ipfilter Schnipsel

© Copyright 2003 Hellmuth Michaelis. All Rights reserved.

Version: $Id: ipfilter-schnippel.html,v 1.1 2003/02/23 15:37:22 cvs Exp $

ipfilter: Beispiele

Dies sind Beispiele eines ipfilter - Konfigurationsfiles.

Die verwendeten IP - Adressen stammen aus einer dynamischen Addresszuweisung (dieses ipfilter - Konfigurationsfile wird aus einer Template dynamisch erstellt). Ein Angriff auf diese Addressen ist daher unsinnig, da es hoechstwahrscheinlich einen voellig Ahnungslosen treffen würde ....

Setzen der default policy:

block in  log all

block out log all

blockieren von illegalen Pakteten:

block in log quick from any to any with ipopts

block in log quick proto tcp from any to any with short

Handling localhost / 127.0.0.1:

pass in  quick from 127.0.0.1/32 to 127.0.0.1/32

pass out quick from 127.0.0.1/32 to 127.0.0.1/32

Allen Traffic auf dem internen LAN-Interface erlauben:

pass in  quick on ste0 from 172.31.42.0/24 to 172.31.42.0/24

pass out quick on ste0 from 172.31.42.0/24 to 172.31.42.0/24

Private Netze (RFC 1918) blockieren:

block in log quick from 192.168.0.0/16 to any

block in log quick from 172.16.0.0/12 to any

block in log quick from 10.0.0.0/8 to any

block in log quick from 127.0.0.0/8 to any

block in log quick from 0.0.0.0/8 to any

block in log quick from 169.254.0.0/16 to any

block in log quick from 224.0.0.0/3 to any


block out log quick from any to 192.168.0.0/16

block out log quick from any to 172.16.0.0/12

block out log quick from any to 10.0.0.0/8

block out log quick from any to 127.0.0.0/8

block out log quick from any to 0.0.0.0/8

block out log quick from any to 169.254.0.0/16

block out log quick from any to 224.0.0.0/3

Ausgehende externe TCP Verbindungen erlauben:

pass out quick on tun1 proto tcp from 80.129.216.169/32 to any flags S keep state keep frags

externen DNS Traffic erlauben:

pass out quick on tun1 proto udp from 80.129.216.169/32 port = 53 to any port = 53

pass in  quick on tun1 proto udp from any port = 53 to 80.129.216.169/32 port = 53

eingehenden http Traffic erlauben:

pass in quick on tun1 proto tcp from any to 80.129.216.169/32 port = 80 flags S/SA keep state

ICMP type 3 erlauben:

pass in quick on tun1 proto icmp from any to 80.129.216.169/32 icmp-type 3

ausgehende "pings" erlauben:

pass out quick on tun1 proto icmp from 80.129.216.169/32 to any icmp-type echo keep state

alle weiteren TCP Verbindungsversuche mit RST beantworten:

block return-rst in log quick on tun1 proto tcp all

alle weiteren UDP Verbindungsversuche mit ICMP Port Unreachable beantworten:

block return-icmp-as-dest(port-unr) in log quick on tun1 proto udp all

Hellmuth Michaelis

Tel: +49 4101 473574