################################################################################
################################################################################
#
# IPF Ruleset
#############
#
# File: /etc/ipf.rules
#
# Description: a firewall ruleset loaded using 'ipf -Fa -f /etc/ipf.rules'
#
# ruleset start:
################

# loopback in/out:
pass in quick on lo0 all
pass out quick on lo0 all

# our netblock:
pass in quick on fxp0 from 213.152.51.192/29 to 213.152.51.194
pass out quick on fxp0 from 213.152.51.194 to 213.152.51.192/29

## no spoofing:
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 255.255.255.255/32 to any
block in log quick on fxp0 from 0.0.0.0/8 to any
block in log quick on fxp0 from 0.0.0.0/32 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block out log quick on fxp0 from any to 127.0.0.0/8
block out log quick on fxp0 from any to 192.168.0.0/16
block out log quick on fxp0 from any to 172.16.0.0/12
block out log quick on fxp0 from any to 10.0.0.0/8
block out log quick on fxp0 from any to 255.255.255.255/32
block out log quick on fxp0 from any to 0.0.0.0/8
block out log quick on fxp0 from any to 0.0.0.0/32
block out log quick on fxp0 from any to 169.254.0.0/16
block out log quick on fxp0 from any to 192.0.2.0/24
block out log quick on fxp0 from any to 204.152.64.0/23
block out log quick on fxp0 from any to 224.0.0.0/3

## ssh incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 22 flags S keep state
# (a count rule placed after a matching quick pass rule is never reached)
count in quick on fxp0 proto tcp from any to 213.152.51.194 port = 22 flags S keep state
#
## http incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 80 flags S keep state

# ftp incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 21 flags S keep state
count in quick on fxp0 proto tcp from any to 213.152.51.194 port = 21 flags S keep state
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port 49152 >< 65535 flags S keep state

# smtp incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 25 flags S keep state

# pop incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 110 flags S keep state

# dns incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 53 flags S keep state
pass in quick on fxp0 proto udp from any to 213.152.51.194 port = 53

# ircd incoming:
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port 6666 >< 7001 flags S keep state

# block stuff bound for us from ircd (proxychecks):
block in quick on fxp0 proto tcp from any to 213.152.51.194 port = 3128
block in quick on fxp0 proto tcp from any to 213.152.51.194 port = 1080
block in quick on fxp0 proto tcp from any to 213.152.51.194 port = 8080

# hlds incoming:
pass in quick on fxp0 proto udp from any to 213.152.51.194 port = 27015
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 27015 flags S keep state

# external iface in:
# restricted icmp:
#pass in quick on fxp0 proto icmp all
pass in quick on fxp0 proto icmp all icmp-type 0
pass in quick on fxp0 proto icmp all icmp-type 8
pass in quick on fxp0 proto icmp all icmp-type 11
pass in quick on fxp0 proto icmp all icmp-type 14

# external iface out:
# icmp out:
pass out quick on fxp0 proto icmp from 213.152.51.194 to any

# UDP out:
pass out quick on fxp0 proto udp from 213.152.51.194 to any keep state keep frags

# TCP out:
#pass out proto tcp from 213.152.51.194 to any keep state
# add this rule to keep state on irc client connections outgoing
# (stop logging proxy checks from ircd):
# (>< matches ports strictly between 6666 and 7001, as in the ircd incoming rule)
#pass out quick proto tcp from 213.152.51.194 to any port 6666 >< 7001 keep state
pass out quick proto tcp from 213.152.51.194 to any flags S/SA keep state
pass out quick proto tcp from 213.152.51.194 to any keep state

#get rid of everything else
# note the icmp shiznit don't work if type 8 is allowed above
# (echo requests already match the quick pass rule for icmp-type 8, so the
# return-icmp block rule below never sees them)
block return-rst in log first level local3.info quick on fxp0 proto tcp from any to 213.152.51.194 flags S
block in log first level local3.info quick on fxp0 proto tcp from any to 213.152.51.194
block return-icmp-as-dest(port-unr) in log first level local3.info quick on fxp0 proto udp from any to 213.152.51.194
block return-icmp-as-dest(host-unr) in log first level local3.info quick on fxp0 proto icmp from any to 213.152.51.194
block in log first level local3.info quick on fxp0 from any to 213.152.51.194

################################################################################
################################################################################
# ruleset end
#
# cf.
#
# - IPF Site Proper
#
# - Good article on rebuilding kernel for security optimization
#
# - mirror of http://www.obfuscation.org/ipf/ - currently down
#   links to ipf HOWTO and FAQ, with thanks
#
################################################################################
################################################################################
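As an added check that is not part of the original ruleset: this Python script models ipf's first-match-wins evaluation of `quick` rules over a constructed subset of the rules above, and shows on sample inbound packets that an echo request is taken by the `icmp-type 8` pass rule before the return-icmp block rule can see it (the point of the note in the ruleset), and that the `count` rule placed after the `pass ... quick` rule for port 22 is never reached. Assumed here: the outside host 198.51.100.7 and the dict-based packet format are constructed for the demo; TCP flags and state are not modelled.

```python
import ipaddress
import re

# Constructed subset of the ruleset above, in the original order: ipf walks the list top
# to bottom and the first matching rule marked "quick" decides the packet.
RULESET = """
pass in quick on fxp0 proto tcp from any to 213.152.51.194 port = 22 flags S keep state
count in quick on fxp0 proto tcp from any to 213.152.51.194 port = 22 flags S keep state
block in quick on fxp0 proto tcp from any to 213.152.51.194 port = 3128
pass in quick on fxp0 proto icmp all icmp-type 8
block return-icmp-as-dest(port-unr) in log first level local3.info quick on fxp0 proto udp from any to 213.152.51.194
block return-icmp-as-dest(host-unr) in log first level local3.info quick on fxp0 proto icmp from any to 213.152.51.194
block in log first level local3.info quick on fxp0 from any to 213.152.51.194
"""
def parse_rule(line):  # match fields of the ipf(5) subset used here; TCP flags are ignored
    tok = line.split()
    rule = {"text": line, "action": tok[0], "dir": "in" if "in" in tok else "out",
            "quick": "quick" in tok, "src": "any", "dst": "any", "ports": None, "icmp_type": None,
            "iface": tok[tok.index("on") + 1] if "on" in tok else None,
            "proto": tok[tok.index("proto") + 1] if "proto" in tok else None}
    if m := re.search(r"\bfrom (\S+) to (\S+)", line):
        rule["src"], rule["dst"] = m.groups()
    if m := re.search(r"\bport = (\d+)", line):
        rule["ports"] = (int(m[1]), int(m[1]))
    if m := re.search(r"\bport (\d+) >< (\d+)", line):  # >< excludes both end points
        rule["ports"] = (int(m[1]) + 1, int(m[2]) - 1)
    if m := re.search(r"\bicmp-type (\d+)", line):
        rule["icmp_type"] = int(m[1])
    return rule

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(rule, pkt):  # pkt: dict with dir, iface, proto, src, dst and optional dport / icmp_type
    return (rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"])
            and (rule["ports"] is None or rule["ports"][0] <= pkt.get("dport", -1) <= rule["ports"][1])
            and rule["icmp_type"] in (None, pkt.get("icmp_type")))

def first_match(rules, pkt):  # the rule ipf applies: the first matching rule marked quick
    return next((r["text"] for r in rules if r["quick"] and matches(r, pkt)), None)
def shadowed(rules, pkts):  # rules no sample packet ever reaches: an earlier quick rule took it
    return [r["text"] for r in rules if r["text"] not in {first_match(rules, p) for p in pkts}]
def pkt(proto, **kw):  # constructed inbound packet from an outside host to the firewall
    return {"dir": "in", "iface": "fxp0", "proto": proto, "src": "198.51.100.7", "dst": "213.152.51.194", **kw}

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
SAMPLES = [pkt("tcp", dport=22), pkt("tcp", dport=3128), pkt("icmp", icmp_type=8),
           pkt("tcp", dport=9999), pkt("udp", dport=9999), pkt("icmp", icmp_type=3)]
```

Running `shadowed(RULES, SAMPLES)` returns only the port 22 `count` rule, and `first_match(RULES, pkt("icmp", icmp_type=8))` returns the icmp-type 8 pass rule rather than the host-unr block.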