>From: David Forrai <d.forrai@ieee.org>
>CC: port-i386@netbsd.org
>Subject: Re: IPFiler ( ipf ) for dial-up and LAN
>Date: Fri, 12 Apr 2002 22:10:49 -0400
>#  Let all from the LAN traffic out to the Internet.
>#  This makes us a completely open Internet client.
>#
>pass out quick on ppp0 proto tcp from any to any keep state
>pass out quick on ppp0 proto udp from any to any keep state
>pass out quick on ppp0 proto icmp from any to any keep state
>

thanks i realy need that :)
i have made some reading on ipf and as the previos email that from david i 
have mix up the firewall with some example that i found but don't have the 
change to test because i have some troble with the hard disk on my netbsd 
box so here is the final result of my firewall is anyone here have some 
extra time to correct or test it is most greatfull!!

--- begin here ---

pass in quick on rtk0 all
pass out quick on rtk0 all

pass in quick on lo0 all
pass out quick on lo0 all

# Block traffic from reserved addresses on the Internet
#
#    192.168.0.0/16 (reserved for internal networks)
#    172.16.0.0/12 (reserved for internal networks)
#    10.0.0.0/8 (reserved for internal networks)
#    0.0.0.0/8 (used strangely by some stacks for routing)
#    127.0.0.0/8 (the localhost)
#    169.254.0.0/16 (IANA use)
#    192.0.2.0/24 (netblock for documentation authors)
#    204.152.64.0/23 (Sun Microsystems cluster interconnects)
#    224.0.0.0/3 (class D and E multicasts)
#
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 172.16.0.0/12 to any
block in quick on ppp0 from 10.0.0.0/8 to any
block in quick on ppp0 from 0.0.0.0/8 to any
block in quick on ppp0 from 127.0.0.0/8 to any
block in quick on ppp0 from 169.254.0.0/16 to any
block in quick on ppp0 from 192.0.2.0/24 to any
block in quick on ppp0 from 204.152.64.0/23 to any
block in quick on ppp0 from 224.0.0.0/3 to any
block out quick on ppp0 from 192.168.0.0/16 to any
block out quick on ppp0 from 172.16.0.0/12 to any
block out quick on ppp0 from 10.0.0.0/8 to any
block out quick on ppp0 from 0.0.0.0/8 to any
block out quick on ppp0 from 127.0.0.0/8 to any
block out quick on ppp0 from 169.254.0.0/16 to any
block out quick on ppp0 from 192.0.2.0/24 to any
block out quick on ppp0 from 204.152.64.0/23 to any
block out quick on ppp0 from 224.0.0.0/3 to any

#  Let all from the LAN traffic out to the Internet.
#  This makes us a completely open Internet client.
#
pass out quick on ppp0 proto tcp from any to any keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state

# allow in ICMP echos and echo-replies.
pass in on ppp0 proto icmp from any to any icmp-type echo
pass in on ppp0 proto icmp from any to any icmp-type echorep

# Services ( httpd,smtp,sshd,DNS )

pass in quick proto tcp from any to any port = smtp flags S keep state
pass in proto udp from any to any port = 53 keep state
pass in quick on ppp0 proto tcp from any to any port = 22
pass in quick on ppp0 proto tcp from any to any port = 80
pass out quick on ppp0 proto tcp from any port = 80 to any

# High Port
pass in quick on ppp0 proto tcp from any to any port 1023 >< 65535

#  Block all packets originating from the Internet
# Should we call it Port block ??

#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp (3) in proto udp from any to any port > 30000
block return-icmp (port-unr) in proto udp from any to any port > 30000

# block ident
block return-rst in quick on ppp0 proto tcp from any to any port = 113
block in on ext-interface proto tcp all


block in log quick on ppp0 proto tcp/udp from any to any port = 111

# prevent any packets destined for NFS from coming in
block in log quick on ppp0 proto tcp/udp from any to any port = 2049

# Syslog
block in log quick on ppp0 proto udp from any to any port = 514

block in log quick on ppp0 proto tcp/udp from any to any port = 23
block in log quick on ppp0 proto tcp from any to any port = 25

block return-rst in on ext-interface proto tcp all flags S
block in on rtk0 proto tcp from any to 192.168.1.0/24 flags S/SA

# block anything trying to get to X terminal ports, X:0 to X:9 and X font 
server

block in proto udp/tcp from any to any port 5999 >< 6010
block in proto udp/tcp from any to any port 7100 >< 7101

# NetBEUI/Samba
block in proto udp/tcp from any to any port 137 >< 139

# BSD print/r-services
# this will also protect syslog.
block in proto tcp/udp from any to any port 511 >< 516

# NetBUS ??
block in proto tcp/udp from any to any port 12345 >< 12346

# Back orifice
block in proto tcp/udp from any to any port 31337

block in log all with ipopts
block in proto tcp/udp all
block in on ppp0 all


-- end here --

should it have any extra rules or maybe a error on the rules ? pls do 
correct me if i'm wrong !!

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com