[rescue] IPFilter experts?

Mike Johnson mike at enoch.org
Mon Nov 11 11:30:26 CST 2002


Bill Bradford [mrbill at mrbill.net] wrote:
> Any ipfilter wizards out there?  I need assistance in changing my
> current config from "block ports I use, and only allow outside access
> to certain ports" to "block everything, only allow certain ports".

You might check the howto at http://www.obfuscation.org/ipf/

But here's a ruleset that might get you going.  Lemmie know if I can
help.

fxp0 is my external interface, fxp1 is the internal.
10.0.0.1/32 is the IP address of our office after it's gone through
another firewall to reach this one.
192.168.5.0/24 is the internal network, which is NATed.

While not a complete example, it should help ya get started.  You should
be able to add new allowed ports pretty easily.

# block all inbound
#   block all traffic
block in log on fxp0 from any to any
#   don't allow echo-replies to leave
block out on fxp0 proto icmp from !10.0.0.1/32 to any

# To allow our internal net to reach the boxes
pass in on fxp0 proto tcp from 10.0.0.1/32 to any flags S keep state
pass in on fxp0 proto udp from 10.0.0.1/32 to any keep state
pass in on fxp0 proto icmp from 10.0.0.1/32 to any keep state

# To allow external boxes to reach ssh
pass in on fxp0 proto tcp from any to 192.168.5.5/32 port = 22 flags S keep state
# To allow external to reach helpdesk server
pass in on fxp0 proto tcp from any to 192.168.5.6/32 port = 22 flags S keep state
pass in on fxp0 proto tcp from any to 192.168.5.6/32 port = 80 flags S keep state
# Allow world access to http on two systems
pass in on fxp0 proto tcp from any to 192.168.5.8/32 port = 80 flags S keep state
pass in on fxp0 proto tcp from any to 192.168.5.9/32 port = 80 flags S keep state


# Allow network traffic out
pass out on fxp0 proto tcp from any to any keep state
pass out on fxp0 proto icmp from any to any keep state
pass out on fxp0 proto udp from any to any keep state
# Allow all on 192.168.5 network out
pass in on fxp1 proto any from 192.168.5.0/24 to any

-- 
"Would you like to take advantage of wiretap Wednesdays?" 
     -- Fed on Sealab 2021

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
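
A small added model (not part of Mike's post, and not IPFilter's own code) of how ipf walks a ruleset like the one above: every rule is checked in order and the last match wins unless a matching rule says "quick", and a packet that matches no rule at all is passed, which is why the ruleset has to open with a catch-all block. It parses a stateless subset of the rules from the post and decides verdicts for constructed packets; interface names and addresses come from the post, and "keep state" follow-up packets and NAT are not modelled.

```python
import ipaddress
import re

# Toy model of IPFilter evaluation, added for illustration (not ipf code): rules are
# checked in order and the LAST match wins unless a match says "quick"; with no match
# IPFilter passes, hence the post's leading "block in ... from any to any". No NAT/state.
RULESET = """
block in log on fxp0 from any to any
pass in on fxp0 proto tcp from 10.0.0.1/32 to any flags S keep state
pass in on fxp0 proto tcp from any to 192.168.5.5/32 port = 22 flags S keep state
pass in on fxp0 proto tcp from any to 192.168.5.6/32 port = 80 flags S keep state
"""
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+=\s+(?P<port>\d+))?"
    r"(?P<syn>\s+flags\s+S)?"
)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        assert m, "unsupported rule: " + line
        rules.append(m.groupdict())
    return rules

def addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")  # ipf "!addr" means everything except addr
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def rule_match(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"]
            and (r["proto"] is None or r["proto"] == p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and (r["port"] is None or int(r["port"]) == p.get("dport"))
            and (r["syn"] is None or p.get("syn", False)))  # "flags S": SYN only

def decide(rules, p):
    verdict = "pass"  # IPFilter's default when nothing matches
    for r in rules:
        if rule_match(r, p):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
```

Try `decide(parse_rules(RULESET), {...})` with a SYN to 192.168.5.5 port 22 versus port 23 to see the catch-all block being overridden only where a later pass rule matches.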


