-rw-r--r-- | share/ipf/example.1 | 4 | ||||
-rw-r--r-- | share/ipf/example.10 | 4 | ||||
-rw-r--r-- | share/ipf/example.11 | 5 | ||||
-rw-r--r-- | share/ipf/example.13 | 12 | ||||
-rw-r--r-- | share/ipf/example.15 | 4 | ||||
-rw-r--r-- | share/ipf/example.2 | 5 | ||||
-rw-r--r-- | share/ipf/example.5 | 12 | ||||
-rw-r--r-- | share/ipf/firewall.3 | 99 | ||||
-rw-r--r-- | share/ipf/firewall.4 | 72 | ||||
-rw-r--r-- | share/ipf/nat.3 | 45 |
10 files changed, 240 insertions, 22 deletions
diff --git a/share/ipf/example.1 b/share/ipf/example.1
index 604346e13db..ff93f492caf 100644
--- a/share/ipf/example.1
+++ b/share/ipf/example.1
@@ -1,4 +1,4 @@
 #
-# block all incoming TCP packets on le0 from host "foo" to any destination.
+# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
 #
-block in on le0 proto tcp from foo/32 to any
+block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
index 477c2e071a0..560d1e670f6 100644
--- a/share/ipf/example.10
+++ b/share/ipf/example.10
@@ -1,8 +1,8 @@
 #
 # pass ack packets (ie established connection)
 #
-pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
-pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
 #
 # block incoming connection requests to my internal network from the big bad
 # internet.
diff --git a/share/ipf/example.11 b/share/ipf/example.11
index 7fc26ebdca3..e9045d24f1b 100644
--- a/share/ipf/example.11
+++ b/share/ipf/example.11
@@ -1,13 +1,14 @@
+# For this example, "foo" has an IP address of 10.2.2.2
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
-pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
-pass in proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
 #
 # block anything trying to get to X terminal ports, X:0 to X:9
 #
diff --git a/share/ipf/example.13 b/share/ipf/example.13
index df13d0af471..854f07f1694 100644
--- a/share/ipf/example.13
+++ b/share/ipf/example.13
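Review bot: The `flags A/A` match in the rewritten `pass in` / `pass out` lines admits any packet that merely has the ACK bit set, not only packets belonging to an established connection, so the comment `(ie established connection)` overstates it: a remote host that sets ACK on a forged segment (ACK scanning, or carrying data in ACK-only segments) passes both rules between the two /16s. On IP Filter 3.3 the robust form is to pass the opening SYN with `keep state` and let the state table admit the rest of the conversation. If this example is meant to demonstrate flag matching rather than be copied, a comment such as `# NOTE: A/A matches any ACK-flagged packet, forged or not; use keep state on the SYN rule for real connection tracking` would make that clear.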
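Review bot: `from 10.2.2.2/24` on the TCP rule writes a host address with a /24 mask; IP Filter is expected to apply the mask and match 10.2.2.0/24, but the form invites the reading that only 10.2.2.2 is meant and some ipf builds warn about set host bits, so the network address is clearer: `pass in proto tcp from 10.2.2.0/24 to 10.1.1.2/32 port = 6667`. The added first line could then read `# For this example, "foo" is 10.2.2.2 on the 10.2.2.0/24 network` so both rules beneath it are consistent with the comment about "the same subnet as foo".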
@@ -1,17 +1,17 @@
 #
-# Log all short TCP packets to qe3, with "packetlog" as the intended
+# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
 # destination for the packet.
 #
-block in to qe3:packetlog proto tcp all with short
+block in on qe0 to qe3:10.3.3.3 proto tcp all with short
 #
 # Log all connection attempts for TCP
 #
-pass in dup-to le0:packetlog proto tcp all flags S/SA
+pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
 #
 # Route all UDP packets through transparently.
 #
-pass in fastroute proto udp all
+pass in on ppp0 fastroute proto udp all
 #
-# Route all ICMP packets to network 10 out through le1, to "router"
+# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
 #
-pass in to le1:router proto icmp all
+pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/share/ipf/example.15 b/share/ipf/example.15
index 5eafc7c0216..f2fb2041faf 100644
--- a/share/ipf/example.15
+++ b/share/ipf/example.15
@@ -6,6 +6,6 @@
 # or
 #
 pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.1.0/24 to any
+block in log quick on le0 from any to any
+block in log quick on le1 from 128.1.1.0/24 to any
 pass in quick on le1 from any to any
diff --git a/share/ipf/example.2 b/share/ipf/example.2
index 8d8fe577143..4f81725eeb0 100644
--- a/share/ipf/example.2
+++ b/share/ipf/example.2
@@ -1,4 +1,5 @@
 #
-# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
+# block all outgoing TCP packets on le0 from any host to port 23 of
+# host 10.1.1.2
 #
-block out on le0 proto tcp from any to bar/32 port = 23
+block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/share/ipf/example.5 b/share/ipf/example.5
index 6e122e03bc7..a45a4fa5b34 100644
--- a/share/ipf/example.5
+++ b/share/ipf/example.5
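Review bot: In example.2 the comment and the rule disagree on the host: the new comment line says `# host 10.1.1.2` while the rule blocks `to 10.1.1.3/32 port = 23`, so a reader who copies either one gets a different firewall from the one described. Pick one address and use it in both places — either change the comment to `# host 10.1.1.3` or the rule to `10.1.1.2/32`.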
@@ -1,25 +1,25 @@
 #
 # test ruleset
 #
-# allow packets coming from foo to bar through.
+# allow packets coming from foo (10.1.1.2) to bar (10.2.1.1) through.
 #
-pass from foo to bar
+pass in from 10.1.1.2 to 10.2.1.1
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
-pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
-pass proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
 #
 # block all ICMP unreachables.
 #
-block from any to any icmp unreach
+block in proto icmp from any to any icmp-type unreach
 #
 # allow packets through which have a non-standard IP header length (ie there
 # are IP options such as source-routing present).
 #
-pass from any to any with ipopts
+pass in from any to any with ipopts
diff --git a/share/ipf/firewall.3 b/share/ipf/firewall.3
new file mode 100644
index 00000000000..d2bd60a3188
--- /dev/null
+++ b/share/ipf/firewall.3
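Review bot: The last rule, now `pass in from any to any with ipopts`, explicitly admits inbound packets carrying IP options, and the comment above it names source routing as the case: a source-routed packet can be addressed so that replies are steered back through the sender, which defeats the address-based filtering elsewhere in a ruleset. Since the file is labelled a test ruleset the line is presumably there to show the `with ipopts` syntax, and I would say so in the comment, e.g. `# (syntax demonstration only: a real ruleset should block source-routed packets instead, e.g. with opt lsrr / ssrr - check ipf.5)`, so it is not copied as-is into a production filter.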
@@ -0,0 +1,99 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: RESTRICTIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything. This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block in log proto tcp all flags S/SA head 101 group 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block in log proto tcp all flags S/SA head 201 group 200
+block in log proto udp all head 202 group 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Allow outgoing DNS requests (no named on firewall)
+#
+pass in quick proto udp from any to any port = 53 keep state group 202
+#
+# If we were running named on the firewall and all internal hosts talked to
+# it, we'd use the following:
+#
+#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
+#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
+#
+# Allow outgoing FTP from any internal host to any external FTP server.
+#
+pass in quick proto tcp from any to any port = ftp keep state group 201
+pass in quick proto tcp from any to any port = ftp-data keep state group 201
+pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
+#
+# Allow NTP from any internal host to any external NTP server.
+#
+pass in quick proto udp from any to any port = ntp keep state group 202
+#
+# Allow outgoing connections: SSH, TELNET, WWW
+#
+pass in quick proto tcp from any to any port = 22 keep state group 201
+pass in quick proto tcp from any to any port = telnet keep state group 201
+pass in quick proto tcp from any to any port = www keep state group 201
+#
+#-------------------------------------------------------
+block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
+#
+# Allow incoming to the external firewall interface: mail, WWW, DNS
+#
+pass in log quick proto tcp from any to any port = smtp keep state group 110
+pass in log quick proto tcp from any to any port = www keep state group 110
+pass in log quick proto tcp from any to any port = 53 keep state group 110
+pass in log quick proto udp from any to any port = 53 keep state group 100
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/firewall.4 b/share/ipf/firewall.4
new file mode 100644
index 00000000000..46564f0ee41
--- /dev/null
+++ b/share/ipf/firewall.4
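Review bot: The active-FTP rule `pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101` opens every port above 1023 reachable through ppp0 to any external host that simply sets its source port to 20 — a value the attacker chooses — and because group 101 is the inbound-SYN group on the external interface this is a remote hole rather than an FTP convenience. nat.3 in the same commit already sends FTP through the ipnat ftp proxy, which takes care of the data connection, so this line can be dropped; if it is kept it should at least be limited to `to a.b.c.d/32` and a documented port range. Separately, the inbound DNS line `pass in log quick proto udp from any to any port = 53 keep state group 100` carries no destination restriction even though the section is headed "incoming to the external firewall interface" and the TCP rules beside it go through head 110, which is limited to a.b.c.d/32; it should read `pass in log quick proto udp from any to a.b.c.d/32 port = 53 keep state group 100`, and the earlier comment `(no named on firewall)` should be reconciled with this section, which assumes one.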
@@ -0,0 +1,72 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: PERMISSIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything. This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Allow any communication between the inside network and the outside only.
+#
+# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
+#
+pass in log quick proto tcp all flags S/SA keep state group 200
+#
+# Support all UDP `connections' initiated from inside.
+#
+# Allow ping out
+#
+pass in log quick proto icmp all keep state group 200
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/nat.3 b/share/ipf/nat.3
new file mode 100644
index 00000000000..df041d1119c
--- /dev/null
+++ b/share/ipf/nat.3
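Review bot: Head rule 200 only catches packets `on ed0 from w.x.y.z/24`, and no other rule in this file matches inbound traffic on ed0, so a packet from the inside with a forged source outside w.x.y.z/24 matches nothing at all; IP Filter passes unmatched packets by default unless the kernel was built with a default-block option, so inside-originated spoofing walks straight through (the same gap exists in firewall.3). Making the default explicit with `block in log all` and `block out log all` as the first two rules, non-quick so the head/group rules still take precedence, closes it. Also, the comment about supporting UDP connections initiated from inside has no rule beneath it — internal UDP, DNS included, is dropped by head 200 — so either add `pass in log quick proto udp all keep state group 200` or drop the comment; and `proto icmp all` under `# Allow ping out` passes every ICMP type, where `icmp-type echo` would match what the comment promises.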
@@ -0,0 +1,45 @@
+#!/sbin/ipnat -f -
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# If we have only 1 valid IP address from our ISP, then we do this:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
+map ppp0 w.x.y.z/24 -> a.b.c.d/32
+#
+# if we get a different dialup IP address each time, then we would use:
+#
+#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> 0/32
+#
+# If we have a class C address space of valid IP#'s from our ISP, then we can
+# do this:
+#
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24
+#
+# or, if we only have a small number of PC's, this:
+#
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32
+#
+# To make ftp work, using the internal ftp proxy, use:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
+#
|
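Review bot: The ftp proxy rule `map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp` is the last map line, after the two generic `map ppp0 w.x.y.z/24 -> a.b.c.d/32` rules that already match every outbound packet from the inside; as far as I recall ipnat applies the first matching map rule to a new outbound session, and the IP Filter HOWTO tells users to list proxy rules before the general map rules for exactly this reason (verify against the 3.3 ipnat(5)), so here the FTP control connection is portmapped by the generic rule and the proxy never sees it, leaving active FTP broken through the NAT. Moving the proxy line above the first generic map rule fixes the order, and the comment should record why, e.g. `# To make ftp work, using the internal ftp proxy, use (this rule must come before the general map rules):`.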