IPF ruleset

Ilya Ayzenshtok ilyaa11 at hotpop.com
Mon Apr 14 17:34:15 PDT 2003


Hello,

Would you please look at the following rule-set and let me know what
things should be added / removed from there? Any comments are welcome.
Thank you.

# this is an IPF ruleset for a LAN gateway
# Internet <--> [pppoe0 (OS) sip0] <--> LAN
# setting up a policy to allow all the normal client activities on the Internet,
# but to restrict the incoming traffic only to the responses to clients' sessions

# start with a block all policy
block in all

# dsl  - default block all
# LAN  - default pass all
block in log on pppoe0 all
block out log on pppoe0 all
pass in log on sip0 all
pass out log on sip0 all

# block address spoofing on the dsl interface
block in quick on pppoe0 from 127.0.0.1/8 to any
block in quick on pppoe0 from 10.0.0.0/8 to any
block in quick on pppoe0 from 172.16.0.0/12 to any
block in quick on pppoe0 from 192.168.0.0/16 to any
block in quick on pppoe0 from 224.0.0.0/4 to any
block in quick on pppoe0 from 240.0.0.0/5 to any

# drop and log any IP packets with options set in them; drop source routing options
# this is done for external link only, as I might want to play with IP options on LAN
block in log quick on pppoe0 from any to any with ipopts
block in log quick on pppoe0 proto tcp from any to any with short
block in log quick on pppoe0 all with opt lsrr # is this redundant?
block in log quick on pppoe0 all with opt ssrr # is this redundant?

# restrict icmp to only internal interface from internal hosts
pass out quick on pppoe0 proto icmp from 10.0.0.0/16 to any keep state
block in quick on pppoe0 proto icmp from any to any

# block ssh through dsl – is this redundant?
block in log quick on pppoe0 proto tcp from any to any port = 22

# let all the traffic out of dsl link (should reconsider this)
# pass out quick proto tcp/udp from any to any keep state
# pass out quick proto icmp from any to any keep state

# allow all the normal services in through the dsl link

# send RST flag when contacted on identd port – resolved irc and smtp issues
block return-rst in quick proto tcp from any to any port = 113

# allow clients on LAN to send DNS queries, but accept only responses to those
pass out quick on pppoe0 proto tcp from any to any port = 53 flags S keep state
pass out quick on pppoe0 proto udp from any to any port = 53 keep state

# allow outgoing traffic for ftp, smtp, www, pop3, nntp, ntp, and ssl
# keep track of sessions and allow responses
pass out quick on pppoe0 proto tcp from any to any port = ftp flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = ftp-data flags S keep state
pass out quick on pppoe0 proto tcp from any port = ftp-data to any port > 1023 flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = smtp flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = 80 flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = 110 flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = 119 flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = 123 flags S keep state
pass out quick on pppoe0 proto tcp from any to any port = 443 flags S keep state


-- 
Best regards,
 Ilya                          mailto:ilyaa11 at hotpop.com
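The "is this redundant?" questions in the post can be answered mechanically from IPFilter's matching semantics: rules are walked top to bottom, the last matching rule decides, and a matching rule marked `quick` stops the walk; a packet that matches nothing is passed. The following evaluator is an added example written for this page, not code from the poster or from the ipf project. It parses an excerpt of the ruleset above (the parser is lenient about keyword order), evaluates constructed packets against it, and reports whether dropping a given rule would change any verdict. `keep state` is recorded but ignored, since the check is purely static, and the service-name table is a constructed stand-in for /etc/services.

```python
"""Static evaluator for a subset of IPFilter (ipf) rule syntax.

Models: direction, interface, proto, from/to with CIDR and port tests,
'with ipopts|short|opt X', 'flags', 'quick', and IPF's last-match-wins
ordering with quick short-circuit.  'keep state' is parsed but ignored.
"""
import ipaddress

# Constructed stand-in for /etc/services, covering names used in the post.
SERVICES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]


def parse_rule(line):
    """Parse one ipf rule into a dict; returns None for blank/comment lines."""
    toks = line.split("#")[0].split()
    if not toks:
        return None
    r = {"action": toks[0], "dir": None, "quick": False, "log": False,
         "return_rst": False, "iface": None, "proto": None,
         "src": ("any", None), "dst": ("any", None), "with": set(),
         "flags": None, "keep_state": False, "text": line.strip()}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "return-rst":
            r["return_rst"] = True; i += 1
        elif t in ("in", "out"):
            r["dir"] = t; i += 1
        elif t in ("log", "quick"):
            r[t] = True; i += 1
        elif t == "on":
            r["iface"] = toks[i + 1]; i += 2
        elif t == "proto":
            r["proto"] = toks[i + 1].split("/"); i += 2   # "tcp/udp" allowed
        elif t == "all":
            i += 1
        elif t in ("from", "to"):
            key = "src" if t == "from" else "dst"
            net, port, i = toks[i + 1], None, i + 2
            if i < len(toks) and toks[i] == "port":
                port = (toks[i + 1], _port(toks[i + 2])); i += 3
            r[key] = (net, port)
        elif t == "with":
            if toks[i + 1] == "opt":
                r["with"].add("opt " + toks[i + 2]); i += 3
            else:
                r["with"].add(toks[i + 1]); i += 2
        elif t == "flags":
            r["flags"] = toks[i + 1]; i += 2
        elif t == "keep":
            r["keep_state"] = True; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return r


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec is None:
        return True
    if port is None:
        return False
    op, val = spec
    return {"=": port == val, ">": port > val, "<": port < val}[op]


def matches(r, p):
    """True if packet dict p matches rule r (stateless comparison)."""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] not in r["proto"]:
        return False
    if not _addr_ok(r["src"][0], p["src"]) or not _port_ok(r["src"][1], p.get("sport")):
        return False
    if not _addr_ok(r["dst"][0], p["dst"]) or not _port_ok(r["dst"][1], p.get("dport")):
        return False
    if not r["with"] <= p.get("with", set()):        # rule options must all be present
        return False
    return not r["flags"] or p.get("flags") == r["flags"]


def verdict(rules, p):
    """(action, index of deciding rule); ipf passes packets matching no rule."""
    result = ("pass", None)
    for idx, r in enumerate(rules):
        if matches(r, p):
            result = (r["action"], idx)
            if r["quick"]:
                break
    return result


def is_redundant(rules, idx, packets):
    """True if removing rules[idx] changes no verdict for the given packets."""
    without = rules[:idx] + rules[idx + 1:]
    return all(verdict(rules, p)[0] == verdict(without, p)[0] for p in packets)


# Excerpt of the posted ruleset (indices in comments are positions in RULES).
RULES = [r for r in map(parse_rule, """
block in all
block in log on pppoe0 all
block out log on pppoe0 all
pass in log on sip0 all
pass out log on sip0 all
block in quick on pppoe0 from 10.0.0.0/8 to any
block in log quick on pppoe0 from any to any with ipopts
block in log quick on pppoe0 all with opt lsrr
block in log quick on pppoe0 all with opt ssrr
block in quick on pppoe0 proto icmp from any to any
block in quick on pppoe0 log proto tcp from any to any port = 22
block return-rst in quick proto tcp from any to any port = 113
pass out quick on pppoe0 proto tcp from any to any port = 53 flags S keep state
""".splitlines()) if r]

# Constructed test packets (documentation-range addresses).
SSH_SYN = {"dir": "in", "iface": "pppoe0", "proto": "tcp", "src": "203.0.113.5",
           "dst": "198.51.100.9", "sport": 40000, "dport": 22, "flags": "S"}
LSRR_PKT = dict(SSH_SYN, dport=80, **{"with": {"ipopts", "opt lsrr"}})
SPOOFED = dict(SSH_SYN, src="10.0.0.5", dport=80)
LAN_WEB = {"dir": "in", "iface": "sip0", "proto": "tcp", "src": "10.0.1.2",
           "dst": "198.51.100.9", "sport": 40000, "dport": 80, "flags": "S"}
DNS_OUT = {"dir": "out", "iface": "pppoe0", "proto": "tcp", "src": "198.51.100.9",
           "dst": "203.0.113.53", "sport": 50000, "dport": 53, "flags": "S"}

if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_SYN), ("lsrr", LSRR_PKT), ("spoof", SPOOFED),
                      ("lan", LAN_WEB), ("dns", DNS_OUT)]:
        print(name, verdict(RULES, pkt))
    print("ssh block redundant:", is_redundant(RULES, 10, [SSH_SYN]))
    print("lsrr block redundant:", is_redundant(RULES, 7, [LSRR_PKT]))
```

Run as-is, it shows the inbound SSH SYN being decided by the explicit port 22 rule, and that the verdict stays `block` (now decided by the `block in log on pppoe0 all` rule) when that rule is removed; likewise any packet carrying an LSRR option already carries IP options, so the earlier `quick ... with ipopts` rule decides before the `opt lsrr` rule is reached. The comparison is on the pass/block verdict only; it does not account for which rule logs the packet or for the `return-rst` behaviour on port 113.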