/etc/ipf.conf - ipfilter

Nicolas de Bari Embriz G. R. nbari at unixmexico.com
Fri Dec 19 16:16:44 PST 2003


Hi, this is what I use; hope this can give you an idea.

---
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
# block in log quick on fxp0 from 192.168.0.0/16 to any  #RFC 1918 private IP
block in log quick on fxp0 from 172.16.0.0/12 to any   #RFC 1918 private IP
block in log quick on fxp0 from 10.0.0.0/8 to any      #RFC 1918 private IP
block in log quick on fxp0 from 127.0.0.0/8 to any     #loopback
block in log quick on fxp0 from 0.0.0.0/8 to any       #"this" network (RFC 1122), never a valid source
block in log quick on fxp0 from 169.254.0.0/16 to any  #DHCP auto-config (link-local)
block in log quick on fxp0 from 192.0.2.0/24 to any    #reserved for docs (TEST-NET)
block in log quick on fxp0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on fxp0 from 224.0.0.0/3 to any         #Class D & E (multicast/reserved)

#---------------------------------------------
# pass ping from secure hosts to my host.
#---------------------------------------------
# 32.11.234.123 is my host; 23.122.12.243 and 200.57.40.53 are the trusted hosts.
# Outbound: echo reply (0), destination unreachable (3) and
# (the now-deprecated) type 1 only towards the trusted hosts.
# Inbound: echo request (8) only from the trusted hosts.
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 0
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 0

pass in quick on fxp0 proto icmp from 23.122.12.243/32 to 32.11.234.123/32 icmp-type 8
pass in quick on fxp0 proto icmp from 200.57.40.53/32 to 32.11.234.123/32 icmp-type 8

pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 3
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 3

pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 1
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 200.57.40.53/32 icmp-type 1

#------------
# block pings
#------------
# Everything not matched by the "quick" passes above is dropped here:
# no echo replies, unreachables or information replies leave the box,
# and nobody else may ping it.
block out quick on fxp0 proto icmp all icmp-type 0
block in quick on fxp0 proto icmp all icmp-type 8
block out quick on fxp0 proto icmp all icmp-type 3
block out quick on fxp0 proto icmp all icmp-type 16

#-------------------
# block Null scans
#-------------------
block in log quick on fxp0 proto tcp all flags /      #no TCP flags set (Null scan)
block in log quick on fxp0 proto tcp all flags FUP    #FIN+URG+PSH (Xmas scan)
block in log quick on fxp0 all with ipopts            #IP options (e.g. source routing)

#------------
# Pass all
#------------
# No "quick" here, so these only decide packets that none of the rules above
# matched (IPFilter is last-match-wins unless a matching rule says quick).
pass in from any to any
pass out from any to any
---
and in /etc/sysctl.conf I have this:

net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1



On Fri, 2003-12-19 at 15:17, Arie J. Gerszt wrote:
> hi,
> 
> I was just about to configure and fine-tune my /etc/ipf.conf and wondered
> what kind of settings you use on your servers.
> 
> is anybody interested in exchanging about this topic?
> 
> 
> thanks,
> arie
> 
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
> 
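The ruleset above only works because of how IPFilter evaluates rules: every rule in the list is tried in order, the last rule that matches decides the packet, unless a matching rule carries "quick", in which case evaluation stops there. That is what lets the trailing "pass in from any to any" coexist with the bogon and ICMP blocks. The following is an added example, not code from the post or from IPFilter itself: a small Python simulator of that matching model, fed with a constructed subset of the rules above (the "flags" and "with ipopts" rules are deliberately not modelled) and a few constructed packets. The addresses are the ones from the post; 198.51.100.9 is an assumed "stranger" address. The `strip_quick` helper shows what the same rules would do with every "quick" removed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed subset of the rules from the post (comments dropped;
# the 'flags' and 'with ipopts' rules are not modelled here).
RULESET = """
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
pass out quick on fxp0 proto icmp from 32.11.234.123/32 to 23.122.12.243/32 icmp-type 0
pass in quick on fxp0 proto icmp from 23.122.12.243/32 to 32.11.234.123/32 icmp-type 8
block out quick on fxp0 proto icmp all icmp-type 0
block in quick on fxp0 proto icmp all icmp-type 8
pass in from any to any
pass out from any to any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool = False              # stop evaluating once this rule matches
    log: bool = False
    iface: Optional[str] = None      # None: any interface
    proto: Optional[str] = None      # None: any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    icmp_type: Optional[int] = None
    text: str = ""

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None

def _net(word: str) -> ipaddress.IPv4Network:
    return ANY if word == "any" else ipaddress.ip_network(word, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse the small ipf.conf subset used in RULESET."""
    tok = line.split()
    r = Rule(action=tok[0], direction=tok[1], text=line)
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            r.quick = True
        elif t == "log":
            r.log = True
        elif t == "all":
            pass                                  # shorthand for "from any to any"
        elif t in ("on", "proto", "from", "to", "icmp-type"):
            i += 1                                # keyword takes one argument
            if t == "on":
                r.iface = tok[i]
            elif t == "proto":
                r.proto = tok[i]
            elif t == "from":
                r.src = _net(tok[i])
            elif t == "to":
                r.dst = _net(tok[i])
            else:
                r.icmp_type = int(tok[i])
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule: {line}")
        i += 1
    return r

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and r.iface in (None, p.iface)
            and r.proto in (None, p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.icmp_type is None or (p.proto == "icmp" and p.icmp_type == r.icmp_type)))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """IPFilter semantics: every rule is tried in order and the last match
    decides, except that a matching 'quick' rule decides immediately.
    With no match at all the packet is passed (IPFilter's default)."""
    verdict, deciding = "pass", None
    for r in rules:
        if matches(r, p):
            verdict, deciding = r.action, r.text
            if r.quick:
                break
    return verdict, deciding

def strip_quick(rules: List[Rule]) -> List[Rule]:
    """The same rules with every 'quick' removed, to show why it matters."""
    return [replace(r, quick=False) for r in rules]

RULES = parse_ruleset(RULESET)
ME, FRIEND, STRANGER = "32.11.234.123", "23.122.12.243", "198.51.100.9"  # STRANGER is assumed

# Constructed sample traffic.
SPOOFED = Packet("in", "fxp0", "tcp", "10.1.2.3", ME)            # RFC 1918 source from the wire
FRIEND_PING = Packet("in", "fxp0", "icmp", FRIEND, ME, icmp_type=8)
STRANGER_PING = Packet("in", "fxp0", "icmp", STRANGER, ME, icmp_type=8)
REPLY_OUT = Packet("out", "fxp0", "icmp", ME, STRANGER, icmp_type=0)
WEB_IN = Packet("in", "fxp0", "tcp", STRANGER, ME)

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("friend ping", FRIEND_PING),
                      ("stranger ping", STRANGER_PING), ("echo reply out", REPLY_OUT),
                      ("tcp in", WEB_IN)]:
        print(f"{name:15} -> {evaluate(RULES, pkt)}")
    print("spoofed, no quick ->", evaluate(strip_quick(RULES), SPOOFED))
```

Run as-is it prints the deciding rule for each packet; the last line is the one to look at: with "quick" removed from the bogon rule, the spoofed 10.0.0.0/8 packet is still matched by the block, but the trailing "pass in from any to any" matches afterwards and, being the last match, wins. That is why every block in a ruleset that ends with a catch-all pass must say "quick".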