#
# +-----------+     +-------------------------+     +------------------+
# | ADSL-Modem|-----| pppoe0   NAT+IPF   rtk0 |-----| Internal Network |
# +-----------+     +-------------------------+     +------------------+
#
# ipf.conf: pppoe0 is the DSL uplink, rtk0 the internal LAN interface.
# Rules are evaluated top to bottom, last match wins unless "quick" is given.

# Possibly dangerous: packets with IP options, short and fragmented packets
block in log body quick from any to any with ipopts
block in log body quick proto tcp from any to any with short
block in log body quick all with frag

# Loopback traffic is allowed
pass out quick on lo0 all
pass in quick on lo0 all

# Local network traffic is allowed
pass out quick on rtk0 all
pass in quick on rtk0 all

# Block file sharing ports without logging:
# Kazaa   : Port 1214
# GNUtella: Port 6346
# Napster : Port 6699
block return-rst in quick on pppoe0 proto tcp from any to any port = 1214
block return-rst in quick on pppoe0 proto tcp from any to any port = 6346
block return-icmp-as-dest in quick on pppoe0 proto udp from any to any port = 6346
block return-rst in quick on pppoe0 proto tcp from any to any port = 6699

# Block faked or unlikely "local" source addresses arriving on the uplink
block in log body quick on pppoe0 from 192.168.0.0/16 to any
block in log body quick on pppoe0 from 172.16.0.0/12 to any
block in log body quick on pppoe0 from 10.0.0.0/8 to any
block in log body quick on pppoe0 from 127.0.0.0/8 to any
block in log body quick on pppoe0 from 0.0.0.0/8 to any
block in log body quick on pppoe0 from 169.254.0.0/16 to any
block in log body quick on pppoe0 from 192.0.2.0/24 to any
block in log body quick on pppoe0 from 204.152.64.0/23 to any
block in log body quick on pppoe0 from 224.0.0.0/3 to any
block in log body quick on pppoe0 from 213.25.76.141 to any

# Log all other blocks (default deny for inbound; the pass rules below override it)
block in log body all
block return-rst in log body on pppoe0 proto tcp from any to any
block return-icmp-as-dest in log body on pppoe0 proto udp from any to any

# The pass rules to enable services
pass in log on pppoe0 proto icmp from any to any icmp-type echo
pass in log on pppoe0 proto tcp from any to any port = auth
pass in log on pppoe0 proto tcp from any to any port = qotd
pass in log on pppoe0 proto tcp from any to any port = ssh
pass in log on pppoe0 proto tcp from any to any port = ftp-data
pass in log on pppoe0 proto tcp from any to any port = ftp
pass in log on pppoe0 proto tcp from any to any port = http
pass in log on pppoe0 proto tcp from any to any port = https
pass in log on pppoe0 proto tcp from any to any port = cvspserver
pass in log on pppoe0 proto tcp from any to any port = 3000          # ntop
pass in log on pppoe0 proto tcp from any to any port 65500 >< 65505  # ftp
pass in log on pppoe0 proto tcp from any to any port = 4661          # edonkey tecneeq
pass in log on pppoe0 proto tcp from any to any port = 4662          # edonkey tecneeq
pass in log on pppoe0 proto udp from any to any port = 4666          # edonkey tecneeq
pass in log on pppoe0 proto tcp from any to any port = 6112          # warcraft3 tarra
pass in log on pppoe0 proto tcp from any to any port = 2005          # t-ops tarra
pass in log on pppoe0 proto udp from any to any port = 9110          # gamevoice tarra
pass in log on pppoe0 proto tcp from any to any port = 6120          # warcraft3 pusty
pass in log on pppoe0 proto tcp from any to any port = 5324          # xfriskserver

# Blocking of outgoing faked or unlikely "internal" destination addresses
block out log body all
block out log body quick on pppoe0 from any to 192.168.0.0/16
block out log body quick on pppoe0 from any to 172.16.0.0/12
block out log body quick on pppoe0 from any to 10.0.0.0/8
block out log body quick on pppoe0 from any to 127.0.0.0/8
block out log body quick on pppoe0 from any to 0.0.0.0/8
block out log body quick on pppoe0 from any to 169.254.0.0/16
block out log body quick on pppoe0 from any to 192.0.2.0/24
block out log body quick on pppoe0 from any to 204.152.64.0/23
block out log body quick on pppoe0 from any to 224.0.0.0/3

# The general pass rules (stateful: replies to outbound traffic are admitted)
pass out quick on pppoe0 proto tcp from any to any keep state
pass out quick on pppoe0 proto udp from any to any keep state
pass out quick on pppoe0 proto icmp from any to any keep state
pass out quick on any proto tcp from any to any keep state
pass out quick on any proto udp from any to any keep state
pass out quick on any proto icmp from any to any keep state

# Counting tecneeq.home (192.168.1.20)
count out on pppoe0 proto tcp from 192.168.1.20 to any
count out on pppoe0 proto udp from 192.168.1.20 to any
count out on pppoe0 proto icmp from 192.168.1.20 to any
count in on pppoe0 proto tcp from any to 192.168.1.20
count in on pppoe0 proto udp from any to 192.168.1.20
count in on pppoe0 proto icmp from any to 192.168.1.20

# Counting DSL
#count out on pppoe0 proto tcp from any to any
#count out on pppoe0 proto udp from any to any
#count out on pppoe0 proto icmp from any to any
#count in on pppoe0 proto tcp from any to any
#count in on pppoe0 proto udp from any to any
#count in on pppoe0 proto icmp from any to any

# Counting Loopback (interface name corrected from "io0" to lo0)
#count out on lo0 proto tcp from any to any
#count out on lo0 proto udp from any to any
#count out on lo0 proto icmp from any to any
#count in on lo0 proto tcp from any to any
#count in on lo0 proto udp from any to any
#count in on lo0 proto icmp from any to any

# Counting Internal
#count out on rtk0 proto tcp from any to any
#count out on rtk0 proto udp from any to any
#count out on rtk0 proto icmp from any to any
#count in on rtk0 proto tcp from any to any
#count in on rtk0 proto udp from any to any
#count in on rtk0 proto icmp from any to any

# eof