003 File Manager
Current Path:
/usr/src/share/examples/ipfilter
usr
/
src
/
share
/
examples
/
ipfilter
/
📁
..
📄
Makefile
(923 B)
📄
Makefile.depend
(176 B)
📄
README
(374 B)
📄
example.14
(2.05 KB)
📄
examples.txt
(18.47 KB)
📄
firewall.1
(1.36 KB)
📄
firewall.2
(3.01 KB)
📄
ipf-howto.txt
(112.46 KB)
📄
ipf.conf.permissive
(1.23 KB)
📄
ipf.conf.restrictive
(3.99 KB)
📄
ipf.conf.sample
(783 B)
📄
ipnat.conf.sample
(126 B)
📄
rules.txt
(5.1 KB)
Editing: firewall.2
# $FreeBSD$ # # This is an example of a fairly heavy firewall used to keep everyone # out of a particular network while still allowing people within that # network to get outside. # # The example assumes it is running on a gateway with interface ppp0 # attached to the outside world, and interface ed0 attached to # network 192.168.4.0 which needs to be protected. # # # Pass any packets not explicitly mentioned by subsequent rules # pass out from any to any pass in from any to any # # Block any inherently bad packets coming in from the outside world. # These include ICMP redirect packets, IP fragments so short the # filtering rules won't be able to examine the whole UDP/TCP header, # and anything with IP options. # block in log quick on ppp0 proto icmp from any to any icmp-type redir block in log quick on ppp0 proto tcp/udp all with short block in log quick on ppp0 from any to any with ipopts # # Block any IP spoofing attempts. (Packets "from" our network # shouldn't be coming in from outside). # block in log quick on ppp0 from 192.168.4.0/24 to any block in log quick on ppp0 from localhost to any block in log quick on ppp0 from 0.0.0.0/32 to any block in log quick on ppp0 from 255.255.255.255/32 to any # # Block all incoming UDP traffic except talk and DNS traffic. NFS # and portmap are special-cased and logged. # block in on ppp0 proto udp from any to any block in log on ppp0 proto udp from any to any port = sunrpc block in log on ppp0 proto udp from any to any port = 2049 pass in on ppp0 proto udp from any to any port = domain pass in on ppp0 proto udp from any to any port = talk pass in on ppp0 proto udp from any to any port = ntalk # # Block all incoming TCP traffic connections to known services, # returning a connection reset so things like ident don't take # forever timing out. Don't log ident (auth port) as it's so common. # block return-rst in log on ppp0 proto tcp from any to any flags S/SA block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA # # Allow incoming TCP connections to ports between 1024 and 5000, as # these don't have daemons listening but are used by outgoing # services like ftp and talk. For slightly more obscurity (though # not much more security), the second commented out rule can chosen # instead. # pass in on ppp0 proto tcp from any to any port 1024 >< 5000 #pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000 # # Now allow various incoming TCP connections to particular hosts, TCP # to the main nameserver so secondaries can do zone transfers, SMTP # to the mail host, www to the web server (which really should be # outside the firewall if you care about security), and ssh to a # hypothetical machine caled 'gatekeeper' that can be used to gain # access to the protected network from the outside world. # pass in on ppp0 proto tcp from any to ns1 port = domain pass in on ppp0 proto tcp from any to mail port = smtp pass in on ppp0 proto tcp from any to www port = www pass in on ppp0 proto tcp from any to gatekeeper port = ssh
Upload File
Create Folder