datamike
April 24th, 2003, 17:24
Hi All, I know this has been beat to death but can you please look over my ruleset and see if there is anything I should add or remove. Thanks.


###################################################################
## Internet -> Cisco Router -> Bridge Firewall -> Switch #########
###################################################################

Ext_if = "{ sis0 }"
NoRouteIPs = "{ 172.16.0.0/12, 255.255.255.255/32, 10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/32,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24 }"

############
##In Rules##
############

# Clean up fragmented and abnormal packets

scrub in all




# don't allow anyone to spoof non-routable addresses
# (macro names are case-sensitive: $Ext_if must match the Ext_if definition above)

block in quick on $Ext_if inet from $NoRouteIPs to any
block in quick on $Ext_if inet from any to $NoRouteIPs




# allow certain classes of ICMP (PING)

pass in quick on $Ext_if proto icmp all icmp-type 0
pass in quick on $Ext_if proto icmp all icmp-type 3
pass in quick on $Ext_if proto icmp all icmp-type 11




# Allow SSH, SMTP, POP, HTTP, and DNS to the Sun box.

pass in quick on $Ext_if proto tcp from any to 192.168.0.250 port = 22
pass in quick on $Ext_if proto tcp from any to 192.168.0.250 port = 80
pass in quick on $Ext_if proto tcp from any to 192.168.0.250 port = 110
pass in quick on $Ext_if proto tcp from any to 192.168.0.250 port = 25
pass in quick on $Ext_if proto tcp from any to 192.168.0.250 port = 53




# allow udp DNS replies from 205.171.3.65 and 65.112.18.137.

pass in quick on $Ext_if proto udp from 205.171.3.65 port = 53 to any
pass in quick on $Ext_if proto udp from 65.112.18.137 port = 53 to any




# REJECT auth connections for fast SMTP handshake
# (needs quick: without it the default "block in" below matches last and
# silently drops port 113 instead of returning a RST)

block return-rst in quick on $Ext_if proto tcp from any to any port = 113




# finally lock the rest down with a default deny

block in on $Ext_if all




###################
##End of In Rules##
###################


#############
##Out Rules##
#############



#Let ALL out-going traffic out and maintain state on established connections.


pass out on $Ext_if proto tcp all keep state



####################
##End of out Rules##
####################
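
pf macro names are case-sensitive, so a reference such as $Ext_iF or $Ext_IF does not expand a macro defined as Ext_if, and pfctl rejects the file. The lint below is an added example (not code from the thread or from OpenBSD): it scans a pf.conf for $macro references with no exact-case definition and suggests a defined name that differs only in case; the embedded ruleset excerpt is constructed for the demonstration.

```python
import re

# Constructed excerpt of a bridge-firewall ruleset: Ext_if is defined once,
# but later rules reference it as $Ext_iF and $Ext_IF.
SAMPLE_PF_CONF = """\
Ext_if = "{ sis0 }"
NoRouteIPs = "{ 172.16.0.0/12, 10.0.0.0/8 }"
scrub in all
block in quick on $Ext_iF inet from $NoRouteIPs to any
pass in quick on $Ext_iF proto tcp from any to 192.168.0.250 port = 22
block in on $Ext_IF all
pass out on $Ext_if proto tcp all keep state
"""

# A macro definition is an identifier followed by '=' at the start of a line.
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
# A macro reference is '$' followed by an identifier.
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def find_undefined_macros(conf: str):
    """Return (line_no, name, suggestion) for each $name that has no
    exact-case definition earlier in the file. suggestion is a defined
    macro matching case-insensitively, or None if there is none."""
    defined = set()
    problems = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore trailing comments
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))  # pf requires definition before use
        for name in MACRO_REF.findall(line):
            if name in defined:
                continue
            by_lower = {d.lower(): d for d in defined}
            problems.append((line_no, name, by_lower.get(name.lower())))
    return problems


if __name__ == "__main__":
    for line_no, name, hint in find_undefined_macros(SAMPLE_PF_CONF):
        fix = f" (did you mean ${hint}?)" if hint else ""
        print(f"line {line_no}: macro '{name}' not defined{fix}")
```

pfctl -nf on the file reports the same undefined macro, but the lint shows every mismatch at once rather than stopping at the first error.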

frisco
April 24th, 2003, 18:22
What version are you running? 3.2?

datamike
April 24th, 2003, 18:34
OpenBSD 3.1. If you need any other info let me know. Thanks.