Hi, I have done my rules with IPFILTER v3.4.35 on FreeBSD 4.11-RELEASE. These rules are only meant to let the users:
-- no servers on any client
-- check mail
-- surf the web
-- access FTP servers
-- and for the firewall to get updates over cvs servers

Private IP: 192.168.0.1 --- default router
Clients: 192.168.0.2/3/4 FreeBSD/Win2k/WinXP

/etc/ipf.rules
# Group 1: everything arriving on the dialup interface tun0
block in on tun0 all head 1
# Anti-spoofing: packets claiming a private, reserved or multicast source never legitimately arrive from the Internet
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 172.16.0.0/12 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 127.0.0.0/8 to any group 1
block in quick on tun0 from 0.0.0.0/8 to any group 1
block in quick on tun0 from 169.254.0.0/16 to any group 1
block in quick on tun0 from 192.0.2.0/24 to any group 1
block in quick on tun0 from 204.152.64.0/23 to any group 1
block in quick on tun0 from 224.0.0.0/3 to any group 1
# The LAN itself and its network/broadcast addresses (already inside 192.168.0.0/16, kept explicit)
block in quick on tun0 from 192.168.0.0/24 to any group 1
block in quick on tun0 from 192.168.0.0/32 to any group 1
block in quick on tun0 from 192.168.0.255/32 to any group 1
# Fragments, truncated TCP headers, source routing, bogus flag combinations and IP options
block in quick on tun0 all with frags group 1
block in quick on tun0 proto tcp all with short group 1
block in quick on tun0 all with opt lsrr group 1
block in quick on tun0 all with opt ssrr group 1
block in quick on tun0 proto tcp from any to any flags FUP group 1
block in quick on tun0 all with ipopts group 1
# Do not answer pings from the Internet
block in quick on tun0 proto icmp all icmp-type 8 group 1
# Noisy ports dropped silently so they do not fill the log: ident, MS RPC/NetBIOS/SMB, IKE, RPC over HTTP
block in quick on tun0 proto tcp from any to any port = 113 group 1
block in quick on tun0 proto tcp/udp from any to any port = 135 group 1
block in quick on tun0 proto tcp/udp from any to any port = 137 group 1
block in quick on tun0 proto tcp/udp from any to any port = 138 group 1
block in quick on tun0 proto tcp/udp from any to any port = 139 group 1
block in quick on tun0 proto tcp/udp from any to any port = 81 group 1
block in quick on tun0 proto tcp/udp from any to any port = 445 group 1
block in quick on tun0 proto tcp/udp from any to any port = 500 group 1
block in quick on tun0 proto tcp/udp from any to any port = 593 group 1
# Everything else inbound is blocked and logged
block in log first quick on tun0 group 1

# Group 2: everything leaving on tun0; only the listed client protocols, all stateful
block out on tun0 all head 2
# DNS, restricted to the two fixed resolvers
pass out quick on tun0 proto tcp from any to 200.38.10.1/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to 200.38.10.1/32 port = 53 keep state group 2
pass out quick on tun0 proto tcp from any to 200.23.249.1/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to 200.23.249.1/32 port = 53 keep state group 2
# HTTP, HTTPS, FTP control channel, telnet, cvsup (5999) and whois (43)
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 443 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 23 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 5999 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 43 flags S keep state group 2
# Outbound ping; the echo replies come back through the state entry
pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 2
block out log first quick on tun0 all group 2

block out on ed0 all head 3
pass out quick on ed0 all group 3

block in on ed0 all head 4
pass in quick on ed0 all group 4

block out on lo0 all head 5
pass out quick on lo0 all group 5

block in on lo0 all head 6
pass in quick on lo0 all group 6

block out on lp0 all head 7
pass out quick on lp0 all group 7

block in on lp0 all head 8
pass in quick on lp0 all group 8

block in quick all
block out quick all

/etc/ipnat.rules
# Translate everything leaving tun0 to the dialup address: the ftp proxy rewrites PORT
# commands, the portmap line keeps translated source ports in a fixed range
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap tcp/udp 20000:60000
map tun0 0/0 -> 0/32

   I will appreciate any comments. Only one question: supposing that I want to let eMule work, does the rdr in ipnat.rules go before map or after map? Or where does it go?

   Thanks all.
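Where the rdr line goes, as an added example that is not part of the original post. It assumes eMule runs on the Windows client 192.168.0.2 with its default ports, 4662/tcp and 4672/udp; change those to whatever the client is configured for. ipnat keeps map and rdr in two separate lists (map is only consulted for packets leaving tun0, rdr only for packets arriving on it), so their relative order in /etc/ipnat.rules does not matter; within each list the first match wins. What does matter is the filter: ipnat rewrites the destination of an inbound packet before ipf sees it, so group 1 needs a pass rule for the translated destination, placed before the final logging block rule.

```text
# /etc/ipnat.rules (added example; eMule host and ports are assumptions)
# rdr is matched only on inbound packets, map only on outbound ones; rdr first is
# just for readability.
rdr tun0 0/0 port 4662 -> 192.168.0.2 port 4662 tcp
rdr tun0 0/0 port 4672 -> 192.168.0.2 port 4672 udp
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap tcp/udp 20000:60000
map tun0 0/0 -> 0/32

# /etc/ipf.rules, inside group 1, before "block in log first quick on tun0 group 1".
# NAT has already rewritten the destination to 192.168.0.2 when the filter runs,
# so the pass rule names the internal address, not the tun0 address.
pass in quick on tun0 proto tcp from any to 192.168.0.2 port = 4662 flags S keep state group 1
pass in quick on tun0 proto udp from any to 192.168.0.2 port = 4672 keep state group 1
```

Load the NAT table first and the filter second (ipnat -CF -f /etc/ipnat.rules, then ipf -Fa -f /etc/ipf.rules), and check that the rdr entries show up in ipnat -l and that the two pass rules accumulate hits in ipfstat -hio once a peer connects. Note that this deliberately makes one LAN client reachable from the whole Internet on two ports, which is exactly the "no servers on any client" rule being relaxed; keep the rdr as narrow as it is here (one host, the two ports the client actually listens on) rather than redirecting a range.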
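Because ipf accepts a prefix such as 192.168.0.0/8 and silently applies the mask (the kernel then matches 192.0.0.0/8, which includes a great deal of public address space), the anti-spoofing block is worth checking mechanically before it is loaded. The following Python script is an added example, not part of the original post or of IPFilter. It parses a constructed excerpt written in the style of the ruleset above, deliberately including a 192.168.0.0/8 entry, with the standard ipaddress module, and reports masks that do not fit the address, entries that block routable space, exact duplicates and entries already covered by an earlier one. The bogon list is the one the ruleset uses, not a complete one.

```python
import ipaddress
import re

# Constructed sample in the style of the ruleset above. It deliberately contains
# "192.168.0.0/8": ipf accepts it, but the mask turns it into 192.0.0.0/8.
SAMPLE_RULES = """\
block in on tun0 all head 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 192.168.0.255/32 to any group 1
block in log first quick on tun0 group 1
"""

# Source ranges that should never appear on an Internet-facing interface.
# This is the list the ruleset uses, not an exhaustive bogon list.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]

SOURCE_RE = re.compile(r"\bfrom\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+to\b")


def parse_sources(rules):
    """Yield (line_no, prefix_text) for every 'block ... from A.B.C.D/N to ...' rule."""
    for n, line in enumerate(rules.splitlines(), 1):
        m = SOURCE_RE.search(line)
        if m and line.lstrip().startswith("block"):
            yield n, m.group(1)


def routable_remainder(prefix):
    """Return the parts of `prefix` (as strings) that lie outside NON_ROUTABLE.
    A non-empty result means the rule also blocks public address space."""
    pieces = [ipaddress.ip_network(prefix, strict=False)]
    for bogon in NON_ROUTABLE:
        remaining = []
        for p in pieces:
            if p.subnet_of(bogon):          # fully inside a bogon range: fine
                continue
            if bogon.subnet_of(p):          # bogon lies inside p: carve it out
                remaining.extend(p.address_exclude(bogon))
            else:                           # disjoint: keep as is
                remaining.append(p)
        pieces = remaining
    return [str(p) for p in sorted(pieces)]


def audit(rules):
    """Return a list of (line_no, prefix, kind, detail) findings."""
    findings = []
    seen = {}                               # normalised network -> first line
    for n, text in parse_sources(rules):
        net = ipaddress.ip_network(text, strict=False)
        if str(net) != text:
            findings.append((n, text, "misaligned",
                             f"host bits set under the mask; the kernel matches {net}"))
        public = routable_remainder(text)
        if public:
            findings.append((n, text, "routable",
                             "also blocks public space: " + ", ".join(public)))
        if net in seen:
            findings.append((n, text, "duplicate", f"same network as line {seen[net]}"))
            continue
        for earlier, first in seen.items():
            if net != earlier and net.subnet_of(earlier):
                findings.append((n, text, "redundant",
                                 f"already covered by {earlier} on line {first}"))
                break
        seen[net] = n
    return findings


if __name__ == "__main__":
    for line_no, prefix, kind, detail in audit(SAMPLE_RULES):
        print(f"line {line_no}: {prefix}: {kind}: {detail}")
```

Run it against the real file with audit(open("/etc/ipf.rules").read()); a "misaligned" finding is always a typo to fix, a "routable" one means the rule blocks more than the comment claims, and "duplicate" or "redundant" entries are harmless but worth deleting so the list stays readable.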