#
# Object: $Id: ipfilter,v 1.38 2001/04/24 09:28:01 gdmr Exp $
#
# >>>> comment.head <<<<
# $Id: comment.head,v 1.1 2001/04/11 14:32:50 gdmr Exp $
# This is the configuration file for IPfilter. It's created from various
# small functional blocks, which are included under the control of the
# ipfilter object's , and resources.
# The name of each block's source file appears here flagged by ">>>>" and
# "<<<<" before the corresponding rules.
#
# There are two types of these files. Those whose names begin with
# "generated" are tcl or shell scripts, whose stdout is included in the
# final configuration; this is useful for things which depend on other
# resources or on a machine's specific configuration in some way. All
# other files are included verbatim.
#
# Finally, the whole lot is post-processed with sed to make some simple
# substitutions.
#
# >>>> generated.in.NTP <<<<
# $Id: generated.in.NTP,v 1.4 2001/04/06 09:26:34 gdmr Exp $
#
block in on qfe0 proto udp from any to any port = 123 head 301
#
# ntp_server: araig-s -> araig.dcs.ed.ac.uk
# ntp_server: bigga-s -> bigga.dcs.ed.ac.uk
# ntp_server: sligga-s -> sligga.dcs.ed.ac.uk
#
# Wire S server addresses first
pass in quick from any to 129.215.216.240 group 301
pass in quick from any to 129.215.216.108 group 301
pass in quick from any to 129.215.216.103 group 301
#
# Then wire A server addresses, if any
pass in quick from any to 129.215.160.240 group 301
#
# Then the rest of the server addresses
pass in quick from any to 129.215.217.250 group 301
pass in quick from any to 129.215.58.240 group 301
pass in quick from any to 129.215.96.240 group 301
pass in quick from any to 129.215.124.108 group 301
pass in quick from any to 129.215.202.135 group 301
pass in quick from any to 129.215.212.108 group 301
pass in quick from any to 129.215.252.108 group 301
pass in quick from any to 129.215.39.2 group 301
pass in quick from any to 129.215.46.102 group 301
pass in quick from any to 129.215.58.108 group 301
pass in quick from any to 129.215.124.109 group 301
pass in quick from any to 129.215.202.134 group 301
pass in quick from any to 129.215.212.109 group 301
pass in quick from any to 129.215.252.109 group 301
pass in quick from any to 129.215.39.3 group 301
pass in quick from any to 129.215.46.103 group 301
pass in quick from any to 129.215.58.109 group 301
#
# Finally, ignore all other NTP from anywhere at all
block in quick from any to any group 301
#
# >>>> block.in.SRopts <<<<
# $Id: block.in.SRopts,v 1.3 2001/04/11 13:54:37 gdmr Exp $
# Source-routing is nasty. Drop it now.
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
#
# >>>> block.in.short <<<<
# $Id: block.in.short,v 1.5 2001/04/11 11:17:13 gdmr Exp $
# Block all short TCP and UDP packets. ICMP is handled later.
# Think about what to do with other protocols if the need ever arises...
block in log quick proto tcp/udp from any to any with short
#
# >>>> pass.in.loopback <<<<
# $Id: pass.in.loopback,v 1.3 2000/10/04 10:05:39 gdmr Exp $
# bypass any other processing on the loopback interface
#
# The following rule would be necessary if the loopback interface
# were filtered, but since it isn't we'll skip it to save a little time.
#pass in quick on lo0 from 127.0.0.1 to 127.0.0.1
#
# "localhost" shouldn't ever be on a real wire
block in log quick from 127.0.0.0/8 to any
block in log quick from any to 127.0.0.0/8
#
# >>>> comment.pre <<<<
# $Id: comment.pre,v 1.1 2001/04/06 15:43:08 gdmr Exp $
# The rules above come from the resource. They're intended as
# a small common set which will be used by (almost?) all machines.
#
# The next lot of rules come from the resource. There's a common
# core, but it's expected that machines will prepend and append as required.
#
# >>>> ignore.in.from-gibson-ucs <<<<
# $Id: ignore.in.from-gibson-ucs,v 1.1 2001/03/13 09:42:37 gdmr Exp $
# Throw away everything from gibson.ucs. Don't bother sending anything back.
block in quick from 129.215.200.12 to any
#
# >>>> generated.in.RIP-Wire-P <<<<
# $Id: generated.in.RIP-Wire-P,v 1.2 2000/10/04 10:37:07 gdmr Exp $
block in quick proto udp from 129.215.96.0/24 to any port = 520
#
# >>>> generated.in.RIP-Wire-R <<<<
# $Id: generated.in.RIP-Wire-R,v 1.1 2001/04/12 13:56:36 gdmr Exp $
block in quick proto udp from 129.215.199.0/24 to any port = 520
#
# >>>> generated.in.dcs <<<<
# $Id: generated.in.dcs,v 1.6 2001/04/12 11:23:44 gdmr Exp $
# Local wires: 129.215.216.0 129.215.160.0 129.215.58.0 129.215.96.0 129.215.199.0
# Wire: wire-s, network: 129.215.216.0
pass in quick from 129.215.216.0/24 to any
# Wire: wire-r, network: 129.215.199.0
pass in quick from 129.215.199.0/24 to any
# Wire: wire-h, network: 129.215.58.0
pass in quick from 129.215.58.0/24 to any
# Wire: wire-p, network: 129.215.96.0
pass in quick from 129.215.96.0/24 to any
# Wire: wire-q, network: 129.215.11.0
pass in quick from 129.215.11.0/24 to any
# Wire: wire-m, network: 129.215.212.0
pass in quick from 129.215.212.0/24 to any
# Wire: wire-j, network: 129.215.224.0
pass in quick from 129.215.224.0/24 to any
# Wire: wire-i, network: 129.215.186.0
pass in quick from 129.215.186.0/24 to any
# Wire: wire-k, network: 129.215.46.0
pass in quick from 129.215.46.0/24 to any
# Wire: wire-d, network: 129.215.124.0
pass in quick from 129.215.124.0/24 to any
# Wire: wire-u, network: 129.215.39.0
pass in quick from 129.215.39.0/24 to any
# Wire: wire-at1, network: 129.215.202.0
pass in quick from 129.215.202.0/24 to 129.215.0.0/16
# Wire: wire-t, network: 129.215.2.0
pass in quick from 129.215.2.0/24 to any
# Wire: wire-e, network: 129.215.252.0
pass in quick from 129.215.252.0/24 to any
# UNTRUSTED wire: wire-a, network: 129.215.160.0
# UNTRUSTED wire: wire-at2, network: 129.215.42.0
# UNTRUSTED wire: wire-csee, network: 129.215.217.0
# Local broadcast
pass in quick proto udp from any to 255.255.255.255
pass in quick proto icmp from any to 255.255.255.255
#
# >>>> pass.in.from-wire-A-hosts <<<<
# $Id: pass.in.from-wire-A-hosts,v 1.2 2001/05/23 12:14:39 gdmr Exp $
# We don't trust wire A addresses in general. However, there are a few
# specific machines on that wire that we may receive packets from. Let them
# through here. Group them to speed things along.
#
block in from 129.215.160.0/24 to any head 314
#
# lewis
pass in quick from 129.215.160.251 to any group 314
# harris
pass in quick from 129.215.160.252 to any group 314
# flugga
pass in quick from 129.215.160.243 to any group 314
# jura
pass in quick from 129.215.160.242 to any group 314
# araig
pass in quick from 129.215.160.240 to any group 314
# mhoraidh
pass in quick from 129.215.160.246 to any group 314
# sunniva
pass in quick from 129.215.160.253 to any group 314
# denhaag (yuk)
pass in quick from 129.215.160.7 to any group 314
#
# >>>> generated.in.Wire-A-broadcast <<<<
# $Id: generated.in.Wire-A-broadcast,v 1.2 2000/10/12 11:35:19 gdmr Exp $
block in from any to 129.215.160.255 head 306
pass in quick proto udp from 129.215.160.0/24 to any port = 520 group 306
block in quick all group 306
#
# >>>> generated.in.Wire-AT2-broadcast <<<<
# $Id: generated.in.Wire-AT2-broadcast,v 1.1 2000/11/30 09:54:56 gdmr Exp $
# [No wire AT2 interface]
#
# >>>> block.in.SYN+FIN <<<<
# $Id: block.in.SYN+FIN,v 1.1 1999/05/26 12:03:46 gdmr Exp $
# Block TCP with both the SYN and FIN flags set. Although it's legal in
# principle it's only ever used by scanners. Don't even bother replying...
block in log quick proto tcp from any to any flags SF/SF
#
# >>>> block.in.All-switches <<<<
# $Id: block.in.All-switches,v 1.9 2001/03/15 14:51:13 gdmr Exp $
# Throw away everything for the switches. They really shouldn't be visible
# from outside! There's a chunk taken for the KB switches, with the AT
# switch being specified explicitly.
block in log quick from any to 129.215.216.32/28
block in log quick from any to 129.215.202.249
#
# >>>> block.in.source-zero <<<<
# $Id: block.in.source-zero,v 1.2 1999/10/05 08:31:57 gdmr Exp $
# Drop things with either source port zero or source address zero, as they're
# almost certainly bogus.
block in log quick proto tcp/udp from any port = 0 to any
block in log quick from 0.0.0.0/32 to any
#
# >>>> ignore.in.169.254 <<<<
# $Id: ignore.in.169.254,v 1.1 2001/03/29 08:23:47 gdmr Exp $
# Throw away everything from 169.254.*.* -- it seems to be some
# Micro$oft thing.
block in quick from 169.254.0.0/16 to any
#
# >>>> ignore.in.broadcast <<<<
# $Id: ignore.in.broadcast,v 1.1 2001/03/15 14:53:39 gdmr Exp $
# ALL broadcasts that get to here are dropped (all-zeros AND all-ones).
# Don't bother logging anything -- the source address is often forged
# in any case.
block in quick from any to 0.0.0.0 mask 0.0.0.255
block in quick from any to 0.0.0.255 mask 0.0.0.255
#
# >>>> block.in.RFC1597 <<<<
# $Id: block.in.RFC1597,v 1.4 2001/04/05 10:07:35 gdmr Exp $
# Silently block everything from the RFC1597 address ranges, both source and
# destination addresses.
#
# Net-10 is used by ResNet, so let it through here. It'll be filtered
# by the other rules as though it were any other external network.
#block in quick from any to 10.0.0.0/8
#block in quick from 10.0.0.0/8 to any
#
# These two blocks shouldn't appear on our wires.
block in quick from any to 172.16.0.0/12
block in quick from 172.16.0.0/12 to any
block in quick from any to 192.168.0.0/16
block in quick from 192.168.0.0/16 to any
#
# >>>> pass.in.ssh <<<<
# $Id: pass.in.ssh,v 1.3 2001/04/05 10:10:14 gdmr Exp $
#
pass in quick proto tcp from any to any port = 22
# (Consider whether this should be restricted...)
#
# >>>> pass.in.Wire-S-services <<<<
# $Id: pass.in.Wire-S-services,v 1.31 2001/04/17 10:54:59 gdmr Exp $
# Specific services on wire-s machines which need to be passed through
# by all our filtering routers.
#
# Put all of these into a group, so as to bypass them for non-wire-S
# traffic. Block by default for safety, but we'll drop through if nothing
# matches anyway as it's not "quick".
block in proto tcp/udp from any to 129.215.216.0/24 head 216
#
# telnet to remote and glory
pass in quick proto tcp from any to 129.215.216.239 port = 23 group 216
pass in quick proto tcp from any to 129.215.216.201 port = 23 group 216
# smtp to muck (mailhub)
pass in quick proto tcp from any to 129.215.216.15 port = 25 group 216
# ftp to muck and remote and glory
pass in quick proto tcp from any to 129.215.216.15 port = 21 group 216
pass in quick proto tcp from any to 129.215.216.239 port = 21 group 216
pass in quick proto tcp from any to 129.215.216.201 port = 21 group 216
# nntp to kane (newsfeed)
pass in quick proto tcp from any to 129.215.216.105 port = 119 group 216
# http to marmion, charlotte
pass in quick proto tcp from any to 129.215.216.51 port = 80 group 216
pass in quick proto tcp from any to 129.215.216.53 port = 80 group 216
# https to marmion, charlotte
pass in quick proto tcp from any to 129.215.216.51 port = 443 group 216
pass in quick proto tcp from any to 129.215.216.53 port = 443 group 216
# cvs pserver to charlotte
pass in quick proto tcp from any to 129.215.216.51 port = 2401 group 216
# icp to dye
pass in quick proto tcp/udp from any to 129.215.216.12 port = 3128 group 216
pass in quick proto udp from any to 129.215.216.12 port = 3130 group 216
# EdLAN lpr to gutenberg and caxton
pass in quick proto tcp from 129.215.0.0/16 to 129.215.216.13 port = 515 group 216
pass in quick proto tcp from 129.215.0.0/16 to 129.215.216.14 port = 515 group 216
# pop and imap to muck
pass in quick proto tcp from any to 129.215.216.15 port = 110 group 216
pass in quick proto tcp from any to 129.215.216.15 port = 143 group 216
# pop, imap, pops and imaps (110, 143, 995, 993) to cam
pass in quick proto tcp from any to 129.215.216.17 port = 110 group 216
pass in quick proto tcp from any to 129.215.216.17 port = 143 group 216
pass in quick proto tcp from any to 129.215.216.17 port = 995 group 216
pass in quick proto tcp from any to 129.215.216.17 port = 993 group 216
#
# >>>> pass.in.Wire-T-services <<<<
# $Id: pass.in.Wire-T-services,v 1.1 2000/10/18 12:45:03 gdmr Exp $
# Specific services on wire-t machines which need to be passed through
# by all our filtering routers. Basically, this lot is here to allow
# remote hosts to access the "wrong" interfaces on our print servers.
#
# Put all of these into a group, so as to bypass them for non-wire-T
# traffic. Block by default for safety, but we'll drop through if nothing
# matches anyway as it's not "quick".
block in proto tcp/udp from any to 129.215.2.0/24 head 2
#
# EdLAN lpr to gutenberg and caxton
pass in quick proto tcp from 129.215.0.0/16 to 129.215.2.150 port = 515 group 2
pass in quick proto tcp from 129.215.0.0/16 to 129.215.2.151 port = 515 group 2
#
# >>>> pass.in.Wire-AT1-services <<<<
# $Id: pass.in.Wire-AT1-services,v 1.1 1999/11/12 15:53:22 gdmr Exp $
# Specific services on wire-at1 machines which need to be passed through
# by all our filtering routers (yes there are some...).
#
# SMTP to scarp (backup mail hub)
# This should normally go through -at0, but occasionally it might come
# in through -at1 instead.
pass in quick proto tcp from any to 129.215.202.241 port = 25
#
# >>>> pass.in.Wire-M-services <<<<
# $Id: pass.in.Wire-M-services,v 1.3 2001/05/10 11:50:34 gdmr Exp $
# Specific services on wire-m (dice) machines which need to be passed through
# by all our filtering routers.
#
# Group head first
block in proto tcp/udp from any to 129.215.212.0/24 head 212
#
# Kerberos to dice1 and dice3
pass in quick proto tcp/udp from any to 129.215.212.1 port = 88 group 212
pass in quick proto tcp/udp from any to 129.215.212.3 port = 88 group 212
#
# kadmin to dice1
pass in quick proto tcp from any to 129.215.212.1 port = 749 group 212
#
# DICE bugzilla server
pass in quick proto tcp from any to 129.215.212.3 port = 80 group 212
#
# >>>> block.in.Wire-T-high <<<<
# $Id: block.in.Wire-T-high,v 1.2 2001/03/15 15:16:34 gdmr Exp $
# Block everything to the top end of wire T. That's where the
# printers live. (Note that this needs to come before the rules
# that let EdLAN stuff in.) Log TCP; just ignore the rest.
block in log quick proto tcp from any to 129.215.2.128/25
block in quick from any to 129.215.2.128/25
#
# >>>> pass.in.EdLAN-grouped <<<<
# $Id: pass.in.EdLAN-grouped,v 1.4 2001/03/15 15:02:36 gdmr Exp $
# Pass in various things from EdLAN. This lot is grouped to avoid
# ploughing through loads of rules in the general case.
#
# Group head first
block in proto tcp/udp from 129.215.0.0/16 to any head 304
#
# Telnet, mostly for historical reasons
pass in quick proto tcp from any to any port = 23 group 304
#
# X:0, xfs:0 and xdmcp
pass in quick proto tcp from any to any port = 6000 group 304
pass in quick proto tcp from any to any port = 7100 group 304
pass in quick proto udp from any to any port = 177 group 304
#
# Allow EdLAN NFS daemons to speak to our kernel
pass in quick proto tcp/udp from any port = 2049 to any port 767 >< 1024 group 304
pass in quick proto tcp/udp from any port = 111 to any port 767 >< 1024 group 304
#
# Yuk. We need to allow in TCP from ports 768(ish) -- 1023, because the
# rsh protocol (sic) says that stderr is done by the remote host connecting
# back to us on a port in that range that we pick out of the air. We also need
# to allow UDP back in on the same range so that mounting of remote NFS
# servers by us works.
pass in quick proto tcp/udp from any port 767 >< 1024 to any port 767 >< 1024 group 304
# Ugh.
#
# sunrpc and nfs from holyrood and waverley to canna
pass in quick proto udp from 129.215.16.0/24 to 129.215.216.106 port = 111 group 304
pass in quick proto tcp/udp from 129.215.16.0/24 to 129.215.216.106 port = 2049 group 304
pass in quick proto udp from 129.215.16.0/24 to 129.215.216.106 port = 4045 group 304
pass in quick proto udp from 129.215.16.0/24 to 129.215.216.106 port 32000 >< 35000 group 304
#
# >>>> pass.in.All-for-Tardis <<<<
# $Id: pass.in.All-for-Tardis,v 1.1 1999/11/04 11:24:42 gdmr Exp $
# Let everything through to Tardis.
pass in quick from any to 193.62.81.0/24
#
# >>>> pass.in.araig-DNS <<<<
# $Id: pass.in.araig-DNS,v 1.2 2001/04/06 14:55:55 gdmr Exp $
# DNS from anywhere at all to araig, other than...
# We don't need to bother about araig-a, as it'll get
# there directly.
pass in quick proto tcp/udp from any to 129.215.216.240 port = 53
pass in quick proto tcp/udp from any to 129.215.58.240 port = 53
pass in quick proto tcp/udp from any to 129.215.96.240 port = 53
#
# >>>> pass.out.XDMCP <<<<
# $Id: pass.out.XDMCP,v 1.3 2000/01/28 12:00:45 gdmr Exp $
# The chooser seems keen on ignoring the anon-port range set by ndd and
# just doing its own thing. This is a bit irritating, so to avoid tripping
# over the filter rules we'll keep state for the outbound connections...
pass out quick proto udp from any to any port = 177 keep state
#
# >>>> comment.post <<<<
# $Id: comment.post,v 1.1 2001/04/06 15:46:12 gdmr Exp $
# The immediately-preceding set of rules come from the resource,
# a common core which can be added to as appropriate.
#
# The rules below come from the resource. This is intended
# as a common list which (almost?) all machines will use. There is some
# scope for tailoring the end of the list, but this facility is not expected
# to be much used.
#
# >>>> pass.in.DNS <<<<
# $Id: pass.in.DNS,v 1.8 2001/05/23 12:17:17 gdmr Exp $
# Pass in UDP-based DNS. Don't pass TCP-based stuff here -- if it was
# initiated from our end it's already covered, and if it's the other end
# sending a SYN then we don't want it anyway.
#
# We originate from 5353, so let that back in. (Filtering on the source
# port is, of course, SbO.)
pass in quick proto udp from any port = 53 to any port = 5353
#
# We always send from 5353, so anything coming in to 53 must be someone out
# there trying to query one of our servers. We've let EdLAN in elsewhere,
# so just drop anything that gets to here.
block in quick proto udp from any to any port = 53
#
# >>>> generated.in.AI-smb <<<<
# $Id: generated.in.AI-smb,v 1.5 2000/10/04 10:28:58 gdmr Exp $
block in proto udp from 129.215.0.0/16 to any port = 139 head 302
pass in quick from 129.215.200.0/24 to any group 302
pass in quick from 129.215.153.0/24 to any group 302
pass in quick from 129.215.155.0/24 to any group 302
pass in quick from 129.215.25.0/24 to any group 302
pass in quick from 129.215.41.0/24 to any group 302
pass in quick from 129.215.45.0/24 to any group 302
pass in quick from 129.215.59.0/24 to any group 302
#
# >>>> pass.in.EdLAN-ident <<<<
# $Id: pass.in.EdLAN-ident,v 1.6 2000/10/19 11:18:27 gdmr Exp $
# Pass in ident from EdLAN. Block it from anywhere else. Return a
# RST so that things don't have to time out.
pass in quick proto tcp from 129.215.0.0/16 to any port = 113
block return-rst in quick proto tcp from any to any port = 113
#
# >>>> pass.in.misc-exceptions <<<<
# $Id: pass.in.misc-exceptions,v 1.26 2001/04/26 14:45:37 gdmr Exp $
# This is a collection of miscellaneous exceptions to the final "deny all"
# rules. It's meant for things like special requests from users for ports
# to be opened up on an ad hoc basis.
#
# uid_lookup hole for rwt
pass in quick proto udp from 129.215.166.13 to any port > 40010
pass in quick proto udp from 129.215.200.7 to any port > 40010
#
# K -> barker.ucs: the SGIs need to be able to get things from EdVEC at the
# Bush. Let stuff through for them -- they're all on low addresses in
# the subnet, hence the /26 -- but not for anything else on the wire.
# Likewise for a couple of other EUCS machines.
pass in quick proto udp from 129.215.15.0/24 to 129.215.46.0/26 port > 640
pass in quick proto udp from 129.215.16.2 to 129.215.46.0/26 port > 640
pass in quick proto udp from 129.215.166.15 to 129.215.46.0/26 port > 640
#
# Web/ftp service to zermelo (for da)
pass in quick proto tcp from any to 129.215.96.75 port = 80
#pass in quick proto tcp from any to 129.215.96.75 port = 20
#pass in quick proto tcp from any to 129.215.96.75 port = 21
#
# Various netmeeting stuff for Arvind
block in proto tcp/udp from any to 129.215.96.118 head 308
pass in quick proto tcp from any to any port = 522 group 308
pass in quick proto tcp from any to any port = 389 group 308
pass in quick proto tcp from any to any port = 1503 group 308
pass in quick proto tcp from any to any port = 1720 group 308
pass in quick proto tcp from any to any port = 1731 group 308
pass in quick proto udp from any to any port 1024 >< 30000 group 308
pass in quick proto udp from any to any port > 40000 group 308
# Ditto for jhb
block in proto tcp/udp from any to 129.215.96.42 head 309
pass in quick proto tcp from any to any port = 522 group 309
pass in quick proto tcp from any to any port = 389 group 309
pass in quick proto tcp from any to any port = 1503 group 309
pass in quick proto tcp from any to any port = 1720 group 309
pass in quick proto tcp from any to any port = 1731 group 309
pass in quick proto tcp/udp from any to any port 1024 >< 30000 group 309
pass in quick proto udp from any to any port > 40000 group 309
#
# High tcp and udp from nameservers for milliways
pass in quick proto tcp/udp from any port = 53 to 129.215.96.248 port > 50000
#
#
# >>>> block.in.NFS+lock <<<<
# $Id: block.in.NFS+lock,v 1.6 2001/04/10 11:05:35 gdmr Exp $
# Block inbound NFS and lockd traffic. The TCP rules only block SYNs,
# since we don't want to stomp unnecessarily on outbound connections.
# We can't be so kind for UDP...
block in log quick proto tcp from any to any port = 2049 flags S/SA
block in log quick proto udp from any to any port = 2049
block in log quick proto tcp from any to any port = 4045 flags S/SA
block in log quick proto udp from any to any port = 4045
#
# >>>> block.in.gnats <<<<
# $Id: block.in.gnats,v 1.2 1999/02/02 15:49:19 gdmr Exp $
# Block S/SA for gnats. Don't bother replying.
block in log quick proto tcp from any to any port = 1529 flags S/SA
#
# >>>> block.in.SNMP <<<<
# $Id: block.in.SNMP,v 1.5 2001/03/15 15:06:34 gdmr Exp $
#block in quick proto udp from 129.215.0.0/16 to any port = 161
block in log quick proto udp from any to any port = 161
block in log quick proto udp from any to any port = 162
#
# >>>> block.in.dmi <<<<
# $Id: block.in.dmi,v 1.1 2001/03/26 10:55:16 gdmr Exp $
# Block everything to Sun's DMI port
block in log quick proto udp from any to any port = 6500
#
# >>>> block.in.amanda <<<<
# $Id: block.in.amanda,v 1.2 2000/03/20 14:19:51 gdmr Exp $
# Throw away without reply anything heading for our amanda ports
block in log quick proto udp from any to any port = 10080
#
# >>>> block.in.rsyncprobe <<<<
# $Id: block.in.rsyncprobe,v 1.1 2000/03/17 12:15:56 gdmr Exp $
# Block everything to the rsyncprobe port
block in log quick proto udp from any to any port = 5706
#
# >>>> ignore.in.http <<<<
# $Id: ignore.in.http,v 1.3 2000/02/02 14:45:54 gdmr Exp $
# Silently ignore (and don't bother replying to) any would-be web traffic.
# Real genuine web servers should have been listed before here.
block in quick proto tcp from any to any port = 80
block in quick proto tcp from any to any port = 8080
#
# >>>> ignore.in.syslog <<<<
# $Id: ignore.in.syslog,v 1.1 2000/10/02 14:18:33 gdmr Exp $
# Ignore all syslog from anywhere at all. It's *probably* one of our users
# on an ISP connection, but OTOH it might be malevolent...
block in quick proto udp from any to any port = 514
#
# >>>> ignore.in.netbios <<<<
# $Id: ignore.in.netbios,v 1.5 2001/04/05 10:35:27 gdmr Exp $
# Throw away anything to do with netbios. We're really not interested in
# all this stuff!
block in quick proto tcp/udp from any to any port 136 >< 140
#
# >>>> ignore.in.fragglies <<<<
# $Id: ignore.in.fragglies,v 1.2 1999/06/21 15:47:00 gdmr Exp $
# Silently ignore (and don't bother replying to) anything that could be
# a fraggle target. Normally these would be broadcast, of course, so caught
# anyway, but it'll also get rid of doubleclick's rubbish.
block in quick proto tcp/udp from any to any port < 20
#
# >>>> block.in.irc <<<<
# $Id: block.in.irc,v 1.1 2001/03/23 14:40:48 gdmr Exp $
# Block the "standard" irc ports: 6665, 6666, 6667, 6668, 6669
block in log quick proto tcp/udp from any to any port 6664 >< 6670
#
# >>>> pass.in.TCP-ACK+RST <<<<
# $Id: pass.in.TCP-ACK+RST,v 1.3 2001/04/06 15:10:23 gdmr Exp $
# Pass in TCP packets with the ACK bit set. The motivation for this is that
# if we accept SYN packets separately then everything else should come with
# an ACK. Anything that doesn't is then quite likely to belong to a stealth
# scan and can get picked up by the final catch-all blocking rule. Meanwhile
# this'll let through connections originated at our end. Unfortunately this
# does allow ACK->RST probes.
pass in quick proto tcp from any to any flags A/A
#
# Also let RST-only packets through, though not RST+anything. RST+ACK is
# covered by the previous rule, while RST+anything-else is illegal.
pass in quick proto tcp from any to any flags R
#
# >>>> pass.in.TCP-anon-ports <<<<
# $Id: pass.in.TCP-anon-ports,v 1.5 2001/04/23 10:50:11 gdmr Exp $
# Let through traffic for "non-privileged" ports. The hole in the middle
# is because we let the standard daemons start up in that range and then
# (with ndd in the system object) move the goalposts so they're protected.
pass in quick proto tcp from any to any port 1023 >< 9999 flags S
pass in quick proto tcp from any to any port > 40010 flags S
#
# >>>> pass.in.UDP-anon-ports <<<<
# $Id: pass.in.UDP-anon-ports,v 1.5 2001/04/23 10:51:31 gdmr Exp $
# Let through traffic for "non-privileged" ports. The hole in the middle
# is because we let the standard daemons start up in that range and then
# (with ndd in the system object) move the goalposts so they're protected.
# Note that only EdLAN gets to use the high lot...
pass in quick proto udp from any to any port 1023 >< 9999
pass in quick proto udp from 129.215.0.0/16 to any port > 40010
#
# >>>> pass.in.ICMP <<<<
# $Id: pass.in.ICMP,v 1.16 2001/04/12 11:22:35 gdmr Exp $
# Handle ICMP.
#
# Group head first
pass in proto icmp all head 281
#
# Silently throw away ICMP with fragmentation. There's no real reason
# why anyone should want to send us that.
block in quick all with frag group 281
#
# Multicast...
pass in quick from any to 224.0.0.0/8 group 281
#
# Pass in other relevant ICMP
pass in quick proto icmp all icmp-type unreach group 281
pass in quick proto icmp all icmp-type paramprob group 281
pass in quick proto icmp all icmp-type timex group 281
pass in quick proto icmp all icmp-type echorep group 281
pass in quick proto icmp all icmp-type timestrep group 281
pass in quick proto icmp all icmp-type squench group 281
#
# Be generous to EdLAN and Tardis
pass in quick proto icmp from 129.215.0.0/16 to any icmp-type echo group 281
pass in quick proto icmp from 193.62.81.0/24 to any icmp-type echo group 281
#
# Extra stuff where it's needed: charlotte, marmion, muck, remote, glory
pass in quick proto icmp from any to 129.215.216.53 icmp-type echo group 281
pass in quick proto icmp from any to 129.215.216.51 icmp-type echo group 281
pass in quick proto icmp from any to 129.215.216.15 icmp-type echo group 281
pass in quick proto icmp from any to 129.215.216.239 icmp-type echo group 281
pass in quick proto icmp from any to 129.215.216.201 icmp-type echo group 281
#
# Finally, just toss anything else that gets to here.
#block in quick proto icmp all icmp-type echo group 281
#block in quick proto icmp all icmp-type redir group 281
block in quick all group 281
#
# >>>> pass.in.frag <<<<
# $Id: pass.in.frag,v 1.3 2000/02/03 14:29:38 gdmr Exp $
# We have to let fragments through, as otherwise various things will stop
# working. Assume that the IP stack does the right thing...
# Only pass TCP or UDP, as there's no reason for anything else to
# be coming in fragmented, if indeed it even gets this far at all.
pass in quick proto tcp/udp from any to any with frag
#
# >>>> ignore.in.All-forus <<<<
# $Id: ignore.in.All-forus,v 1.1 2000/10/04 09:51:29 gdmr Exp $
# Throw away everything. Don't bother sending anything back to the other end.
block in quick from any to 129.215.216.251
block in quick from any to 129.215.160.251
block in quick from any to 129.215.58.250
block in quick from any to 129.215.96.17
block in quick from any to 129.215.199.251
#
# >>>> block.in.All <<<<
# $Id: block.in.All,v 1.11 2001/04/25 10:32:46 gdmr Exp $
# Backstop rules: drop everything that reaches as far as here.
#
# TCP: packets that contain a RST get silently dropped; all others have a
# RST returned for them. The purpose of the RST is twofold: it's kinder
# to genuine-but-misguided callers; and it helps to mask the open ports
# that we leave to the end systems' stacks to deal with and the ACK->RST
# probes that we noted in an earlier rules file.
block in log quick proto tcp from any to any flags R/R
block return-rst in log quick proto tcp from any to any
#
# Everything else: just log and drop it. Don't send anything back.
block in log quick from any to any
#
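The grouping idiom the comments in this file keep returning to (a non-"quick" block as the head of a group, "quick" passes inside the group, and a fall-through to the later rules when nothing in the group matches), together with the ACK/RST flag handling of the last few rule files, is easiest to see with a small model of ipf rule evaluation. The Python below is an added example, not part of this configuration and not IPFilter code: it parses the subset of ipf syntax these rules use, applies IPFilter's last-match-wins-unless-quick semantics with head/group dispatch, and runs constructed packets through an excerpt of the rules above. Two assumptions are built in and marked in the code: a bare `flags R` is treated as examining all six TCP flags, which is what the comment about passing RST-only but not RST+anything relies on, and a packet matched by no rule at all is passed, as ipf does by default. The packet addresses and ports are made up; 129.215.216.15 is muck from the wire-S list, and the names in the lead-in comments are the ones the rules use.

```python
"""Model of IPFilter rule evaluation for the ipf syntax subset used above: the last
matching rule wins unless it is 'quick', and a matching 'head' rule hands the packet
to its 'group' before evaluation continues.  Added example, not part of the config."""
import ipaddress

TCP_FLAGS = "FSRPAU"                           # ipf's six TCP flag letters
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _port_matcher(t, i):
    """Parse an optional 'port ...' clause at t[i]; return (predicate, index after it)."""
    if i >= len(t) or t[i] != "port":
        return (lambda p: True), i
    if i + 3 < len(t) and t[i + 2] == "><":       # exclusive range: 767 >< 1024 is 768..1023
        lo, hi = int(t[i + 1]), int(t[i + 3])
        return (lambda p: lo < p < hi), i + 4
    op, val = t[i + 1], int(t[i + 2])
    return {"=": lambda p: p == val, ">": lambda p: p > val, "<": lambda p: p < val}[op], i + 3


def parse_rule(text):
    """One rule line -> dict; an unsupported keyword raises rather than silently passing."""
    t = text.split()
    r = dict(text=text, action=t[0], direction=t[1], quick=False, log=False, rst=False, protos=(),
             src=ANY_NET, dst=ANY_NET, sport=lambda p: True, dport=lambda p: True,
             flags=None, head=None, group=None)
    i = 2
    if t[1] == "return-rst":                       # 'block return-rst in ...': answer with a RST
        r["rst"], r["direction"], i = True, t[2], 3
    while i < len(t):
        w, arg = t[i], (t[i + 1] if i + 1 < len(t) else None)
        i += 1
        if w in ("quick", "log"):
            r[w] = True
        elif w in ("on", "all"):                   # neither narrows the match in this model
            i += 1 if w == "on" else 0
        elif w == "proto":                         # 'tcp/udp' matches either protocol
            r["protos"], i = tuple(arg.split("/")), i + 1
        elif w in ("head", "group"):
            r[w], i = int(arg), i + 1
        elif w == "flags":     # 'S/SA': S set, A clear; bare 'R' examines all six (assumption)
            want, _, mask = arg.partition("/")
            r["flags"], i = (set(want), mask or TCP_FLAGS), i + 1
        elif w in ("from", "to"):
            r["src" if w == "from" else "dst"] = (
                ANY_NET if arg == "any" else ipaddress.ip_network(arg, strict=False))
            r["sport" if w == "from" else "dport"], i = _port_matcher(t, i + 1)
        else:
            raise ValueError(f"unsupported keyword {w!r} in: {text}")
    return r


def matches(r, pkt):
    if (r["direction"] != pkt["dir"] or (r["protos"] and pkt["proto"] not in r["protos"])
            or pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]):
        return False
    if pkt["proto"] in ("tcp", "udp") and not (r["sport"](pkt["sport"]) and r["dport"](pkt["dport"])):
        return False
    if r["flags"] is not None:                     # only the flags named in the mask are compared
        want, mask = r["flags"]
        if pkt["proto"] != "tcp" or {f for f in pkt["flags"] if f in mask} != want:
            return False
    return True


def evaluate(rules, pkt):
    # Final verdict; with no match at all ipf passes (assumed default), hence the backstop rules.
    verdict = {"action": "pass", "rule": None, "log": False, "rst": False}

    def run(seq):                                  # True once a 'quick' match has ended evaluation
        for r in seq:
            if not matches(r, pkt):
                continue
            verdict.update(action=r["action"], rule=r["text"], log=r["log"], rst=r["rst"])
            if r["quick"] or (r["head"] is not None
                              and run([g for g in rules if g["group"] == r["head"]])):
                return True
        return False

    run([r for r in rules if r["group"] is None])
    return verdict


# Excerpt of the rules above in their original order: group 216 is the wire-S service
# list, group 304 the EdLAN list, and the two backstop rules come last.
RULES = [parse_rule(line) for line in """\
block in log quick proto tcp from any to any flags SF/SF
block in proto tcp/udp from any to 129.215.216.0/24 head 216
pass in quick proto tcp from any to 129.215.216.15 port = 25 group 216
block in proto tcp/udp from 129.215.0.0/16 to any head 304
pass in quick proto tcp from any to any port = 23 group 304
pass in quick proto tcp/udp from any port = 2049 to any port 767 >< 1024 group 304
pass in quick proto tcp from any to any flags A/A
pass in quick proto tcp from any to any flags R
pass in quick proto tcp from any to any port 1023 >< 9999 flags S
block in log quick proto tcp from any to any flags R/R
block return-rst in log quick proto tcp from any to any
block in log quick from any to any""".splitlines()]


def packet(proto, src, sport, dst, dport, flags=""):
    """Constructed inbound packet (sample data, not captured traffic)."""
    return {"dir": "in", "proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "flags": set(flags)}
```

Calling `evaluate(RULES, packet(...))` returns the final action, whether a RST goes back, whether the packet would be logged, and the text of the deciding rule. Walking a SYN to muck port 25 through it shows the head-216 block being overridden by the group's quick pass; the same SYN to port 80 on muck matches the head, finds nothing in the group, falls through to the backstop and is answered with a RST; an ACK-only segment is let in by the `flags A/A` rule even though the head matched first; and a RST+SYN segment, which neither the `flags A/A` nor the bare `flags R` rule accepts, is dropped silently by the `flags R/R` backstop, exactly as the block.in.All comment describes.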