
The administrator decides which rules to enable logging on. Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet.

PROTO: This optional value can be used to specify any protocol name or number found in /etc/protocols.

SRC: The from keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by any, me (any address configured on an interface on this system), me6 (any IPv6 address configured on an interface on this system), or table followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask.

SRC_PORT: An optional source port can be specified using the port number or name from /etc/services.

DST: The to keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination.

DST_PORT: An optional destination port can be specified using the port number or name from /etc/services.

OPTIONS: Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include in or out, which specify the direction of packet flow, icmptypes followed by the type of ICMP message, and keep-state.

# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/nf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

$cmd 00250 allow icmp from any to any out via $pif keep-state

$cmd 00260 allow udp from any to any 123 out via $pif keep-state

$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif        #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif       #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif         #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif    #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif      #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif   #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif       #Class D & E multicast

$cmd 00310 deny icmp from any to any in via $pif

$cmd 00315 deny tcp from any to any 113 in via $pif

$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
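As an added example that is not part of the original page or of ipfw itself, this Python script parses rule bodies in the NUMBER ACTION [log] PROTO from SRC [SRC_PORT] to DST [DST_PORT] OPTIONS form described above and audits a constructed subset of the sample ruleset for allow rules that lack the keep-state or limit options the ruleset relies on. Rule 00281 is a constructed, deliberately weakened rule, and only numeric ports are recognised (an assumption; ipfw also accepts names from /etc/services).

```python
# Constructed subset of the ruleset above ("$cmd" prefix dropped, "$pif" kept
# literal) plus one deliberately weakened rule, 00281, to exercise the audit.
SAMPLE_RULES = """\
00200 allow tcp from any to any 80 out via $pif setup keep-state
00260 allow udp from any to any 123 out via $pif keep-state
00281 allow tcp from any to any 23 out via $pif setup
00299 deny log all from any to any out via $pif
00302 deny all from 10.0.0.0/8 to any in via $pif
00332 deny tcp from any to any established in via $pif
00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
"""

def parse_rule(line: str) -> dict:
    """NUMBER ACTION [log] PROTO from SRC [SRC_PORT] to DST [DST_PORT] OPTIONS..."""
    tok = line.split()
    r = {"number": int(tok[0]), "action": tok[1], "log": tok[2] == "log"}
    i = 3 if r["log"] else 2
    r["proto"], i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(f"rule {r['number']}: expected 'from' after PROTO")
    r["src"], i = tok[i + 1], i + 2
    # An optional SRC_PORT sits between SRC and the 'to' keyword.
    r["src_port"] = None
    if tok[i] != "to":
        r["src_port"], i = tok[i], i + 1
    if tok[i] != "to":
        raise ValueError(f"rule {r['number']}: expected 'to' after SRC")
    r["dst"], i = tok[i + 1], i + 2
    # Numeric DST_PORT only; names from /etc/services are not resolved (assumption).
    r["dst_port"] = None
    if i < len(tok) and tok[i].isdigit():
        r["dst_port"], i = tok[i], i + 1
    r["options"] = tok[i:]
    return r

def audit(text: str) -> list[str]:
    """Flag allow rules that depart from the ruleset's stateful pattern."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        if r["action"] != "allow":
            continue
        if "out" in r["options"] and "keep-state" not in r["options"]:
            findings.append(f"{r['number']:05d}: outbound allow without keep-state")
        if "in" in r["options"] and "setup" in r["options"] and "limit" not in r["options"]:
            findings.append(f"{r['number']:05d}: inbound setup allow without limit")
    return findings
```

Running audit(SAMPLE_RULES) reports only rule 00281, since every other allow rule carries keep-state on the way out or a limit on the way in.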
