#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything.  This may be too much logging
# (especially for ed0) and needs to be further refined.
#
# A rule with "head N" starts group N; rules tagged "group N" are only
# consulted when that head rule matches, so the per-interface heads below
# decide which of the later group rules a packet can reach at all.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
# (Our own external network must never show up as a source on ppp0.)
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
# "keep state" lets the replies back in without a matching pass rule.
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
pass in log quick proto udp all keep state group 200
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
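To see how the head/group layout of this file actually dispatches a packet, here is an added Python model (not part of the original file and not IP Filter itself) that walks the file's rules with IPF's last-match, quick and head/group semantics, including the UDP pass rule that the "Support all UDP connections" comment describes. The a.b.c.d and w.x.y.z placeholders are replaced by constructed documentation ranges, and log, keep state and "with short" are not modelled.

```python
import ipaddress
# Constructed stand-ins for the file's placeholder networks (documentation ranges).
EXT_NET = "203.0.113.0/24"   # a.b.c.d/24, the ppp0 side
INT_NET = "192.0.2.0/24"     # w.x.y.z/24, the ed0 side

def rule(action, direction, iface=None, proto=None, src="0.0.0.0/0", dst="0.0.0.0/0",
         syn=False, quick=False, head=0, group=0):
    # syn = "flags S/SA"; quick = stop on match; head N opens group N; group N = member of N
    return dict(action=action, dir=direction, iface=iface, proto=proto, src=src, dst=dst,
                syn=syn, quick=quick, head=head, group=group)
def matches(r, p):
    return (p["dir"] == r["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and (not r["syn"] or p.get("flags") == "S")
            and ipaddress.ip_address(p["src"]) in ipaddress.ip_network(r["src"])
            and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(r["dst"]))

# The file's rules in file order ("log", "keep state" and "with short" are not modelled).
RULES = [
    rule("block", "in", "ppp0", head=100), rule("block", "out", "ppp0", head=150),
    rule("block", "in", "ed0", src=INT_NET, head=200), rule("block", "out", "ed0", head=250),
    rule("block", "in", src="10.0.0.0/8", quick=True, group=100),
    rule("block", "in", src="192.168.0.0/16", quick=True, group=100),
    rule("block", "in", src="172.16.0.0/12", quick=True, group=100),
    rule("block", "in", src=EXT_NET, quick=True, group=100),    # anti-spoofing
    rule("block", "in", src="127.0.0.0/8", quick=True, group=100),
    rule("block", "in", dst="127.0.0.0/8", quick=True, group=100),
    rule("block", "in", src="127.0.0.0/8", quick=True, group=200),
    rule("block", "in", dst="127.0.0.0/8", quick=True, group=200),
    rule("pass", "in", "lo0", quick=True), rule("pass", "out", "lo0", quick=True),
    rule("pass", "in", proto="tcp", syn=True, quick=True, group=200),
    rule("pass", "in", proto="udp", quick=True, group=200),   # rule the UDP comment describes
    rule("pass", "in", proto="icmp", quick=True, group=200),
    rule("block return-rst", "in", proto="tcp", syn=True, group=100),
    rule("block return-icmp(net-unr)", "in", proto="udp", group=100),
]

def evaluate(p, group=0):
    # Returns (verdict, stopped): last match wins, a quick match ends processing, a head
    # match evaluates its group (whose result overrides the head's own action) and then
    # continues; verdict None = nothing matched, so IPF's compiled-in default applies.
    verdict, stop = None, False
    for r in (r for r in RULES if r["group"] == group):
        if not matches(r, p):
            continue
        verdict = r["action"]
        if r["quick"]:
            return verdict, True
        if r["head"]:
            sub, stop = evaluate(p, r["head"])
            verdict = sub or verdict
            if stop:
                return verdict, True
    return verdict, False
```

Note that an inbound packet on ed0 whose source is outside w.x.y.z/24 matches no rule at all (the head 200 rule is source-restricted), so it falls through to the compiled-in default rather than to "block"; the real file is best checked for such cases with ipftest.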