Subject: Re: IPF Rules
To: Todd Gruhns Acct <tgruhn2@mail.com>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 01/04/2002 20:47:03
On Fri, Jan 04, 2002 at 10:29:37PM -0500, Todd Gruhns Acct wrote:
> I decided to write my own IPF ruleset. I can now access mail.com,
> but I cannot access netbsd.org. What's wrong with this IPF ruleset?
What do you mean by "access"? FTP? HTTP? CVS? 'ping'?
>
>
> block in quick on ppp0 all # Absolutely no one allowed in on the ppp0 interface
With this rule, any other "block in" rules are redundant, and will never
be in effect.
>
>
> # block invalid source address packets (anti-spoofing rules)
> block in log quick on ppp0 from 192.168.0.0/16 to any
> block in log quick on ppp0 from 172.16.0.0/12 to any
> block in log quick on ppp0 from 10.0.0.0/8 to any
> block in log quick on ppp0 from 127.0.0.0/8 to any
>
> #NOW LOOSEN RULES TO ALLOW TRAFFIC IN
>
> # implicit allow (see section 2.13)
> pass out quick on ppp0 proto tcp/udp all keep state
> pass out quick on ppp0 proto udp all keep state
These two are redundant, in terms of UDP.
> pass out quick on ppp0 proto icmp all keep state
> pass out quick on ppp0 proto igmp all
>
>
>
> block out log quick all
>
>
For what you seem to be after, I'd use the rules
pass in quick on ppp0 proto icmp from any to any icmp-type 3
# destination unreachable
block return-rst in quick on ppp0 proto tcp from any to any
block return-icmp(host-unr) in quick on ppp0 proto udp from any to any
block in quick on ppp0 from any to any
pass out quick on ppp0 proto tcp from any to any flags S keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state
pass out quick on ppp0 proto igmp from any to any
# Do you need IGMP for PPP?
block out log on ppp0 from any to any
David S.
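The redundancy David points out follows from IPF's matching order: rules are walked top to bottom, the last match wins, and a matching rule with `quick` ends the walk on the spot. The following checker, added here as an example and not code from either poster, parses the subset of ipf.conf syntax used in the thread, reports rules that an earlier `quick` rule already decides for every packet they could match, and evaluates single packets against the ruleset. The ruleset embedded in it is Todd's, copied from the quoted message; the packets fed to `decide` are constructed for illustration.

```python
"""Dead-rule and first-match checker for a subset of IPFilter (ipf.conf) syntax.

IPF walks the ruleset top to bottom and the *last* matching rule wins, unless
a matching rule carries ``quick``, which ends the walk immediately.  A rule is
therefore unreachable when an earlier ``quick`` rule already matches every
packet it could match.  Constructed input: the ruleset quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Todd's ruleset, as quoted in the thread (comments stripped).
TODD_RULES = """
block in quick on ppp0 all
block in log quick on ppp0 from 192.168.0.0/16 to any
block in log quick on ppp0 from 172.16.0.0/12 to any
block in log quick on ppp0 from 10.0.0.0/8 to any
block in log quick on ppp0 from 127.0.0.0/8 to any
pass out quick on ppp0 proto tcp/udp all keep state
pass out quick on ppp0 proto udp all keep state
pass out quick on ppp0 proto icmp all keep state
pass out quick on ppp0 proto igmp all
block out log quick all
"""


@dataclass
class Rule:
    text: str
    action: str                     # "block" or "pass"
    direction: str                  # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None     # None: no "on IFACE", so every interface
    protos: frozenset = frozenset({"any"})
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY


def parse_rule(line: str) -> Rule:
    """Parse one rule, keeping only the fields that decide which packets it
    can match.  log, keep state, flags and icmp-type are accepted and ignored,
    so a rule narrowed by flags/icmp-type is treated as broader than it is:
    the shadowing report is exact only for rulesets without those keywords."""
    toks = line.split("#", 1)[0].split()
    i = 1
    if toks[i].startswith("return-"):        # return-rst / return-icmp(host-unr)
        i += 1
    r = Rule(text=line.strip(), action=toks[0], direction=toks[i])
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r.quick = True
        elif t == "on":
            i += 1; r.iface = toks[i]
        elif t == "proto":
            i += 1; r.protos = frozenset(toks[i].split("/"))   # "tcp/udp" is one token
        elif t == "from":
            i += 1; r.src = ANY if toks[i] == "any" else ipaddress.ip_network(toks[i])
        elif t == "to":
            i += 1; r.dst = ANY if toks[i] == "any" else ipaddress.ip_network(toks[i])
        i += 1                                # "all", "log", "keep", "state", ... skipped
    return r


def parse_ruleset(text: str) -> List[Rule]:
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def covers(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` is quick and matches every packet `later` could match,
    i.e. `later` can never be reached."""
    if not earlier.quick or earlier.direction != later.direction:
        return False
    if earlier.iface is not None and earlier.iface != later.iface:
        return False
    if "any" not in earlier.protos and not later.protos <= earlier.protos:
        return False
    return later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(index of dead rule, index of the quick rule that shadows it), 0-based."""
    dead = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                dead.append((j, i))
                break
    return dead


def matches(r: Rule, direction: str, iface: str, proto: str, src: str, dst: str) -> bool:
    return (r.direction == direction
            and (r.iface is None or r.iface == iface)
            and ("any" in r.protos or proto in r.protos)
            and ipaddress.ip_address(src) in r.src
            and ipaddress.ip_address(dst) in r.dst)


def decide(rules: List[Rule], direction: str, iface: str, proto: str,
           src: str, dst: str) -> Tuple[str, Optional[int]]:
    """IPF semantics: last match wins, a matching quick rule stops the walk.
    With no match at all IPF passes the packet (unless the kernel was built
    with IPFILTER_DEFAULT_BLOCK).  State-table hits, which bypass the rules
    for replies to "keep state" traffic, are not modelled here."""
    result: Tuple[str, Optional[int]] = ("pass", None)
    for idx, r in enumerate(rules):
        if matches(r, direction, iface, proto, src, dst):
            result = (r.action, idx)
            if r.quick:
                break
    return result


if __name__ == "__main__":
    rules = parse_ruleset(TODD_RULES)
    for j, i in shadowed_rules(rules):
        print(f"rule {j} is unreachable (shadowed by rule {i}): {rules[j].text}")
    print(decide(rules, "in", "ppp0", "udp", "10.1.2.3", "203.0.113.7"))
    print(decide(rules, "out", "lo0", "tcp", "127.0.0.1", "127.0.0.1"))
```

Run against Todd's rules the checker reports rules 1 to 4 (the anti-spoofing lines) as shadowed by rule 0 and rule 6 (`proto udp`) as shadowed by rule 5 (`proto tcp/udp`), which is exactly David's point; the practical consequence is that the `log` keyword on the anti-spoofing rules never produces a log entry, because rule 0 has already dropped the packet silently. The `decide` calls show two more things worth knowing: an inbound packet with a 10/8 source is blocked by rule 0, not by the logging rule, and an outbound packet on lo0 is blocked by the last rule, since `block out log quick all` carries no `on` clause and therefore applies to every interface, loopback and LAN included; David's version restricts it with `on ppp0`.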