A starter ipf.rules

FreeBSD ships IP Filter, also known as ipf, as one of its firewall options. Below is a starter ruleset for a single host with one public interface (xl0).

More later!

Add these lines to /etc/rc.conf:

ipfilter_enable="YES"             # Start ipf firewall
ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
ipmon_enable="YES"                # Start IP monitor log
ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq
                                  # n = map IP & port to names

The ruleset itself, /etc/ipf.rules:

# Flush and reload the ruleset after editing: ipf -Fa -f /etc/ipf.rules
# A single host needs the /32 suffix
# Block whole networks with /8, /16, /24 or a custom mask such as /28
# Put blocks at the top: every rule here is 'quick', so the first match is final
# (without 'quick', ipf keeps scanning and the last matching rule wins)
# Enable the firewall in /etc/rc.conf as shown above

# Let me in you bastard guy!
# This trumps every deny below: it is 'quick', so the first match is final.
# pass in log quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state

# From the 10.5 home net. Port tests only apply to tcp/udp, so name the
# protocol, and bind the rules to xl0 so they don't also apply to lo0.
pass in log quick on xl0 proto tcp from 10.5.1.0/24 to any port = 22 flags S keep state
block in log quick on xl0 proto tcp from any to any port = 22
# identd
# pass in log quick on xl0 proto tcp from any to any port = 113 flags S keep state
# Ident (RFC 1413) runs over TCP/113, so the UDP rule below does nothing for
# it; it is harmless, but only the commented TCP rule would admit ident queries.
pass in log quick on xl0 proto udp from any to any port = 113

# Interlopers
block in quick from 66.225.225.224/32 to any
block in quick from 64.236.240.190/32 to any
block in quick from 71.56.150.108/32 to any

# advertisers:
block in quick from 204.16.208.59/32 to any

# Chinese
block in log quick from 221.10.0.0/16 to any

# Israelis. 85.0.0.0/8 is a RIPE NCC block spanning much of Europe, not one
# country, so this cuts off far more than the label says.
block in log quick from 85.0.0.0/8 to any

# Russians. 81.0.0.0/8 is likewise a RIPE NCC block covering many countries.
block in log quick from 81.0.0.0/8 to any

# repeated scanning
block in log quick from 71.56.123.125/32 to any
block in log quick from 71.56.255.188/32 to any

# Allow all else to port 80, with state so the replies get out on their own
# (the outbound tcp rule below only matches new connections, flags S).
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state

# Allow ssh only from 10.5.1.0/24, internal net. The port test is what makes
# this "ssh only"; without it the rule passed every TCP port from that net.
pass in quick on xl0 proto tcp from 10.5.1.0/24 to any port = 22 flags S keep state

# block all other ssh src
block in log quick on xl0 proto tcp from any to any port = 22

# Block IP fragments ('with frags' matches any fragment, not just tiny ones;
# 'with short' below catches packets too short to carry a full header)
block in quick on xl0 all with frags

# Block short tcp packets
block in quick on xl0 proto tcp all with short

# block source routed packets (the 'with ipopts' rule below already covers
# these, since it matches any IP option; these two give a more specific match)
block in quick on xl0 all with opt lsrr
block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on xl0 all with ipopts

# Incoming mail: log TCP 25 (587 is commented out). State is kept so the
# replies get out without relying on the catch-all outbound rule below.
# The ssh line is a leftover; ssh is handled above.
pass in log quick on xl0 proto tcp from any to any port = 25 flags S keep frags keep state
# pass in log quick on xl0 proto tcp from any to any port = 587 flags S keep frags keep state
# pass in log quick on xl0 proto tcp from any to any port = 22

# loopback in/out. These belong at the top of the file: any rule above that
# has no 'on xl0' clause also sees lo0 traffic, so local connections to
# 127.0.0.1 can be blocked before they ever reach these two rules.
pass in quick on lo0 all
pass out quick on lo0 all

# Allow all outgoing ssh
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state

####	Then allow other web visitors (the inbound rule duplicates the port 80 rule above, which matches first; the outbound rule is the useful one here)	####
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state

####	Allow DNS lookups	####
pass out quick on xl0 proto udp from any to any port = 53 keep state keep frags

# Allow other requests out: tcp, udp (this also covers the DNS rule above) and icmp.
# 'flags S' means the tcp rule only matches new outbound connections, so replies to
# any stateless inbound pass rule above depend on the last rule here, which passes
# everything from 10.5.1.10 without state.
# pass out quick on xl0 proto tcp from any to any keep frags keep state
pass out quick on xl0 proto tcp from any to any flags S keep frags keep state
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 from 10.5.1.10 to any

# Dump all else. Who needs them? (Block by default)
block in log quick on xl0 all
block out quick on xl0 all

# Unused
# This is the TCP rule that would actually admit ident queries (ident is TCP/113).
# Note that anything placed here, after the block-all above, can never match.
# pass in quick on xl0 proto tcp from any to any port = 113 flags S keep frags keep state

# DHCP, not necessary unless NAT-ing for DHClients
# pass in log quick on xl0 proto udp from any to any port = 68 keep state
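The ordering rules that govern this file (the first 'quick' match is final, otherwise the last match wins, and a later rule is dead when an earlier 'quick' rule already matches everything it could) are easy to get wrong in a ruleset this size. The simulator below is an added example, not part of this page's ruleset or of IP Filter itself: it parses the subset of ipf.conf syntax used on this page and replays a few constructed packets through the rules as written, in their original order, with the page's commented-out DHCP rule uncommented and placed after the block-all on purpose. 198.51.100.7 and 192.0.2.1 are documentation addresses chosen for the samples and 10.5.1.20 is an assumed host on the page's 10.5.1.0/24 net. 'flags X' is modelled as exactly those TCP bits set, and 'keep state' and 'keep frags' are parsed but have no effect on a single packet.

```python
import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Rule = namedtuple("Rule", "action direction quick iface proto src dst dport flags with_opts text")
Packet = namedtuple("Packet", "direction iface proto src dst dport flags attrs",   # flags: TCP flag letters set;
                    defaults=(None, frozenset(), frozenset()))                     # attrs: "frags", "short", ...

def parse_rule(line):
    # Accepts the ipf.conf subset this page uses; any other keyword raises ValueError.
    t = line.split()
    f = dict(action=t[0], direction=t[1], text=line,
             quick=False,             # without quick, ipf keeps scanning and the LAST match wins
             iface=None,              # no "on xl0": the rule applies on every interface, lo0 included
             proto=None, src=ANY, dst=ANY,
             dport=None, flags=None,  # "to X port = N" (tcp/udp only); "flags S"/"flags FUP" = exactly those bits
             with_opts=set())         # "with frags", "with short", "with ipopts", "with opt lsrr" (as "opt:lsrr")
    i = 2
    while i < len(t):
        k, a = t[i], t[i + 1] if i + 1 < len(t) else None
        if k == "quick":
            f["quick"], i = True, i + 1
        elif k == "log":                                   # "log" or "log first"
            i += 2 if a == "first" else 1
        elif k in ("on", "proto", "flags"):
            f["iface" if k == "on" else k], i = a, i + 2
        elif k in ("from", "to"):
            f["src" if k == "from" else "dst"] = ANY if a == "any" else ipaddress.ip_network(a)
            i += 2
            if k == "to" and t[i:i + 2] == ["port", "="]:
                f["dport"], i = int(t[i + 2]), i + 3
        elif k == "with":
            f["with_opts"].add("opt:" + t[i + 2] if a == "opt" else a)
            i += 3 if a == "opt" else 2
        elif k in ("all", "keep"):                         # "all" = from any to any; keep state/frags: no-op per packet
            i += 1 if k == "all" else 2
        else:
            raise ValueError(f"unsupported keyword {k!r} in: {line}")
    f["with_opts"] = frozenset(f["with_opts"])
    return Rule(**f)

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and p.src in r.src and p.dst in r.dst
            and (r.dport is None or (p.proto in ("tcp", "udp") and p.dport == r.dport))
            and (r.flags is None or (p.proto == "tcp" and frozenset(r.flags) == p.flags))
            and r.with_opts <= p.attrs)

def evaluate(rules, p):
    """(action, rule index): first quick match is final, else the last match wins; no match = pass (ipf default)."""
    verdict = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, p):
            if r.quick:
                return r.action, i
            verdict = (r.action, i)
    return verdict

def covers(e, r):
    """True when every packet r could match is already matched by e."""
    return (e.direction == r.direction and (e.iface is None or e.iface == r.iface)
            and (e.proto is None or e.proto == r.proto)
            and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
            and (e.dport is None or e.dport == r.dport)
            and (e.flags is None or e.flags == r.flags) and e.with_opts <= r.with_opts)

def dead_rules(rules):
    """(index of a rule that can never fire, index of the earlier quick rule that covers it)."""
    return [(j, i) for j, r in enumerate(rules) for i in range(j) if rules[i].quick and covers(rules[i], r)]

# Constructed from this page's rules in their original order, plus the commented-out DHCP rule placed after the block-all.
RULESET = """
pass in log quick from 10.5.1.0/24 to any port = 22 keep state
block in log quick from any to any port = 22
pass in quick on xl0 proto tcp from any to any port = 80
pass in quick on xl0 proto tcp from 10.5.1.0/24 to any
block in log quick on xl0 proto tcp from any to any port = 22
block in log first quick on xl0 proto tcp from any to any flags FUP
pass in quick on lo0 all
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep frags keep state
block in log quick on xl0 all
pass in log quick on xl0 proto udp from any to any port = 68 keep state
"""

def verdicts():
    # Constructed inbound packets: 198.51.100.7 and 192.0.2.1 are documentation addresses, 10.5.1.20 an assumed LAN host.
    rules, ip = parse_ruleset(RULESET), ipaddress.ip_address
    pkts = {
        "lan_443": Packet("in", "xl0", "tcp", ip("10.5.1.20"), ip("192.0.2.1"), 443, frozenset("S")),
        "inet_80": Packet("in", "xl0", "tcp", ip("198.51.100.7"), ip("192.0.2.1"), 80, frozenset("S")),
        "lo_ssh": Packet("in", "lo0", "tcp", ip("127.0.0.1"), ip("127.0.0.1"), 22, frozenset("S")),
        "xmas": Packet("in", "xl0", "tcp", ip("198.51.100.7"), ip("192.0.2.1"), 5555, frozenset("FUP")),
    }
    return {name: evaluate(rules, p) for name, p in pkts.items()}

if __name__ == "__main__":
    print(verdicts(), dead_rules(parse_ruleset(RULESET)))
```

Run against the page's rules, verdicts() shows the LAN host reaching tcp/443 through the "ssh only" rule (index 3, which has no port test), a web visitor matched by the stateless port 80 rule (index 2) rather than the keep-state copy (index 7), an ssh connection to 127.0.0.1 blocked by the port 22 deny (index 1) because it has no 'on xl0' clause, and the FIN/URG/PSH probe blocked by the flags FUP rule (index 5). dead_rules() reports the xl0 port 22 block (covered by rule 1), the keep-state port 80 rule (covered by rule 2) and the DHCP rule (covered by the block-all, rule 8) as rules that can never fire. The cover test is deliberately conservative: a rule that is only partly shadowed, like the lo0 pass rule here, is not reported, which is why replaying sample packets is still worth doing.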