Permission Specifying:
# setup default to block all packets.
block in all
block out all
# pass packets from host firewall to any destination
pass in from firewall to any
Selecting network interfaces:
# drop all inbound packets from localhost coming from ethernet
block in on le0 from localhost to any
Netmasks and hosts:
#
block in on le0 from mynet/26 to any
#
block in on le0 from mynet/255.255.255.192 to any
#
block in on le0 from mynet mask 255.255.255.192 to any
#
block in on le0 from mynet mask 0xffffffc0 to any
The default netmask, when none is given, is 255.255.255.255 or "/32".
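As an added Python example (not from the page), the four mask spellings above are parsed to the same /26 network and a bare host falls back to the default /32; the HOSTS table, with "mynet" standing for 10.1.1.64, is a constructed stand-in for name resolution.

```python
import ipaddress

# Constructed stand-in for /etc/hosts; "mynet" = 10.1.1.64 is an assumption.
HOSTS = {"mynet": "10.1.1.64", "localhost": "127.0.0.1"}

def mask_to_prefixlen(mask):
    """Turn a dotted-quad or hex (0x...) netmask into a prefix length,
    rejecting masks whose set bits are not one contiguous leading run."""
    if mask.lower().startswith("0x"):
        bits = int(mask, 16)
    else:
        bits = int(ipaddress.IPv4Address(mask))
    prefixlen = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefixlen

def parse_host_spec(spec):
    """Parse the address part of a from/to clause into an IPv4Network.
    Accepts host/prefixlen, host/dotted-mask, 'host mask <dotted|hex>'
    and a bare host, which gets the default mask of /32."""
    tokens = spec.split()
    host, mask = tokens[0], None
    if len(tokens) == 3 and tokens[1] == "mask":
        mask = tokens[2]
    elif len(tokens) != 1:
        raise ValueError(f"bad host spec {spec!r}")
    if "/" in host:
        host, mask = host.split("/", 1)
    addr = ipaddress.IPv4Address(HOSTS.get(host, host))
    if mask is None:
        prefixlen = 32
    elif mask.isdigit():
        prefixlen = int(mask)
    else:
        prefixlen = mask_to_prefixlen(mask)
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def address_matches(spec, packet_addr):
    """True when a packet address falls inside the rule's from/to network."""
    return ipaddress.IPv4Address(packet_addr) in parse_host_spec(spec)
```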
Protocol:
# block all incoming ICMP packets
block in on le0 proto icmp all
The name of the protocol can be any valid name from /etc/protocols or a number.
# allow in all IP packets whose protocol number is 4
pass in on le0 proto 4 all
# prevent any packets destined for NFS from coming in
block in on le0 proto tcp/udp from any to any port = 2049
Filtering IP fragments:
#
# get rid of all IP fragments
block in all with frag
#
# get rid of all short IP fragments (too small for valid comparison)
block in proto tcp all with short
IP Options:
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
# drop any source routing options
block in quick all with opt lsrr
block in quick all with opt ssrr
# Allow anyone to telnet in so long as they don't use IP options.
pass in proto tcp from any to any port = 23 with no ipopts
# Allow packets with strict source routing and no loose source routing
pass in from any to any with opt ssrr not opt lsrr
Filtering by ports:
Filtering by port number only works with the TCP and UDP IP protocols. When specifying port numbers, either the number or the service name from /etc/services may be used.
The possible operands available for use with port numbers are:

Operand  Alias  Parameters  Result
<        lt     port#       true if port is less than given value
>        gt     port#       true if port is greater than given value
=        eq     port#       true if port is equal to given value
!=       ne     port#       true if port is not equal to given value
<=       le     port#       true if port is less than or equal to given value
=>       ge     port#       true if port is greater than or equal to given value
# allow any TCP packets from the same subnet as fubar is on through to host
# 10.1.1.2 if they are destined for port 6667.
pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
pass in proto udp from fubar port != 53 to localhost
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
pass in proto tcp/udp all
block in proto tcp/udp from any to any port 511 >< 516
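The operand table and the "511 >< 516" range above, as an added Python example that is not part of the page: a small compiler for the port clause that resolves service names and shows that the ">< " range excludes both bounds, so 511 >< 516 selects exactly the r-services and printer ports 512 through 515. The SERVICES table is a constructed stand-in for /etc/services.

```python
import operator

# Constructed stand-in for the /etc/services names the page uses.
SERVICES = {"telnet": 23, "domain": 53, "www": 80, "ident": 113, "nfs": 2049}

# Operands and aliases from the page's table (">=" alongside the table's "=>").
COMPARE = {
    "<": operator.lt, "lt": operator.lt, ">": operator.gt, "gt": operator.gt,
    "=": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
    "<=": operator.le, "le": operator.le,
    ">=": operator.ge, "=>": operator.ge, "ge": operator.ge,
}

def port_number(token):
    """A port is written either as a number or as a service name."""
    return int(token) if token.isdigit() else SERVICES[token]

def port_predicate(clause):
    """Compile 'port <op> <port>' or 'port <low> >< <high>' into a predicate.
    '><' is exclusive at both ends: 511 >< 516 selects 512 through 515."""
    tokens = clause.split()
    if not tokens or tokens[0] != "port":
        raise ValueError(f"not a port clause: {clause!r}")
    if len(tokens) == 3:
        cmp, value = COMPARE[tokens[1]], port_number(tokens[2])
        return lambda port: cmp(port, value)
    if len(tokens) == 4 and tokens[2] == "><":
        low, high = port_number(tokens[1]), port_number(tokens[3])
        return lambda port: low < port < high
    raise ValueError(f"malformed port clause: {clause!r}")

def port_matches(clause, port):
    return port_predicate(clause)(port)

def selected_ports(clause, candidates):
    """Which of the candidate ports the clause would select."""
    return [port for port in candidates if port_matches(clause, port)]
```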
TCP Flags:
# pass established (A/A) packets
pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
# block incoming connection requests to my internal network from the big bad
# internet.
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
# or block reply:
block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA
ICMP Type/Code:
# block all ICMP packets.
block in proto icmp all
# allow in ICMP echos and echo-replies.
pass in on le1 proto icmp from any to any icmp-type echo
pass in on le1 proto icmp from any to any icmp-type echorep
To specify an ICMP code, the numeric value must be used. So, if we wanted to block all port-unreachables, we would do:
#
# block all ICMP destination unreachable packets which are port-unreachables
block in on le1 proto icmp from any to any icmp-type unreach code 3
Responding to a BAD packet:
#
# block all incoming TCP connections but send back a TCP-RST for ones to
# the ident port
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
block return-icmp in proto udp from any to any
# block inbound UDP packets to ports above 30000 and send back an ICMP
# port-unreachable (code 3); the two rules below are equivalent spellings.
block return-icmp (3) in proto udp from any to any port > 30000
block return-icmp (port-unr) in proto udp from any to any port > 30000
Filtering IP Security Classes:
#
# drop all packets without IP security options
block in all with no opt sec
#
# only allow packets in and out on le1 which are top secret
block out on le1 all
pass out on le1 all with opt sec-class topsecret
block in on le1 all
pass in on le1 all with opt sec-class topsecret
Packet state filtering:
#
# Keep state for all outgoing telnet connections
# and disallow all other TCP traffic.
pass out on le1 proto tcp from any to any port = telnet keep state
block out on le1 all
#
# allow UDP replies back from name servers
pass out on le1 proto udp from any to any port = domain keep state
Network Address Translation (NAT):
# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
# port number to something between 10,000 and 20,000 inclusive. For all other
# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
# for each new user. In this example, ed1 is the external interface.
# Use ipnat, not ipf to load these rules.
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.0/24
Transparent Proxy Support:
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box (in this case ed0
# is the interface on the "inside" where default routes point), to the local
# ftp port, forcing them to connect through a proxy, you would use:
rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
Transparent routing:
# fast-route all incoming UDP packets, forwarding them without the kernel's
# normal IP processing
pass in quick fastroute proto udp all
#
# Route all ICMP packets to network 10 (on le0) out through le1, to "router"
pass in quick on le0 to le1:router proto icmp all
Logging packets to the network:
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
block in quick to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
pass in quick on ppp0 dup-to le1:packetlog proto tcp all flags S/SA
Rule groups:
# Process all incoming ppp packets on ppp0 with group 100, with the default for
# this interface to block all incoming.
block in quick on ppp0 all head 100
If we then wanted to allow people to connect to our WWW server via ppp0, we could just add a rule about WWW to group 100.
# Allow connections to the WWW server via ppp0.
pass in quick proto tcp from any to any port = www keep state group 100
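As an added illustration (not from the page, and not ipf's own syntax) of how ipf walks a rule list: without quick the last matching rule wins, quick stops at the first match, and a matching head rule hands the packet to its group. The rule set is a simplified, constructed model of the page's ppp0 head/group pair, the pass-all/block r-services pair and a "flags S/SA" test; the sample packets are constructed too.

```python
# Constructed rule set modelled on the page's examples (not ipf syntax itself).
# Absent fields mean "any"; dport is a port or an inclusive (low, high) pair;
# flags uses ipf's "set/mask" form, so "S/SA" is SYN set and ACK clear.
RULES = [
    {"action": "block", "dir": "in", "quick": True, "on": "ppp0", "head": 100},
    {"action": "pass", "dir": "in", "quick": True, "proto": "tcp", "dport": 80,
     "flags": "S/SA", "group": 100},
    {"action": "pass", "dir": "in", "proto": "tcp"},
    {"action": "block", "dir": "in", "proto": "tcp", "dport": (512, 515)},
]

def flags_match(spec, pkt_flags):
    want, mask = spec.split("/")
    return {f for f in pkt_flags if f in mask} == set(want)

def rule_matches(rule, pkt):
    for key in ("dir", "on", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "flags" in rule and not flags_match(rule["flags"], pkt.get("flags", "")):
        return False
    dport = rule.get("dport")
    if isinstance(dport, tuple):
        return dport[0] <= pkt["dport"] <= dport[1]
    return dport is None or dport == pkt["dport"]

def scan(rules, pkt, result, group=None):
    """Walk one group's rules in order: the last match wins unless a matching
    rule is quick, which stops the walk. A matching head rule hands the packet
    to its group seeded with the head's own action, so the head's verdict
    stands when nothing in the group matches."""
    for rule in rules:
        if rule.get("group") != group or not rule_matches(rule, pkt):
            continue
        result, quick = rule["action"], bool(rule.get("quick"))
        if "head" in rule:
            result, group_quick = scan(rules, pkt, result, rule["head"])
            quick = quick or group_quick
        if quick:
            return result, True
    return result, False

def decide(pkt):
    # ipf's built-in default is pass; that is why the page's first rules are
    # explicit "block in all" / "block out all".
    return scan(RULES, pkt, "pass")[0]

# Constructed sample packets.
WEB_SYN_PPP0 = {"dir": "in", "on": "ppp0", "proto": "tcp", "dport": 80, "flags": "S"}
SSH_SYN_PPP0 = {"dir": "in", "on": "ppp0", "proto": "tcp", "dport": 22, "flags": "S"}
LPR_LE0 = {"dir": "in", "on": "le0", "proto": "tcp", "dport": 515, "flags": "SA"}
```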