OK, Matthew, I changed my rules and kept only

   "block in quick on tun0 from 192.168.0.0/8 to any group 1"

and deleted the other /16, /24 and /32 rules, thanks.

Thomas, then your recommendation is not to use group on the rules for:

---ed0
---lo0
---lp0

And change them to:

block in on tun0 all head 1
all the rules

block out on tun0 all head 2
all the rules

pass in quick on ed0 all
pass out quick on ed0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on lp0 all
pass out quick on lp0 all

block in quick all
block out quick all

I like this one. Are my changes correct?

--- Thomas Beer <[EMAIL PROTECTED]> wrote:

From: Thomas Beer <[EMAIL PROTECTED]>
Date: Tue, 22 Mar 2005 17:55:12 +0100
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: Can you criticize my rules!!!

These rules seem senseless to me

block out on ed0 all head 3
pass out quick on ed0 all group 3

block in on ed0 all head 4
pass in quick on ed0 all group 4

block out on lo0 all head 5
pass out quick on lo0 all group 5

block in on lo0 all head 6
pass in quick on lo0 all group 6

block out on lp0 all head 7
pass out quick on lp0 all group 7

block in on lp0 all head 8
pass in quick on lp0 all group 8

Cheers Tom


On Sun, 20 Mar 2005 23:31:37 -0800 (PST), bsdboy <[EMAIL PROTECTED]> wrote:
> Hi, I have done my rules with IPFILTER v3.4.35 on FreeBSD 4.11 Release.
> These rules are only to let the users:
> --no servers on any client
> --check mails
> --surf the Web
> --access ftp servers
> --and for the firewall to get updates over cvs servers
>
> Private IP: 192.168.0.1 ---default router
> Clients:192.168.0.2/3/4 Freebsd/win2k/winXP
>
> /etc/ipf.rules
> block in on tun0 all head 1
> block in quick on tun0 from 192.168.0.0/16 to any group 1
> block in quick on tun0 from 172.16.0.0/12 to any group 1
> block in quick on tun0 from 10.0.0.0/8 to any group 1
> block in quick on tun0 from 127.0.0.0/8 to any group 1
> block in quick on tun0 from 0.0.0.0/8 to any group 1
> block in quick on tun0 from 169.254.0.0/16 to any group 1
> block in quick on tun0 from 192.0.2.0/24 to any group 1
> block in quick on tun0 from 204.152.64.0/23 to any group 1
> block in quick on tun0 from 224.0.0.0/3 to any group 1
> block in quick on tun0 from 192.168.0.0/8 to any group 1
> block in quick on tun0 from 192.168.0.0/16 to any group 1
> block in quick on tun0 from 192.168.0.0/24 to any group 1
> block in quick on tun0 from 192.168.0.0/32 to any group 1
> block in quick on tun0 from 192.168.0.255/32 to any group 1
> block in quick on tun0 all with frags group 1
> block in quick on tun0 proto tcp all with short group 1
> block in quick on tun0 all with opt lsrr group 1
> block in quick on tun0 all with opt ssrr group 1
> block in quick on tun0 proto tcp from any to any flags FUP group 1
> block in quick on tun0 all with ipopts group 1
> block in quick on tun0 proto icmp all icmp-type 8 group 1
> block in quick on tun0 proto tcp from any to any port = 113 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 135 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 137 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 138 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 139 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 81 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 445 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 500 group 1
> block in quick on tun0 proto tcp/udp from any to any port = 593 group 1
> block in log first quick on tun0 group 1
>
> block out on tun0 all head 2
> pass out quick on tun0 proto tcp from any to 200.38.10.1/32 port=53 flags S keep state group 2
> pass out quick on tun0 proto udp from any to 200.38.10.1/32 port=53 keep state group 2
> pass out quick on tun0 proto tcp from any to 200.23.249.1/32 port=53 flags S keep state group 2
> pass out quick on tun0 proto udp from any to 200.23.249.1/32 port=53 keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 443 flags S keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 23 flags S keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 5999 flags S keep state group 2
> pass out quick on tun0 proto tcp from any to any port = 43 flags S keep state group 2
> pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 2
> block out log first quick on tun0 all group 2
>
> block out on ed0 all head 3
> pass out quick on ed0 all group 3
>
> block in on ed0 all head 4
> pass in quick on ed0 all group 4
>
> block out on lo0 all head 5
> pass out quick on lo0 all group 5
>
> block in on lo0 all head 6
> pass in quick on lo0 all group 6
>
> block out on lp0 all head 7
> pass out quick on lp0 all group 7
>
> block in on lp0 all head 8
> pass in quick on lp0 all group 8
>
> block in quick all
> block out quick all
>
> /etc/ipnat.rules
> map tun0 0/0 ->0/32 proxy port ftp ftp/tcp
> map tun0 0/0 ->0/32 portmap tcp/udp 20000/60000
> map tun0 0/0 ->0/32
>
> I will appreciate any comments. Only one question: supposing that I want to
> let eMule work, does the rdr in ipnat.rules go before map or after map? Or
> where does it go?
>
> Thanks all.
>
> ________________________________
> Create your webmail account at http://www.starlinux.net
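As an added example, not part of this thread or of ipfilter itself, the following Python script audits the anti-spoof "block in ... from X" lines of the posted /etc/ipf.rules: it normalizes each CIDR the way ipf masks off host bits, flags source networks that are not in the expected bogon list (so that a rule would block public address space), and reports rules made redundant by a broader one. The rule lines and the bogon list below are constructed from the posted configuration.

```python
import ipaddress

# Constructed sample: the anti-spoof lines from the posted /etc/ipf.rules
RULES = """\
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 172.16.0.0/12 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 127.0.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/24 to any group 1
block in quick on tun0 from 192.168.0.0/32 to any group 1
"""

# Source space that should never arrive from the Internet on tun0:
# RFC 1918, loopback, "this" net, link-local, TEST-NET and 224.0.0.0/3.
EXPECTED_BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/3")]

def parse_source_nets(text):
    """Return [(cidr as written, normalized network)] for 'block ... from X' lines."""
    nets = []
    for line in text.splitlines():
        words = line.split()
        if words and words[0] == "block" and "from" in words:
            cidr = words[words.index("from") + 1]
            # strict=False masks off host bits, as ipf does when it loads the
            # rule: 192.168.0.0/8 silently becomes 192.0.0.0/8.
            nets.append((cidr, ipaddress.ip_network(cidr, strict=False)))
    return nets

def audit(text):
    """List (cidr, problem) pairs: host bits set, not a bogon, or redundant."""
    nets = parse_source_nets(text)
    findings = []
    for i, (cidr, net) in enumerate(nets):
        if str(net) != cidr:
            findings.append((cidr, f"host bits set; matches {net}"))
        if not any(net.subnet_of(b) for b in EXPECTED_BOGONS):
            findings.append((cidr, f"{net} is not a bogon; blocks public space"))
        for j, (other_cidr, other) in enumerate(nets):
            if j != i and net.subnet_of(other):
                findings.append((cidr, f"redundant: covered by {other_cidr}"))
    return findings

if __name__ == "__main__":
    for cidr, problem in audit(RULES):
        print(f"{cidr:18} {problem}")
```

Running it shows that 192.168.0.0/8 is really 192.0.0.0/8, which is not private space, and that it swallows the /16, /24 and /32 rules beneath it.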