Subject: Re: ipf.conf rulesets for outside firewall.
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: None <mcmahill@mtl.mit.edu>
List: port-i386
Date: 01/06/2000 08:57:26
On Thu, 6 Jan 2000, Alicia da Conceicao wrote:
> Rene Hexel wrote:
> > Basically, what you do is block everything and then let through the
> > services you want (the following example uses groups to make things more
> > readable):
> > block in log on fxp1 all head 100
> > block in log proto tcp all flags S/SA head 101 group 100
> > block in log proto udp all head 102 group 100
> > pass in quick proto tcp from any to any port = 22 keep state group 101
> > pass in quick proto udp from any to any port = 22 keep state group 102
> > pass in quick proto udp from any to any port = 53 keep state group 102
>
> Hi Rene:
>
> Thank you for your quick response. Although the above rulesets do the
> trick and restrict access from the outside, these rules unfortunately
> do not allow the internal LAN or the firewall server itself to access
> the outside Internet. When logged into the firewall, I cannot ping the
> outside, or make tcp socket connections either.
>
> Any ideas on what changes need to be made to the above rules so that they
> can allow the firewall to access the outside Internet, while restricting
> the outside from coming in?
>
> Thanks in advance. Sincerely, Alicia.
Assuming fxp1 is the external Internet interface:
# keep state on tcp/udp and icmp connections so we can allow
# incoming packets which are in response to ones we sent out
pass out quick on fxp1 proto tcp/udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# allow PING
pass in quick on fxp1 proto icmp from any to any icmp-type 8
# allow TRACEROUTE
pass in quick on fxp1 proto icmp from any to any icmp-type 11
-Dan
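A small Python model of the ipf behaviour this thread turns on (the last matching rule wins unless it says quick, and keep state lets reply packets bypass the rule list), added here as an illustration and not part of the original thread or of IPFilter. It flattens Rene's head/group structure, covers only tcp/udp, and uses constructed addresses (192.0.2.1 for the firewall, 198.51.100.7 and 203.0.113.9 for outside hosts).

```python
from collections import namedtuple
# Packet as seen on the external interface; direction is "in" or "out".
Packet = namedtuple("Packet", "direction proto src sport dst dport")
# proto/dport None stand for "all"/"any"; quick stops evaluation at a match.
Rule = namedtuple("Rule", "action direction proto dport quick keep_state",
                  defaults=(None, None, False, False))

def matches(r, p):
    return (r.direction == p.direction and r.proto in (None, p.proto)
            and r.dport in (None, p.dport))

def flow(p):  # one key for both directions so replies match the state entry
    return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Filter:
    def __init__(self, rules):
        self.rules, self.state = rules, set()

    def decide(self, p):
        if flow(p) in self.state:        # state table is consulted before rules
            return "pass"
        winner = None                    # last matching rule wins ...
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick:              # ... unless that rule is "quick"
                    break
        if winner is None:
            return "pass"                # ipf passes packets no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(flow(p))      # remember the flow for its replies
        return winner.action

# Rene's inbound rules, flattened (head/group only affect readability here).
RENE = [Rule("block", "in"),                        # block in log on fxp1 all head 100
        Rule("block", "in", "tcp"),                 # block in log proto tcp all ...
        Rule("pass", "in", "tcp", 22, True, True)]  # pass in quick ... port = 22 keep state
# Dan's addition: state on outbound tcp/udp so replies are let back in.
DAN = [Rule("pass", "out", "tcp", None, True, True),
       Rule("pass", "out", "udp", None, True, True)]

def verdicts(rules):
    """Firewall 192.0.2.1 opens TCP/80 to 198.51.100.7, then 203.0.113.9 tries
    to open SSH and telnet to the firewall (all addresses constructed)."""
    fw = Filter(rules)
    return {
        "syn out":    fw.decide(Packet("out", "tcp", "192.0.2.1", 40000, "198.51.100.7", 80)),
        "syn/ack in": fw.decide(Packet("in", "tcp", "198.51.100.7", 80, "192.0.2.1", 40000)),
        "ssh in":     fw.decide(Packet("in", "tcp", "203.0.113.9", 5555, "192.0.2.1", 22)),
        "telnet in":  fw.decide(Packet("in", "tcp", "203.0.113.9", 5556, "192.0.2.1", 23)),
    }
```

With RENE alone the outgoing SYN leaves but the SYN/ACK is blocked by "block in all", which is exactly the symptom Alicia describes; with DAN + RENE the outbound rule creates state and the reply passes, while unsolicited telnet stays blocked.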