Blocking RIP requests on firewall

Darryl Hoar darryl at osborne-ind.com
Wed Aug 13 07:51:37 PDT 2003


Greetings,
I have a FreeBSD 4.7S machine that is running
IPFilter and is configured as a firewall.

My external interface is xl0.

I put block in quick on xl0 proto udp from 10.0.0.1 to any port = 520

reloaded the rules (by rebooting; I have it locked down).

It still generates log entries in my firewall_log file.

here is my ipf.rules file.



################################################################
# Outside Interface
################################################################
#---------------------------------------------------------------
# Allow out all TCP, UDP and ICMP traffic & keep state on it
# so that it's allowed back in.
#---------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all
#--------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only
#--------------------------------------------------------------
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
#-----------------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service isn't
#                         listening)
# - Block UDP with an ICMP Port Unreachable (make it appear as if it isn't
#                                            listening)
# - Block all remaining traffic the good 'ol fashioned way
#------------------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
block in log quick on xl0 all
##########################################################################
# Inside Interface
##########################################################################

#-------------------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#-------------------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#------------------------------------------------------------------------
# Allow in all TCP, UDP and ICMP traffic and keep state
#------------------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any flags S
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

########################################################################
# Loopback Interface
########################################################################

#----------------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#---------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

thanks in advance.

-Darryl
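Editor's note on the ruleset above, with an added example that is not part of Darryl's message. IPFilter evaluates rules top to bottom; the last matching rule wins unless a matching rule carries `quick`, which stops evaluation at that rule. In the posted inbound xl0 section the unlogged `block in quick ... port = 520` rule sits after `block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any`, which is also `quick` and also matches a UDP datagram to port 520, so the RIP packet is decided (and logged) there and the port 520 rule is never reached. The script below is a simplified model of that first-match behaviour written for this page (the `Rule`/`Packet` types, the parser and the "reordered" ruleset are assumptions made here, not IPFilter's own code); it runs the posted rules and the same rules with the port 520 rule moved ahead of the logging catch-all against a constructed RIP datagram from 10.0.0.1.

```python
"""Simplified model of IPFilter first-match rule evaluation. Added example,
not code from the original post; the parser and Packet type are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Inbound xl0 rules copied from the posted ipf.rules, in the posted order.
POSTED_IN_RULES = """
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
block in log quick on xl0 all
"""

# Same rules with the unlogged port 520 rule moved ahead of the logging UDP
# catch-all (an ordering assumed here for comparison, not from the post).
REORDERED_IN_RULES = """
pass in quick on xl0 proto udp from 10.0.0.1/32 to any port = 68 keep state
block in quick on xl0 proto udp from 10.0.0.1 to any port = 520
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all
"""

@dataclass
class Rule:
    action: str                  # pass / block
    direction: str               # in / out
    iface: str
    text: str
    log: bool = False
    quick: bool = False
    proto: Optional[str] = None  # None = any protocol
    src: str = "any"             # "any" or address[/prefix]
    dst: str = "any"
    dport: Optional[int] = None  # None = any destination port

# A constructed packet: only the fields this model compares.
Packet = namedtuple("Packet", "iface direction proto src dst dport")

def parse_rule(line):
    """Parse the ipf subset used above; 'return-*' and 'keep state' are
    recognised but ignored (the model sends no replies and keeps no state)."""
    t = line.split()
    r = Rule(action=t[0], direction="", iface="", text=line)
    i = 2 if t[1].startswith("return-") else 1
    r.direction, i = t[i], i + 1
    while t[i] in ("log", "quick"):
        setattr(r, t[i], True)
        i += 1
    r.iface, i = t[i + 1], i + 2                   # 'on IFACE'
    if t[i] == "all":                              # any proto / src / dst
        return r
    if t[i] == "proto":
        r.proto, i = t[i + 1], i + 2
    r.src, r.dst, i = t[i + 1], t[i + 3], i + 4    # 'from SRC to DST'
    if i < len(t) and t[i] == "port":              # 'port = N'
        r.dport = int(t[i + 2])
    return r

def addr_matches(spec, addr):
    if spec == "any":
        return True
    # A bare address without /prefix is a /32, as in ipf.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))

def evaluate(rules, p):
    """ipf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at that rule."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:
                break
    return winner

def decide(ruleset, p):
    """(action, logged, rule text) of the rule that decides packet p.
    With no matching rule ipf's default is to pass."""
    r = evaluate([parse_rule(l) for l in ruleset.strip().splitlines()], p)
    return (r.action, r.log, r.text) if r else ("pass", False, "<no match>")

if __name__ == "__main__":
    # Constructed sample: a RIP datagram from the ISP router arriving on xl0.
    rip = Packet("xl0", "in", "udp", "10.0.0.1", "10.0.0.2", 520)
    for name, rs in (("posted", POSTED_IN_RULES), ("reordered", REORDERED_IN_RULES)):
        print(name, decide(rs, rip))
```

With the posted order the RIP datagram is decided by the logging `port-unr` rule; with the port 520 rule moved above it, the same datagram is still blocked but by the unlogged rule. The model ignores state table lookups and the `return-*` replies, so on a real IPFilter host confirm the loaded order with `ipfstat -io` and reload without a reboot using `ipf -Fa -f /etc/ipf.rules`.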



More information about the freebsd-questions mailing list