# $FreeBSD: src/share/examples/ipfilter/firewall.1,v 1.1.2.2 2002/12/29 16:35:38 schweikh Exp $
# $DragonFly: src/share/examples/ipfilter/firewall.1,v 1.2 2003/06/17 04:36:57 dillon Exp $
#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
# Pass any packets not explicitly mentioned by subsequent rules.
#
# ipf applies the LAST matching rule unless a matching rule says "quick",
# so these two default-pass rules belong at the top: a "pass" rule placed
# at the end would override every block rule below that lacks "quick".
# This is a default-allow policy; only the specific holes listed below
# are closed.
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside.)
#
# Note: "localhost" is resolved by name and covers 127.0.0.1 only; use
# 127.0.0.0/8 instead to reject the whole loopback block.
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
#
# These rules are not "quick": they only take effect because no later
# rule passes the same traffic again.
#
# RPC portmapper (sunrpc, port 111, resolved via /etc/services)
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
# NFS (port 2049)
block in log on ppp0 proto tcp/udp from any to any port = 2049
# X11 display :0 (port 6000)
block in log on ppp0 proto tcp from any to any port = 6000
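# The block below is an added example, not code from the ipfilter
# distribution or from this FreeBSD example: a small Python model of how
# ipf walks the rule set above (last match wins, "quick" ends the walk),
# run over constructed packets. It assumes 192.168.4.1 as an inside host,
# 203.0.113.9 as an outside address, and a fixed resolution of "sunrpc"
# and "localhost"; the parser handles only the rule forms used in this
# file and is not ipf's own parser.

```python
# Added example, not ipfilter's own code: a model of how ipf walks a rule
# set, run over the rules above and a few constructed packets. It reproduces
# the semantics that matter when reading this file: the LAST matching rule
# decides, unless a matching rule carries "quick", which ends the walk at once.
import ipaddress

SERVICES = {"sunrpc": 111}   # ipf would consult /etc/services; fixed here
LOCALHOST = "127.0.0.1/32"   # what the name "localhost" resolves to

RULES_TEXT = """
pass out from any to any
pass in from any to any
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
"""

def _net(token):
    # 'any' matches everything (None); 'localhost' is a single address here
    if token == "any":
        return None
    return ipaddress.ip_network(LOCALHOST if token == "localhost" else token)

def parse_rule(line):
    """Turn one ipf rule line (subset of the grammar) into match criteria."""
    t = line.split()
    r = dict(action=t[0], dir=t[1], log=False, quick=False, iface=None, proto=None,
             src=None, dst=None, dport=None, icmp_type=None, short=False)
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "quick"):
            r[w] = True
        elif w == "on":
            r["iface"] = t[i + 1]; i += 1
        elif w == "proto":                               # "tcp/udp" means either
            r["proto"] = set(t[i + 1].split("/")); i += 1
        elif w == "from":
            r["src"] = _net(t[i + 1]); i += 1
        elif w == "to":
            r["dst"] = _net(t[i + 1]); i += 1
        elif w == "port":                                # only the "port = N" form
            r["dport"] = SERVICES.get(t[i + 2]) or int(t[i + 2]); i += 2
        elif w == "icmp-type":
            r["icmp_type"] = t[i + 1]; i += 1
        elif w == "with":                                # "with short": short fragment
            r["short"] = t[i + 1] == "short"; i += 1
        i += 1                                           # "all" adds no criteria
    return r

def matches(r, p):
    """True if packet p satisfies every criterion that rule r specifies."""
    return (r["dir"] == p["dir"]
            and (r["iface"] is None or r["iface"] == p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and (r["dport"] is None or p.get("dport") == r["dport"])
            and (r["icmp_type"] is None or p.get("icmp_type") == r["icmp_type"])
            and (not r["short"] or p.get("short", False)))

def evaluate(rules, p):
    """Return (action, index of the deciding rule, logged) for packet p: the
    last match wins unless a matching rule is 'quick'; no match means pass."""
    verdict = ("pass", None, False)
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict = (r["action"], i, r["log"])
            if r["quick"]:
                break
    return verdict

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

def pass_rules_last():
    """Same rules with the two default 'pass' rules moved to the end, a common
    mistake: under last-match they then override every block that lacks 'quick'."""
    return RULES[2:] + RULES[:2]

def pkt(src, dport=None, proto="tcp", iface="ppp0", **extra):
    """Constructed inbound packet (not captured traffic) aimed at an inside host."""
    return dict(dir="in", iface=iface, proto=proto, src=src, dst="192.168.4.1",
                dport=dport, **extra)

SAMPLE_PACKETS = {
    "spoofed_inside":   pkt("192.168.4.7", 22),           # inside address on ppp0
    "spoofed_loopback": pkt("127.0.0.2", 22),             # not 127.0.0.1: slips past
    "nfs_outside":      pkt("203.0.113.9", 2049, "udp"),
    "portmap_outside":  pkt("203.0.113.9", 111),
    "http_outside":     pkt("203.0.113.9", 80),
    "icmp_redirect":    pkt("203.0.113.9", proto="icmp", icmp_type="redir"),
    "short_fragment":   pkt("203.0.113.9", short=True),
    "nfs_inside":       pkt("192.168.4.7", 2049, "udp", iface="ed0"),
}
```

# evaluate(RULES, SAMPLE_PACKETS["spoofed_loopback"]) returns ("pass", 1, False):
# a packet from 127.0.0.2 is decided by the default "pass in" rule because
# "from localhost" covers 127.0.0.1 alone. evaluate(pass_rules_last(),
# SAMPLE_PACKETS["nfs_outside"]) returns ("pass", 10, False): with the two
# pass rules moved to the bottom, the non-quick NFS block is overridden by
# the later match, while the quick spoofing rules still block as before.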