########## quickly deny malicious packets
#
#block in quick from any to any with short
#block in log quick from any to any with ipopts

########## group setup
#
block in on sppp0 all head 100
block out on sppp0 all head 150
#block in on hme1 all head 100
#block out on hme1 all head 150
#pass in quick on hme0 all
#pass out quick on hme0 all

########## INCOMING

########## deny IP spoofing
#
#block in log quick from 127.0.0.0/8 to any group 100
#block in log quick from 123.45.2.10/32 to any group 100
#block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
#block in log quick from 10.0.0.0/8 to any group 100
#block in log quick from 192.168.0.0/16 to any group 100
#block in log quick from 172.16.0.0/12 to any group 100
#
######### local machines
# for ipv6
pass in quick from 202.255.45.5 to any group 100
# inari
#pass in quick from 130.54.208.213 to any group 100
# all
#pass in quick from 130.54.208.0/23 to any head 180 group 100
pass in quick from 10.0.0.0/8 to any head 180 group 100
# kajiki
#pass in quick from 130.54.208.194 to any group 180
#block in quick proto tcp from 130.54.208.0/23 to any port = telnet group 180
#block in quick proto tcp from 130.54.208.0/23 to any port = sunrpc group 180
#block in quick proto tcp from 130.54.208.0/23 to any port = lockd group 180
#block in quick proto tcp from 130.54.208.0/23 to any port = 32771 group 180
#
## ICMP (ping)
#
pass in quick proto icmp from any to any group 100
#
## ftp (active-mode data connections and the passive port range)
#
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
pass in quick proto tcp from any to any port 10050 >< 10070 flags S/SA keep state group 100
#
## ident
#
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## smtp
#
pass in quick proto tcp from any to any port = 25 flags S/SA keep state group 100
#
## ssh
#
pass in quick proto tcp from any to any port = 22 flags S/SA keep state group 100
pass in quick proto tcp from any to any port = 8022 flags S/SA keep state group 100
#
## http
#
pass in quick proto tcp from any to any port = 80 flags S/SA keep state group 100
#
## pop
#
pass in quick proto tcp from any to any port = 110 flags S/SA keep state group 100
#
## ftp (control connection)
#
pass in quick proto tcp from any to any port = 21 flags S/SA keep state group 100
#
## traceroute
#
pass in quick proto udp from any to any port > 33433 group 100
#
## irc
#
pass in quick proto tcp from any to any port = 6667 flags S/SA keep state group 100
#
## dns
pass in quick proto tcp from any to any port = 53 flags S/SA keep state group 100
pass in quick proto udp from any to any port = 53 group 100

## netbios
block out quick proto tcp from any to any port 136 >< 140 group 100
block out quick proto udp from any to any port 136 >< 140 group 100

## pptp gre
pass in quick proto gre from any to any group 100
pass in quick proto tcp from any port = 1723 to any group 100

########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150

## allow all outgoing UDP packets
#
pass out quick proto udp from any to any keep state group 150
#
## pass all TCP connection setup packets
#
pass out quick proto tcp from any to any keep state group 150

## pptp gre
pass out quick proto gre from any to any group 150
pass out quick proto tcp from any to any port = 1723 group 150

########## OTHER
#
## log blocked packets
#
block in log quick from any to any group 100
block out log quick from any to any group 150