#
# Interface:
#   lo0 - loopback
#   ep0 - internal to private network
#   ep1 - external to cable modem
#
# Filtering policy ordering:
#   + Block everything unless there are permit (pass) rules
#     - Permit all loopback packets to flow freely
#     - Permit all internal network packets to flow freely
#     - Permit individual types of service to flow freely to the outside world:
#         ftp
#         smtp
#         whois
#         dns
#         http/https
#         pop3
#         traceroute
#         ping
#         dhclient
#   + Since there are no permit (pass) rules after this stage, everything
#     else is blocked!
#
# share and enjoy,
# hoang@muine.org
# Nov 26, 2001
#
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# ipf reads the whole list and the LAST matching rule wins, unless a matching
# rule carries "quick", which ends the scan on the spot. These two rules are
# deliberately not "quick", so every "pass ... quick" rule below overrides
# them; without them ipf's built-in default is to pass unmatched packets.
# Blocked packets are logged (see ipmon) so policy gaps show up in the log.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all

# -------------------------------------------------------------------------
# Interface: lo0
# Allow loopback to flow freely.
# -------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: ep0
# Allow internal traffic to flow freely.
# -------------------------------------------------------------------------
pass in quick on ep0 all
pass out quick on ep0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: ep1
# Allow connections initiated by hosts behind NAT and by the firewall itself
# out to the outside world. Additional per-service pass rules for outbound
# traffic belong in this section.
# -------------------------------------------------------------------------
# [passive ftp client to outside world, step 1: the control connection]
pass out quick on ep1 proto tcp from any to any port = 21 flags S keep state keep frags
# [smtp to outside world]
pass out quick on ep1 proto tcp from any to any port = 25 flags S keep state keep frags
# [whois to outside world]
pass out quick on ep1 proto tcp from any to any port = 43 flags S keep state keep frags
# [domain to outside world]
pass out quick on ep1 proto tcp from any to any port = 53 flags S keep state keep frags
pass out quick on ep1 proto udp from any to any port = 53 keep state keep frags
# [http to outside world]
pass out quick on ep1 proto tcp from any to any port = 80 flags S keep state keep frags
# [pop3 to outside world]
pass out quick on ep1 proto tcp from any to any port = 110 flags S keep state keep frags
# [https to outside world]
pass out quick on ep1 proto tcp from any to any port = 443 flags S keep state keep frags
# [passive ftp to outside world, step 2: the FTP server picks an unprivileged
# port for the data connection and the client connects out to it]
# Caveat: this matches ANY new outbound TCP connection to a port above 1023,
# not only FTP data, so the per-service list above only really restricts
# destination ports below 1024. ipnat's ftp proxy
# ("map ep1 <internal-net> -> 0/32 proxy port ftp ftp/tcp") is the narrower
# way to handle FTP data connections.
pass out quick on ep1 proto tcp from any to any port > 1023 flags S keep state keep frags
# [traceroute to outside world, 1st stage: UDP probes into the 33434-33525
# range; see traceroute(8). "><" is an exclusive range in ipf.]
pass out quick on ep1 proto udp from any to any port 33434 >< 33525 keep state keep frags
# [ping to outside world; note this passes every outbound ICMP type, not only
# echo-request]
pass out quick on ep1 proto icmp from any to any keep state keep frags
# -------------------------------------------------------------------------
# Allow the few externally initiated packets from the outside world that the
# firewall and the hosts behind NAT need.
# -------------------------------------------------------------------------
# [dhclient: DHCP replies from the cable modem side arrive at udp port 68.
# The firewall's own requests (port 68 -> 67) have no pass out rule here;
# the BSD dhclient sends and receives them over BPF, beneath the IP layer
# where ipf hooks in, so this works for it. A client that uses an ordinary
# UDP socket would also need "pass out quick on ep1 proto udp from any
# port = 68 to any port = 67".]
pass in quick on ep1 proto udp from any to any port = 68 keep state keep frags
# [traceroute from an internal host, 2nd stage: receiving the ICMP error
# replies, icmp-type 3 (destination unreachable) and icmp-type 11 (time
# exceeded). Both rules accept these types from anywhere, whether or not a
# matching probe went out.]
pass in quick on ep1 proto icmp from any to any icmp-type 3 keep state keep frags
pass in quick on ep1 proto icmp from any to any icmp-type 11 keep state keep frags
# -------------------------------------------------------------------------
# Interface: ep1
# Since there are no permit (pass) rules after this stage, everything else is
# blocked!
# -------------------------------------------------------------------------
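Added example, not part of the original ipf.conf and not IPFilter's own code: a small Python evaluator for the rule subset used above that implements the ordering semantics this policy relies on (the last matching rule wins, a matching "quick" rule stops the scan, and a packet matching no rule is passed by default) and runs a handful of constructed packets through the ep1 rules. It shows why the two non-quick block rules at the top are needed, what "flags S" actually matches, and that the "port > 1023" rule passes a new outbound connection to any unprivileged port, not only FTP data. Everything in it (Packet, parse_rule, evaluate, demo, the embedded rule subset) is this example's own; it keeps no state table, so a mid-stream packet that the real firewall would pass on state shows up as blocked here.

```python
"""Toy evaluator for the ipf rule subset used on this page (an added example, not ipf code).
Modelled: the list is scanned top to bottom and the LAST match wins, a matching `quick` rule
ends the scan at once, and a packet that matches no rule is passed (ipf's built-in default).
Stateless: `keep state`, `keep frags` and `log` are parsed and ignored."""
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str              # "lo0", "ep0" or "ep1"
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    syn_only: bool = False  # SYN set and every other TCP flag clear: what `flags S` means

def parse_rule(line):
    """Parse one rule line into a dict; rejects syntax this toy does not model."""
    toks = line.split()
    rule = {"action": toks[0], "direction": toks[1], "quick": False, "iface": None, "proto": None,
            "src_port": None, "dst_port": None, "icmp_type": None, "flags_s": False}
    ctx, i = "dst", 2       # ctx: does a `port` clause belong to `from` (src) or `to` (dst)?
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"], i = True, i + 1
        elif t in ("log", "all"):
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"], i = toks[i + 1], i + 2
        elif t in ("from", "to"):             # the address is one token ("any" on this page)
            ctx, i = ("src" if t == "from" else "dst"), i + 2
        elif t == "port":                     # port = N | port > N | port A >< B
            if toks[i + 2] == "><":
                rule[ctx + "_port"], i = ("><", int(toks[i + 1]), int(toks[i + 3])), i + 4
            else:
                rule[ctx + "_port"], i = (toks[i + 1], int(toks[i + 2])), i + 3
        elif t == "icmp-type":
            rule["icmp_type"], i = int(toks[i + 1]), i + 2
        elif t == "flags":
            rule["flags_s"], i = (toks[i + 1] == "S"), i + 2
        elif t == "keep":                     # keep state / keep frags: no-op in this toy
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def _port_ok(spec, port):
    if spec is None:                          # no port clause: any port matches
        return True
    if spec[0] == "><":
        return spec[1] < port < spec[2]       # exclusive bounds, as in ipf
    return {"=": port == spec[1], ">": port > spec[1], "<": port < spec[1]}[spec[0]]

def matches(rule, p):
    return (rule["direction"] == p.direction
            and rule["iface"] in (None, p.iface)
            and rule["proto"] in (None, p.proto)
            and _port_ok(rule["src_port"], p.sport)
            and _port_ok(rule["dst_port"], p.dport)
            and rule["icmp_type"] in (None, p.icmp_type)
            and (p.syn_only or not rule["flags_s"]))

def evaluate(rules, p):
    """Return (verdict, index of the deciding rule or None) under ipf ordering semantics."""
    verdict, decided_by = "pass", None        # nothing matched -> ipf passes the packet
    for idx, rule in enumerate(rules):
        if matches(rule, p):
            verdict, decided_by = rule["action"], idx
            if rule["quick"]:
                break                         # quick: stop scanning, this rule decides
    return verdict, decided_by

# Subset of the page's rules: the non-quick block-all pair plus the ep1 rules demo() exercises.
RULESET = [parse_rule(l) for l in """
block in log all
block out log all
pass out quick on ep1 proto tcp from any to any port = 443 flags S keep state keep frags
pass out quick on ep1 proto tcp from any to any port > 1023 flags S keep state keep frags
pass out quick on ep1 proto udp from any to any port 33434 >< 33525 keep state keep frags
pass in quick on ep1 proto udp from any to any port = 68 keep state keep frags
pass in quick on ep1 proto icmp from any to any icmp-type 11 keep state keep frags
""".strip().splitlines()]

def demo():
    """Constructed packets (not captured traffic); returns {description: verdict}."""
    cases = {
        "in ep1 tcp/22 SYN": Packet("in", "ep1", "tcp", dport=22, syn_only=True),
        "out ep1 tcp/443 SYN": Packet("out", "ep1", "tcp", dport=443, syn_only=True),
        "out ep1 tcp/23 SYN": Packet("out", "ep1", "tcp", dport=23, syn_only=True),
        "out ep1 tcp/8080 SYN": Packet("out", "ep1", "tcp", dport=8080, syn_only=True),  # the > 1023 hole
        "out ep1 tcp/443 ACK": Packet("out", "ep1", "tcp", dport=443),  # real ipf passes this on state
        "in ep1 udp 67->68": Packet("in", "ep1", "udp", sport=67, dport=68),
        "in ep1 icmp type 11": Packet("in", "ep1", "icmp", icmp_type=11),
    }
    return {name: evaluate(RULESET, p)[0] for name, p in cases.items()}
```

Call demo() to see the verdicts; evaluate([], pkt) returns ("pass", None) for any packet, which is the ipf default the two "block ... log all" rules exist to override. The "out ep1 tcp/8080 SYN" case is the one to look at when deciding whether the "port > 1023" rule is acceptable on a given network.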