#
# $Id: ipf.rules,v 1.1 2002/11/14 20:24:19 raptor Exp $
#
# ipf.rules v1.0 - Sample IPFilter rules file
# Copyright (c) 2001 Raptor
#
# Sample rules for the configuration of the stateful
# packet filter IPFilter, with detailed comments.
# Tested on OpenBSD 2.9 with dual NIC.
#
# Change it to fit your local configuration.
#

#########################################################
# VPN Configuration
#
# Uncomment the following rules to quickly enable traffic
# on the Encapsulation interface, for IPSec VPN.
#
#pass in quick on enc0 from any to any
#pass out quick on enc0 from any to any

#########################################################
# INCOMING traffic default policy
#
# Set the default policy for incoming packets.
# Return a TCP/RST for blocked TCP traffic and an ICMP
# Port-Unreachable for blocked UDP traffic, following
# the RFC specifications. Log every blocked TCP and UDP
# packet.
#
block return-rst in log on de0 proto tcp all
block return-icmp-as-dest(port-unr) in log on de0 proto udp all
block in on de0 proto icmp all

#########################################################
# OUTGOING traffic default policy
#
# Set the default policy for outgoing packets.
# Here we are blocking by default every output on the
# external interface.
#
block out on de0 all

#########################################################
# Loopback interface
#
# Take care of the loopback interface, allowing all
# traffic to/from localhost.
#
pass in quick on lo0 all
pass out quick on lo0 all

#########################################################
# BLOCK and LOG incoming suspect packets
#
# Now we are blocking packets that are too short to
# contain a complete header, or with source routing
# options (most likely set to bypass our firewall).
#
block in log quick all with short
block in log quick on de0 all with opt lsrr
block in log quick on de0 all with opt ssrr

#########################################################
# Anti-spoofing
#
# Block IP spoofing attacks on the external interface.
#
block in log quick on de0 from 127.0.0.0/8 to any
block in log quick on de0 from any to 127.0.0.0/8
block in log quick on de0 from 0.0.0.0/8 to any
block in log quick on de0 from any to 0.0.0.0/8
block in log quick on de0 from 10.0.0.0/8 to any
block in log quick on de0 from any to 10.0.0.0/8
block in log quick on de0 from 172.16.0.0/12 to any
block in log quick on de0 from any to 172.16.0.0/12
block in log quick on de0 from 192.168.0.0/16 to any
block in log quick on de0 from any to 192.168.0.0/16

#########################################################
# ICMP traffic
#
# Handle outgoing ICMP traffic, accepting reply packets.
#
pass out on de0 proto icmp from any to any keep state

#########################################################
# TCP traffic
#
# Handle outgoing TCP traffic, keeping the state of
# established connections. Allow incoming connections
# to the SSH port only from the local DMZ (IP address
# changed to protect the innocent).
#
block return-rst in on de0 proto tcp from any to any port = 113
pass in on de0 proto tcp from 195.1.2.0/25 to any port = 22 keep state
pass out on de0 proto tcp from any to any keep state

#########################################################
# UDP traffic
#
# Handle outgoing UDP traffic, accepting replies.
#
pass out on de0 proto udp from any to any keep state

#########################################################
# Enforce local policies
#
# An example of enforcing internal policy. Uncommenting the
# following rules forbids Morpheus and Gnutella connections
# from the internal LAN, to protect bandwidth.
#
#block out on de0 proto tcp from any to any port = 1214	# Morpheus
#block out on de0 proto tcp from any to any port = 6346	# Gnutella
#block out on de0 proto tcp from any to any port = 6347	# Gnutella

#########################################################
# Local rules
#
# We can forbid by default outgoing traffic from the internal
# LAN and then explicitly authorize single IP addresses or
# subnets for Internet access. Note that the previous TCP and
# UDP rules allowing all outgoing TCP/UDP traffic must be
# modified to reflect these changes (without "quick", the last
# matching rule wins, so a blanket "pass out" placed after
# "block out" would override the default-deny policy).
#
# Full Internet Access
#
#pass out quick on de0 proto tcp/udp from 10.0.0.5/32 to any keep state
#
# Restricted DMZ Access
#
#pass out quick on de0 proto tcp/udp from 10.0.0.6/32 to 195.1.2.0/25 keep state
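The "Local rules" section above says the blanket outgoing TCP/UDP pass rules must be modified when per-host egress is enabled, but does not show the result. The fragment below is an added example (not part of the original ipf.rules) of what the outgoing half of the ruleset looks like once the blanket "pass out ... proto tcp/udp ... keep state" rules are removed and replaced by the per-host rules. It assumes the same external interface de0, the same example addresses (10.0.0.5, 10.0.0.6, 195.1.2.0/25) and that a syntax check with `ipf -nvf` is run before loading; everything else from the LAN falls through to the logged default block.

```conf
#########################################################
# OUTGOING traffic: default-deny with per-host exceptions
# (added example; replaces the "pass out ... proto tcp"
#  and "pass out ... proto udp" rules of the sample file)
#
# Default policy: block and log every outgoing packet on the
# external interface. Without "quick", a later matching rule
# may still override this, so the per-host rules below use
# "quick" and there is no longer a blanket "pass out" for
# TCP/UDP after it.
block out log on de0 all

# Outgoing ICMP is still allowed statefully (unchanged).
pass out on de0 proto icmp from any to any keep state

# Full Internet access for a single host (example address).
pass out quick on de0 proto tcp/udp from 10.0.0.5/32 to any keep state

# Restricted access: one host may only reach the DMZ subnet.
pass out quick on de0 proto tcp/udp from 10.0.0.6/32 to 195.1.2.0/25 keep state

# Every other outgoing TCP/UDP packet from the LAN now matches
# only "block out log on de0 all" and shows up in the ipmon log,
# which is the quickest way to spot hosts that were forgotten.

# Check the file before loading it (no-change mode, verbose):
#   ipf -nvf /etc/ipf.rules
# Then flush and load for real:
#   ipf -Fa -f /etc/ipf.rules
# and confirm the active rules and state table with
#   ipfstat -io ; ipfstat -s
```

The per-host rules carry `keep state`, so replies to an allowed connection are matched by the state table rather than by any inbound rule; the inbound default-deny rules from the sample file remain in force for unsolicited traffic.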