Subject: ipfilter setup
To: None <netbsd-help@NetBSD.org>
From: Martin Schmitz <martin-schmitz@web.de>
List: netbsd-help
Date: 11/29/2003 21:01:28
Hi All,

today I configured a firewall for the very first time. First let me
explain which state I wanted to reach. I have a small home network with
a NetBSD router/firewall with two NICs: ne0 and ep0. While ne0 is
connected to the internal network, ep0 is connected to an ADSL modem
and runs pppoe0 on top of it.

Each part of the internal network should be able to start any kind of
network connection to whatever host it likes, while on the other hand
nobody on the internet should be able to connect to the firewall or any
internal host except through the ports and protocols explicitly enabled.

Now I would like to show you my /etc/ipf.conf and ask for comments,
because - as already mentioned - it is the first time I am doing this and
I really would like to be sure that there are no serious mistakes in it:

--8<--               --8<--               --8<--               --8<--

# First allow any outgoing tcp/udp packet and keep state of the connection
# to also allow packets coming back from the connected host
pass out quick on pppoe0 proto tcp/udp from any to any keep state keep frags

# Same thing for icmp
pass out quick on pppoe0 proto icmp from any to any keep state

# Just to complete the outgoing ruleset - this should never match in practice
block out log first on pppoe0 from any to any

# Now allow incoming connections for ssh, http, auth and https. These are
# either listening on the firewall itself or on internal hosts to which
# the port is then redirected through ipnat
pass in quick on pppoe0 proto tcp from any to any port = 22 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 80 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 443 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 113 flags S \
 keep state keep frags

# block all other incoming traffic and return rst/port-unr packets;
# log only errors and warnings
block return-rst in log level auth.alert quick on pppoe0 proto tcp \
 from any to any
block return-icmp(port-unr) in log level auth.alert quick on pppoe0 \
 proto udp from any to any

# just to catch icmp errors
block in log level auth.alert quick on pppoe0 proto icmp from any to any

# like the outgoing rules, this one should never match
block in log first on pppoe0 from any to any

--8<--               --8<--               --8<--               --8<--

Does this setup look reasonable to you? Do you have any comments
or suggestions? Thank you very much for spending your time on
reading this long e-mail. ;-)

TIA,
Martin
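To see what the posted ruleset actually does to a handful of packets, here is an added example that is not part of the e-mail and not IPFilter's own code: a small Python evaluator for the subset of ipf.conf syntax used above. It models the semantics that matter when reading a ruleset, namely that rules are scanned top to bottom, the last matching rule wins unless a matching rule carries "quick" (which ends the scan), and a packet that matches no rule at all is passed by default. It judges only the first packet of a flow (later packets of a "keep state" session are accepted by the state table before the rules are consulted) and ignores addresses, "keep frags" and logging. The sample packets and their labels are constructed for this example; the rules themselves are copied from the post.

```python
# Added example (not part of the post): a toy evaluator for the ipf.conf subset
# used above.  It models rule ordering only (last match wins unless "quick"),
# judges only the first packet of a flow, and ignores addresses/frags/logging.
from dataclasses import dataclass

# The ruleset from the post (pppoe0 = ADSL side, ne0 = LAN side).
IPF_CONF = r"""
pass out quick on pppoe0 proto tcp/udp from any to any keep state keep frags
pass out quick on pppoe0 proto icmp from any to any keep state
block out log first on pppoe0 from any to any
pass in quick on pppoe0 proto tcp from any to any port = 22 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 80 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 443 flags S \
 keep state keep frags
pass in quick on pppoe0 proto tcp from any to any port = 113 flags S \
 keep state keep frags
block return-rst in log level auth.alert quick on pppoe0 proto tcp \
 from any to any
block return-icmp(port-unr) in log level auth.alert quick on pppoe0 \
 proto udp from any to any
block in log level auth.alert quick on pppoe0 proto icmp from any to any
block in log first on pppoe0 from any to any
"""

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str = ""          # "in" or "out"
    quick: bool = False          # stop scanning when this rule matches
    iface: "str | None" = None   # None = any interface
    protos: tuple = ()           # () = any; "tcp/udp" -> ("tcp", "udp")
    dport: "int | None" = None   # only "port = N" is understood
    syn_only: bool = False       # "flags S": match a bare SYN only
    ret: "str | None" = None     # "rst" or "icmp(port-unr)" on block rules
    text: str = ""

def parse_rules(conf):
    rules = []
    for line in conf.replace("\\\n", " ").splitlines():   # join continuations
        toks = line.split("#", 1)[0].split()
        if not toks:
            continue
        rule = Rule(action=toks[0], text=" ".join(toks))
        it = iter(toks[1:])
        for t in it:
            if t.startswith("return-"):
                rule.ret = t[len("return-"):]
            elif t in ("in", "out"):
                rule.direction = t
            elif t in ("level", "from", "to", "keep"):
                next(it)                  # argument does not affect the verdict
            elif t == "quick":
                rule.quick = True
            elif t == "on":
                rule.iface = next(it)
            elif t == "proto":
                rule.protos = tuple(next(it).split("/"))
            elif t == "port":
                next(it)                  # the "=" operator
                rule.dport = int(next(it))
            elif t == "flags":
                rule.syn_only = next(it) == "S"
            elif t not in ("log", "first"):
                raise ValueError("unsupported keyword %r in: %s" % (t, line))
        rules.append(rule)
    return rules

def matches(rule, pkt):
    return (rule.direction == pkt["dir"] and rule.iface in (None, pkt["iface"])
            and (not rule.protos or pkt["proto"] in rule.protos)
            and rule.dport in (None, pkt.get("dport"))
            and (not rule.syn_only or pkt.get("syn", False)))

def evaluate(rules, pkt):
    """Return (action, return_type, rule_text) for the first packet of a flow."""
    # IPFilter passes a packet that matches no rule at all (unless the kernel
    # was built with IPFILTER_DEFAULT_BLOCK), so "pass" is the starting verdict.
    verdict = ("pass", None, "<no rule matched: default pass>")
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule.ret, rule.text)
            if rule.quick:
                break
    return verdict

RULES = parse_rules(IPF_CONF)

SAMPLES = {  # constructed sample packets (ours, not from the post)
    "new ssh from the internet":   dict(dir="in", iface="pppoe0", proto="tcp", dport=22, syn=True),
    "ACK-only probe to port 22":   dict(dir="in", iface="pppoe0", proto="tcp", dport=22, syn=False),
    "dns query from the internet": dict(dir="in", iface="pppoe0", proto="udp", dport=53),
    "gre from the internet":       dict(dir="in", iface="pppoe0", proto="gre"),
    "LAN host browsing out":       dict(dir="out", iface="pppoe0", proto="tcp", dport=443, syn=True),
    "new ssh arriving on ne0":     dict(dir="in", iface="ne0", proto="tcp", dport=22, syn=True),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        action, ret, text = evaluate(RULES, pkt)
        print("%-28s -> %-5s %-15s %s" % (label, action, ret or "-", text))
```

Running it prints one verdict per sample: a new SSH connection on pppoe0 passes, a bare ACK to port 22 (no state entry, no SYN) gets a RST, a UDP packet gets an ICMP port-unreachable, a GRE packet is not covered by any of the tcp/udp/icmp rules and falls through to the final "block in log first" rule, and a packet arriving on ne0 matches nothing at all and is passed, which is the model's way of showing that the LAN side of this ruleset is unfiltered.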