I've attempted to make the ruleset as tight as possible while still being understood by those other than myself. Any comments or tips would be greatly welcomed.
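# pf.conf -- NAT gateway: xl0 faces the ISP (address assigned by DHCP),
# sis0 faces the 192.168.1.0/24 LAN.  Default policy is "block in" on both
# interfaces; everything else is opened explicitly further down.
# pf evaluates rules last-match-wins unless a rule says "quick".

# Macros
ExtIF="xl0"                 # external interface (DHCP client)
IntIF="sis0"                # internal interface (dhcpd serves this side)
Services="{ 22, 25, 80 }"   # TCP services the gateway itself accepts
# Ranges that must never be a source arriving on, or a destination leaving,
# the external interface (RFC 1918, link-local, loopback, multicast, the
# all-ones broadcast, plus 204.152.64.0/23).
NoRouteIPs="{ 0.0.0.0/32, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
DnsServers="{ 24.93.35.62, 24.93.35.63, 24.93.35.33, 207.207.0.3 }"
IntNet="192.168.1.0/24"
IntIP="192.168.1.1"

# Options
set loginterface $ExtIF        # packet/byte counters for "pfctl -s info"
set optimization aggressive    # expire idle states quickly
set timeout { tcp.established 86400, tcp.closing 6, tcp.opening 6, tcp.closed 10 }

# Normalization: reassemble fragments and drop malformed packets
scrub in all

# NAT.  "($ExtIF)" makes pf re-read the interface address whenever DHCP
# renews it, so the translation does not go stale after a lease change.
nat on $ExtIF from $IntNet to any -> ($ExtIF)
#rdr on $ExtIF proto tcp from any to any port 113 -> 192.168.1.100 port 113
#rdr on $ExtIF proto tcp from any to any port 81 -> 192.168.1.100 port 80

# Loopback first: the antispoof rule below expands to a quick block of
# packets sourced from the gateway's own addresses on any interface, which
# would otherwise also catch the host talking to itself over lo0.
pass quick on lo0 all

# Anti-spoofing for both interfaces
antispoof log quick for { $IntIF, $ExtIF } inet

# Noise we do not want in the log: broadcasts, gnutella, ICQ
block in quick on $ExtIF from any to 255.255.255.255
block in quick on $ExtIF inet proto tcp from any to any port { 6346, 6347 }
block in quick on $ExtIF inet proto tcp from any port { 6346, 6347 } to any
block in quick on $ExtIF inet proto udp from any port 4000 to any
block in quick on $ExtIF inet proto udp from any to any port 4000

# Packets whose source address has no route back: drop and log
block in log quick from no-route to any

# Bogon / spoof protection on the external interface, both directions
block in log quick on $ExtIF inet from $NoRouteIPs to any
block out log quick on $ExtIF inet from any to $NoRouteIPs

# Default policy: deny and log all inbound traffic on both interfaces.
# NOTE: there is no default "block out"; outbound traffic that matches no
# pass rule below is still allowed by pf's implicit pass.
block in log on $ExtIF all
block in log on $IntIF all

# Late DNS replies whose state already expired: still blocked, but without
# logging (last matching rule wins, overriding the logging block above).
block in on $ExtIF inet proto udp from $DnsServers port 53 to any

# Services the gateway itself offers.  No interface is given, so these ports
# are reachable from the Internet and the LAN alike; only SYNs create state.
pass in inet proto tcp from any to any port $Services flags S/SA modulate state

# DHCP requests from LAN clients to dhcpd
pass in on $IntIF inet proto udp from any port 68 to any port 67

# Echo requests from LAN hosts
pass in on $IntIF inet proto icmp all icmp-type 8 code 0 keep state

# Locally generated traffic onto the LAN from processes owned by group wheel.
# NOTE: "group wheel" only narrows these pass rules; with no matching
# "block out on $IntIF" above, other groups are not actually denied.
pass out on $IntIF inet proto tcp all group wheel modulate state
pass out on $IntIF inet proto udp all group wheel keep state
pass out on $IntIF inet proto icmp all keep state

# LAN hosts may reach anything except the gateway address itself
# (the gateway's own services are covered by the $Services rule above)
pass in on $IntIF inet proto tcp from $IntNet to !$IntIP modulate state
pass in on $IntIF inet proto { udp, icmp } from $IntNet to !$IntIP keep state

# Everything leaving the external interface is allowed, with state so that
# replies get back in past the default "block in"
pass out on $ExtIF inet proto tcp all modulate state
pass out on $ExtIF inet proto { udp, icmp } all keep state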