FWIW, with ipv6, this is what I do:
int="xl0"
ext="{ xl1, gif0 }"
# block and log everything from the outside by default
block out log on $ext all
block in log on $ext all
block return-rst out log on $ext proto tcp all
block return-rst in log on $ext proto tcp all
block return-icmp out log on $ext proto udp all
block return-icmp in log on $ext proto udp all
# be picky about inside inet6 stuff, since this is world reachable
block out log on $int inet6 all
block in log on $int inet6 all
block return-rst out log on $int inet6 proto tcp all
block return-rst in log on $int inet6 proto tcp all
#block return-icmp6(port-unr) in log on $int inet6 proto tcp all
block return-icmp6 out log on $int inet6 proto udp all
block return-icmp6 in log on $int inet6 proto udp all
... and of course rules to allow 'allowed' services inside.
--
Todd Fries .. [EMAIL PROTECTED]
(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)
Penned by Daniel Hartmeier on Wed, Nov 20, 2002 at 02:22:48PM +0100, we have:
| On Tue, Nov 19, 2002 at 10:00:08PM -0800, Ed Herkel wrote:
|
| > block out log all
| > block in log all
| > block return-rst in log inet proto tcp all
| > block return-rst out log inet proto tcp all
| > block return-icmp in log inet proto udp all
| > block return-icmp out log inet proto udp all
|
| This default block section applies to all interfaces, including the
| internal interface. Note that states created on the external interface
| don't allow associated packets to pass other interfaces automatically.
|
| If you really want to filter on the internal interface as well, add
| rules that define which connections to pass there as well (including
| creating states there). Otherwise, add something like this after the
| default block section:
|
| pass in quick on $int_if all
| pass out quick on $int_if all
|
| so the internal interface isn't filtered at all, and all filtering
| happens on the external interface.
|
| Daniel
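To tie the two posts together, here is a complete pf.conf that follows Daniel's advice (pass everything on the inside for IPv4 with quick rules, because states created on the external interface do not let packets cross other interfaces) and Todd's per-interface IPv6 blocking, with the "allowed services" rules he left out spelled in. This is an added example, not either poster's configuration; the interface names are taken from Todd's macros, while the service list and the ICMPv6 pass rules are assumptions.

```pf
# Added example (not from the original thread). Macros as in Todd's post;
# $tcp_services is an assumed list of services reachable from outside.
int = "xl0"
ext = "{ xl1, gif0 }"
tcp_services = "{ 22, 80 }"

# default block on the external interfaces, logged, with TCP RST and
# ICMP unreachables so clients fail fast instead of timing out
block out log on $ext all
block in  log on $ext all
block return-rst  out log on $ext proto tcp all
block return-rst  in  log on $ext proto tcp all
block return-icmp out log on $ext proto udp all
block return-icmp in  log on $ext proto udp all

# Daniel's point: the inside is not filtered for IPv4. These are quick
# rules, so evaluation stops here and no later rule applies to inet on $int.
pass in  quick on $int inet all
pass out quick on $int inet all

# Todd's point: inside IPv6 is world reachable, so block it by default too
block out log on $int inet6 all
block in  log on $int inet6 all
block return-rst   out log on $int inet6 proto tcp all
block return-rst   in  log on $int inet6 proto tcp all
block return-icmp6 out log on $int inet6 proto udp all
block return-icmp6 in  log on $int inet6 proto udp all

# Assumed caveat: neighbour discovery is ICMPv6, so a blanket inet6 block
# on $int would break local IPv6 unless ICMPv6 is passed on that interface.
pass in  quick on $int inet6 proto ipv6-icmp all
pass out quick on $int inet6 proto ipv6-icmp all

# Allowed services, each creating its own state on the interface it enters.
# Without quick, the last matching rule wins, so these override the blocks.
pass out on $ext all keep state
pass out on $int inet6 all keep state
pass in on $ext inet  proto tcp from any to any port $tcp_services flags S/SA keep state
pass in on $int inet6 proto tcp from any to any port $tcp_services flags S/SA keep state
```

Because the inet6 block rules on $int are not quick, a connection matched by the final pass rule is allowed and gets a state, while anything else on the inside IPv6 path is still logged by the block rules.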