on tun0 proto tcp from any to any port = 113

# Outbound services. "flags S keep state" admits only the initial SYN and
# creates a state entry that then carries the rest of the connection in
# both directions, so no separate inbound rule is needed for replies.

# FTP (control channel only; passive mode works through the state entry,
# active mode needs ipnat's ftp proxy because the data connection arrives inbound)
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state
# SSH
pass out quick on tun0 proto tcp from any to any port = 22 flags S keep state
# telnet
pass out quick on tun0 proto tcp from any to any port = 23 flags S keep state
# SMTP
pass out quick on tun0 proto tcp from any to any port = 25 flags S keep state
# whois
pass out quick on tun0 proto tcp from any to any port = 43 flags S keep state
# DNS: outbound queries are covered by the state entries; the two "pass in"
# rules expose a DNS server on this host to the whole internet and should be
# removed if the host does not serve zones to outside clients
pass out quick on tun0 proto tcp from any to any port = 53 flags S keep state
pass out quick on tun0 proto udp from any to any port = 53 keep state
pass in quick on tun0 proto tcp from any to any port = 53 flags S keep state
pass in quick on tun0 proto udp from any to any port = 53 keep state
# HTTP
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state
# POP (disabled)
# pass out quick on tun0 proto tcp from any to any port = 110 flags S keep state
# NNTP
pass out quick on tun0 proto tcp from any to any port = 119 flags S keep state
# NTP
pass out quick on tun0 proto udp from any to any port = 123 keep state
# HTTPS
pass out quick on tun0 proto tcp from any to any port = 443 flags S keep state
# cvsup
pass out quick on tun0 proto tcp from any to any port = 5999 flags S keep state
# IRC
pass out quick on tun0 proto tcp from any to any port = 6667 flags S keep state
# BitTorrent: inbound peer connections are accepted as well; "flags S" is
# added so that only a fresh SYN, not an arbitrary mid-stream segment, can
# create a state entry
pass out quick on tun0 proto tcp from any to any port = 6881 flags S keep state
pass in quick on tun0 proto tcp from any to any port = 6881 flags S keep state

# ping (echo request; the reply rides on the state entry)
pass in quick on tun0 proto icmp from any to any icmp-type 8 keep state
pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state
# traceroute (time exceeded)
pass in quick on tun0 proto icmp from any to any icmp-type 11 keep state
pass out quick on tun0 proto icmp from any to any icmp-type 11 keep state
# Log and drop every other inbound ICMP
block in log quick on tun0 proto icmp from any to any

# Block and log only the first occurrence of everything else that's trying
# to get out. This is only reached if the "pass out quick on tun0 all" rule
# above is replaced by the commented-out "block out" variant.
block out log first quick on tun0 all

# Block and log only the first occurrence of all remaining traffic
# coming into the firewall. Logging only the first occurrence stops a
# denial of service attack aimed at filling up your log file space.
# This rule enforces the block-all-by-default logic.
block in log first quick on tun0 all
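Because ipf stops at the first matching "quick" rule, where the anti-spoof blocks sit relative to the "pass in quick" service rules decides whether a packet with a forged RFC 1918 source is accepted on an open port. The script below is an added illustration written for this page; it is not IPFilter code and not part of the ruleset. It implements a toy evaluator for the rule shapes used above (pass/block, in/out, log, quick, on, proto, from/to or all, port) and replays a constructed four-rule excerpt, once in the order "service rule before anti-spoof block" and once the other way round, against constructed packets. The names PAGE_ORDER, FIXED_ORDER, SPOOFED_DNS, LEGIT_DNS, INBOUND_HTTP, decide and evaluate are this example's own.

```python
"""Toy first-match evaluator for a subset of ipf rule syntax.

Added illustration: this is not IPFilter code and not part of the ruleset.
It understands only the rule shape used in that file:
  pass|block in|out [log [first]] [quick] on IFACE [proto P]
       (from SRC to DST | all) [port = N]  ...trailing words are ignored...
and models three ipf semantics: last match wins, "quick" ends evaluation,
and a packet matched by no rule is passed.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+log(?:\s+first)?)?"
    r"(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)|(?P<all>all))"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
)


def _net(token):
    """'any' (or an 'all' rule) matches every address; otherwise a CIDR/host."""
    return None if token in (None, "any") else ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    return {
        "action": m.group("action"),
        "dir": m.group("dir"),
        "quick": m.group("quick") is not None,
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "src": _net(m.group("src")),
        "dst": _net(m.group("dst")),
        "port": int(m.group("port")) if m.group("port") else None,
        "text": line.strip(),
    }


def load(text):
    """Parse a ruleset, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, text of the deciding rule). The last matching rule
    wins, unless a matching rule is 'quick', which ends the walk at once."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    if winner is None:
        return "pass", None          # ipf default for a packet no rule matches
    return winner["action"], winner["text"]


# Constructed excerpts. PAGE_ORDER puts the DNS service rule ahead of the
# anti-spoof block; FIXED_ORDER puts the anti-spoof block first.
PAGE_ORDER = """
block in on tun0 all
pass in quick on tun0 proto udp from any to any port = 53 keep state
block in quick on tun0 from 10.0.0.0/8 to any
block in log first quick on tun0 all
"""
FIXED_ORDER = """
block in on tun0 all
block in quick on tun0 from 10.0.0.0/8 to any
pass in quick on tun0 proto udp from any to any port = 53 keep state
block in log first quick on tun0 all
"""

# Constructed packets arriving on tun0 (addresses are documentation ranges).
SPOOFED_DNS = {"dir": "in", "iface": "tun0", "proto": "udp",
               "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 53}
LEGIT_DNS = {"dir": "in", "iface": "tun0", "proto": "udp",
             "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 53}
INBOUND_HTTP = {"dir": "in", "iface": "tun0", "proto": "tcp",
                "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 80}


def decide(ruleset_text, pkt):
    """Convenience wrapper: the action ipf would take on pkt under ruleset_text."""
    return evaluate(load(ruleset_text), pkt)[0]


if __name__ == "__main__":
    for name, text in (("page order", PAGE_ORDER), ("fixed order", FIXED_ORDER)):
        for label, pkt in (("spoofed DNS", SPOOFED_DNS), ("legit DNS", LEGIT_DNS),
                           ("inbound HTTP", INBOUND_HTTP)):
            action, rule = evaluate(load(text), pkt)
            print(f"{name:12} {label:13} -> {action:5} by: {rule}")
```

With the service rule first, the spoofed packet is passed by the DNS rule before the 10.0.0.0/8 block is ever consulted; with the anti-spoof block first it is dropped, while the legitimate query still passes and an inbound HTTP SYN still falls through to the final catch-all block. The evaluator ignores "with", "flags" and "keep state" clauses, so it is a check on ordering logic only, not a substitute for loading the file with ipf -n.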