# by MJM
# Block everything by default
block in all
block out all

# send packets to rule set organized by group
block in quick on lo0 all head 100
block out quick on lo0 all head 150
block in quick on hme0 all head 200
block out quick on hme0 all head 250
#block in quick on le0 all head 300
#block out quick on le0 all head 350

##### Group 100/150 #####
# Allow loopback packets unrestricted flow.
pass in quick all group 100
pass out quick all group 150

##### Group 200 #####
# Block any inherently bad packets coming in from external networks.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
block in log quick all with ipopts group 200
block in log quick proto icmp all icmp-type redir group 200
block in log quick proto tcp/udp all with short group 200

# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
# reserved for internal use/non internet routable
block in log quick from 10.0.0.0/8 to any group 200
block in log quick from 172.16.0.0/12 to any group 200
block in log quick from 192.168.0.0/16 to any group 200

# reserved by IANA
# see http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
# synced w/ April 6 2001 version
block in log quick from 0.0.0.0/8 to any group 200
block in log quick from 1.0.0.0/8 to any group 200
block in log quick from 2.0.0.0/8 to any group 200
block in log quick from 7.0.0.0/8 to any group 200
block in log quick from 23.0.0.0/8 to any group 200
block in log quick from 27.0.0.0/8 to any group 200
block in log quick from 31.0.0.0/8 to any group 200
block in log quick from 36.0.0.0/8 to any group 200
block in log quick from 37.0.0.0/8 to any group 200
block in log quick from 39.0.0.0/8 to any group 200
block in log quick from 41.0.0.0/8 to any group 200
block in log quick from 42.0.0.0/8 to any group 200
block in log quick from 58.0.0.0/8 to any group 200
block in log quick from 59.0.0.0/8 to any group 200
block in log quick from 60.0.0.0/8 to any group 200
block in log quick from 67.0.0.0/8 to any group 200
block in log quick from 69.0.0.0/8 to any group 200
block in log quick from 70.0.0.0/8 to any group 200
block in log quick from 71.0.0.0/8 to any group 200
block in log quick from 72.0.0.0/8 to any group 200
block in log quick from 73.0.0.0/8 to any group 200
block in log quick from 74.0.0.0/8 to any group 200
block in log quick from 75.0.0.0/8 to any group 200
block in log quick from 76.0.0.0/8 to any group 200
block in log quick from 77.0.0.0/8 to any group 200
block in log quick from 78.0.0.0/8 to any group 200
block in log quick from 79.0.0.0/8 to any group 200
block in log quick from 82.0.0.0/8 to any group 200
block in log quick from 83.0.0.0/8 to any group 200
block in log quick from 84.0.0.0/8 to any group 200
block in log quick from 85.0.0.0/8 to any group 200
block in log quick from 86.0.0.0/8 to any group 200
block in log quick from 87.0.0.0/8 to any group 200
block in log quick from 88.0.0.0/8 to any group 200
block in log quick from 89.0.0.0/8 to any group 200
block in log quick from 90.0.0.0/8 to any group 200
block in log quick from 91.0.0.0/8 to any group 200
block in log quick from 92.0.0.0/8 to any group 200
block in log quick from 93.0.0.0/8 to any group 200
block in log quick from 94.0.0.0/8 to any group 200
block in log quick from 95.0.0.0/8 to any group 200
block in log quick from 96.0.0.0/8 to any group 200
block in log quick from 97.0.0.0/8 to any group 200
block in log quick from 98.0.0.0/8 to any group 200
block in log quick from 99.0.0.0/8 to any group 200
block in log quick from 100.0.0.0/8 to any group 200
block in log quick from 101.0.0.0/8 to any group 200
block in log quick from 102.0.0.0/8 to any group 200
block in log quick from 103.0.0.0/8 to any group 200
block in log quick from 104.0.0.0/8 to any group 200
block in log quick from 105.0.0.0/8 to any group 200
block in log quick from 106.0.0.0/8 to any group 200
block in log quick from 107.0.0.0/8 to any group 200
block in log quick from 108.0.0.0/8 to any group 200
block in log quick from 109.0.0.0/8 to any group 200
block in log quick from 110.0.0.0/8 to any group 200
block in log quick from 111.0.0.0/8 to any group 200
block in log quick from 112.0.0.0/8 to any group 200
block in log quick from 113.0.0.0/8 to any group 200
block in log quick from 114.0.0.0/8 to any group 200
block in log quick from 115.0.0.0/8 to any group 200
block in log quick from 116.0.0.0/8 to any group 200
block in log quick from 117.0.0.0/8 to any group 200
block in log quick from 118.0.0.0/8 to any group 200
block in log quick from 119.0.0.0/8 to any group 200
block in log quick from 120.0.0.0/8 to any group 200
block in log quick from 121.0.0.0/8 to any group 200
block in log quick from 122.0.0.0/8 to any group 200
block in log quick from 123.0.0.0/8 to any group 200
block in log quick from 124.0.0.0/8 to any group 200
block in log quick from 125.0.0.0/8 to any group 200
block in log quick from 126.0.0.0/8 to any group 200
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from 197.0.0.0/8 to any group 200
block in log quick from 201.0.0.0/8 to any group 200
block in log quick from 221.0.0.0/8 to any group 200
block in log quick from 222.0.0.0/8 to any group 200
block in log quick from 223.0.0.0/8 to any group 200
block in log quick from 240.0.0.0/8 to any group 200
block in log quick from 241.0.0.0/8 to any group 200
block in log quick from 242.0.0.0/8 to any group 200
block in log quick from 243.0.0.0/8 to any group 200
block in log quick from 244.0.0.0/8 to any group 200
block in log quick from 245.0.0.0/8 to any group 200
block in log quick from 246.0.0.0/8 to any group 200
block in log quick from 247.0.0.0/8 to any group 200
block in log quick from 248.0.0.0/8 to any group 200
block in log quick from 249.0.0.0/8 to any group 200
block in log quick from 250.0.0.0/8 to any group 200
block in log quick from 251.0.0.0/8 to any group 200
block in log quick from 252.0.0.0/8 to any group 200
block in log quick from 253.0.0.0/8 to any group 200
block in log quick from 254.0.0.0/8 to any group 200
block in log quick from 255.0.0.0/8 to any group 200

######
# example: open up connections from specific external host
# pass in quick from x.x.x.x/32 to any group 200

######
# example: open up high ports for passive ftp clients
# ftp server MUST be set to use this range (i.e. "passive ports"
# option in ftpaccess using Wu-ftpd)
pass in quick proto tcp from any to any port 10000 >< 15000 flags S keep state keep frags group 200

# allow ssh in from any
# other lines left as examples
pass in quick proto tcp from any to any port = ftp flags S keep state keep frags group 200
pass in quick proto tcp from any to any port = 20 flags S keep state keep frags group 200
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 200
pass in quick proto udp from any to any port = 22 keep state group 200
#pass in quick proto tcp from any to any port = telnet flags S keep state keep frags group 200
pass in log quick proto tcp from any to any port = smtp flags S keep state keep frags group 200
#pass in quick proto tcp from any to any port = domain flags S keep state keep frags group 200
#pass in quick proto udp from any to any port = domain keep state group 200
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 200
pass in quick proto tcp from any to any port = 443 flags S keep state keep frags group 200
pass in quick proto tcp from any to any port = 143 flags S keep state keep frags group 200
pass in quick proto tcp from any to any port = 993 flags S keep state keep frags group 200

# allow ping and traceroute to work from internet to ext. interface
pass in quick proto icmp all icmp-type 0 group 200
pass in quick proto icmp all icmp-type 3 group 200
pass in quick proto icmp all icmp-type 8 group 200
pass in quick proto icmp all icmp-type 11 group 200
pass in quick proto udp from any to any port 33000 >< 65535 group 200

# return RST packets for invalid SYN packets to help the other end close
block return-rst in quick proto tcp all group 200
# return ICMP error packets for invalid/unwanted UDP packets
block return-icmp-as-dest(port-unr) in quick proto udp all group 200

##### Group 250 #####
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be going to internet)
block out log quick from any to 192.168.0.0/16 group 250
block out log quick from any to 172.16.0.0/12 group 250
block out log quick from any to 10.0.0.0/8 group 250
block out log quick from any to 127.0.0.0/8 group 250
block out log quick from any to 0.0.0.0/32 group 250

# let all connections out to internet and keep state for return packets
pass out quick proto tcp all keep state group 250
pass out quick proto udp all keep state group 250
pass out quick proto icmp all keep state group 250

#pass in quick all group 300
#pass out quick all group 350
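To see how the head/group layout above actually decides a packet, here is an added Python simulator (my example, not part of the ruleset) that replays ipf's group dispatch and first-quick-match semantics over a constructed subset of the group-200 rules; it assumes hme0 as the external interface, as the ruleset does, and a constructed destination address. The 1.0.0.0/8 case shows the practical caveat with the April 2001 reserved-space list: it also drops traffic from /8s that have since been allocated.

```python
# Added example, not from the original ruleset: simulate ipf's head/group dispatch and
# first-quick-match evaluation over a constructed subset of the page's group-200 rules.
# 'with'/'icmp-type' rules are skipped (they need packet flags); 'log', 'flags', 'keep state' are ignored.
import ipaddress
RULES = """block in quick on hme0 all head 200
block in log quick from 10.0.0.0/8 to any group 200
block in log quick from 1.0.0.0/8 to any group 200
pass in quick proto tcp from any to any port 10000 >< 15000 flags S keep state group 200
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags group 200
block return-rst in quick proto tcp all group 200"""

def parse(line):
    t = line.split('#')[0].split()
    if not t or 'with' in t or 'icmp-type' in t: return None
    r = {'text': ' '.join(t), 'action': t[0], 'dir': 'in' if 'in' in t else 'out', 'quick': 'quick' in t,
         'iface': None, 'proto': None, 'src': 'any', 'dst': 'any', 'ports': None, 'group': 0, 'head': None}
    for i, w in enumerate(t):
        if w == 'on': r['iface'] = t[i + 1]
        elif w == 'proto': r['proto'] = t[i + 1].split('/')            # 'tcp/udp' covers both
        elif w in ('from', 'to'): r['src' if w == 'from' else 'dst'] = t[i + 1]
        elif w in ('group', 'head'): r[w] = int(t[i + 1])
        elif w == 'port' and t[i + 1] == '=': r['ports'] = (int(t[i + 2]),) * 2
        elif w == 'port': r['ports'] = (int(t[i + 1]) + 1, int(t[i + 3]) - 1)  # 'a >< b' excludes both ends
    return r

def matches(r, p):
    in_net = lambda spec, ip: spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return (r['dir'] == p['dir'] and r['iface'] in (None, p['iface'])
            and (r['proto'] is None or p['proto'] in r['proto'])
            and in_net(r['src'], p['src']) and in_net(r['dst'], p['dst'])
            and (r['ports'] is None or r['ports'][0] <= p['dport'] <= r['ports'][1]))

def walk(groups, gid, p, last):
    # Last match wins unless the rule is quick; a matching head rule dispatches into its group,
    # and the head's own quick action stands when nothing inside the group decides.
    for r in filter(lambda x: matches(x, p), groups.get(gid, [])):
        last, final = (r, False) if r['head'] is None else walk(groups, r['head'], p, r)
        if final or r['quick']:
            return last, True
    return last, False

def evaluate(ruleset, p):
    """Return (action, rule text) for packet p; ipf's implicit default when nothing matches is pass."""
    groups = {}
    for r in filter(None, map(parse, ruleset.splitlines())):
        groups.setdefault(r['group'], []).append(r)
    last, _ = walk(groups, 0, p, None)
    return (last['action'], last['text']) if last else ('pass', 'implicit default')
def inbound(src, dport, proto='tcp'):   # constructed packet arriving on hme0 for this host
    return {'dir': 'in', 'iface': 'hme0', 'proto': proto, 'src': src, 'dst': '198.51.100.1', 'dport': dport}
```

A UDP packet that no group rule matches falls back to the head rule's own block, which is what "block everything by default" relies on.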