23 Implementation (filtering rules for a kernel-based packet screen)

This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

Here, our organization is using the private (RFC 1918) network
192.168.1.0/24 (a Class C-sized block) internally. Our ISP has assigned us
the address 201.123.102.32 for our gateway's external interface and
201.123.102.33 for our external mail server. Organizational policy says:

* Allow all outgoing TCP connections
* Allow incoming SMTP and DNS to external mail server
* Block all other traffic

The following block of commands can be placed in a system boot file (for
example rc.local; ipfwadm is the Linux 2.0 packet-filter tool, superseded by
ipchains in Linux 2.2 and iptables in 2.4). Run it before IP forwarding is
enabled on the gateway, otherwise the box forwards everything until the
flush and the deny policy take effect.

      ipfwadm -F -f
      ipfwadm -F -p deny
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
      /sbin/route add -host 201.123.102.33 gw 192.168.1.2
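As an added example (not part of the Firewalls FAQ), the following Python
script parses the six ipfwadm forwarding-chain lines above into an ordered
rule list and evaluates constructed packets against them, so you can check
offline what the policy actually admits: rule order, the effect of -b, the
1024:65535 source-port restriction and the default deny. A matching
masquerade rule is simply treated as "forward"; the NAT rewrite, the route
command and the kernel's separate handling of replies to masqueraded
connections are not modelled. The outside hosts 203.0.113.5 and
198.51.100.1 are constructed documentation addresses.

```python
"""Simulate the ipfwadm forwarding chain from the Firewalls FAQ example.

Added example: parses the page's ipfwadm commands and evaluates constructed
packets against the resulting chain (first match wins, else default policy).
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The forwarding rules exactly as written on the page (route command omitted,
# it is not a filter rule).
RULESET = """
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
"""

POLICIES = ("accept", "deny", "reject", "masquerade")


def expand_policy(token: str) -> str:
    """ipfwadm accepts unambiguous prefixes, so 'm' means 'masquerade'."""
    hits = [p for p in POLICIES if p.startswith(token)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous policy {token!r}")
    return hits[0]


def parse_ports(tokens: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Consume an optional port or lo:hi range that follows an address token."""
    if i < len(tokens) and tokens[i][0].isdigit():
        lo, _, hi = tokens[i].partition(":")
        return (int(lo), int(hi or lo)), i + 1
    return None, i


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    policy: str
    bidirectional: bool
    proto: Optional[str]                 # None matches any protocol
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]

    def _one_way(self, proto, src, sport, dst, dport) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src or ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.sports and not self.sports[0] <= sport <= self.sports[1]:
            return False
        if self.dports and not self.dports[0] <= dport <= self.dports[1]:
            return False
        return True

    def matches(self, p: Packet) -> bool:
        if self._one_way(p.proto, p.src, p.sport, p.dst, p.dport):
            return True
        # -b: the rule also matches with source and destination swapped
        return self.bidirectional and self._one_way(p.proto, p.dst, p.dport, p.src, p.sport)


class ForwardChain:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.default = "accept"   # assumed initial policy; the page sets -p deny explicitly

    def load(self, script: str) -> None:
        for line in script.strip().splitlines():
            tokens = shlex.split(line)
            if tokens[:2] != ["ipfwadm", "-F"]:
                raise ValueError(f"only forwarding-chain commands are handled: {line}")
            self._apply(tokens[2:])

    def _apply(self, t: List[str]) -> None:
        anywhere = ipaddress.ip_network("0.0.0.0/0")
        rule = Rule("accept", False, None, anywhere, None, anywhere, None)
        insert_at_head: Optional[bool] = None
        i = 0
        while i < len(t):
            tok = t[i]
            if tok == "-f":                       # flush the chain
                self.rules.clear(); i += 1
            elif tok == "-p":                     # default policy
                self.default = expand_policy(t[i + 1]); i += 2
            elif tok in ("-i", "-a"):             # insert at head / append at tail
                insert_at_head = tok == "-i"
                rule.policy = expand_policy(t[i + 1]); i += 2
            elif tok == "-b":
                rule.bidirectional = True; i += 1
            elif tok == "-P":
                rule.proto = t[i + 1].lower(); i += 2
            elif tok in ("-S", "-D"):
                net = ipaddress.ip_network(t[i + 1], strict=False)
                ports, i = parse_ports(t, i + 2)
                if tok == "-S":
                    rule.src, rule.sports = net, ports
                else:
                    rule.dst, rule.dports = net, ports
            elif tok == "-W":                     # interface name: not modelled
                i += 2
            else:
                raise ValueError(f"unhandled ipfwadm option {tok!r}")
        if insert_at_head is True:
            self.rules.insert(0, rule)
        elif insert_at_head is False:
            self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        """First matching rule wins; otherwise the chain's default policy."""
        for r in self.rules:
            if r.matches(p):
                return r.policy
        return self.default


def demo() -> dict:
    chain = ForwardChain()
    chain.load(RULESET)
    mail = "201.123.102.33"
    cases = {   # constructed packets; 203.0.113.5 and 198.51.100.1 are outside hosts
        "smtp_in": Packet("tcp", "203.0.113.5", 40000, mail, 25),
        "smtp_reply": Packet("tcp", mail, 25, "203.0.113.5", 40000),
        "http_in": Packet("tcp", "203.0.113.5", 40000, mail, 80),
        "smtp_from_low_port": Packet("tcp", "203.0.113.5", 80, mail, 25),
        "dns_from_port_53": Packet("udp", "203.0.113.5", 53, mail, 53),
        "lan_tcp_out": Packet("tcp", "192.168.1.7", 5000, "198.51.100.1", 443),
        "lan_udp_out": Packet("udp", "192.168.1.7", 5000, "198.51.100.1", 123),
        "lan_inbound": Packet("tcp", "198.51.100.1", 443, "192.168.1.7", 5000),
    }
    return {name: chain.verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:20s} {v}")
```

Two results are worth noticing. A remote DNS server that sends its queries
from source port 53, as some older resolvers do, never matches rule five and
is dropped by the default policy. And because rule six carries no -P, UDP
from the internal network leaves as freely as TCP, which is broader than the
stated policy of "all outgoing TCP connections"; a stateless screen like this
also cannot tell a reply from a new connection, which is why the source-port
range does so much of the work.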

 
