dariusii
Silver Member

# Variables used below are expected from the enclosing firewall script and are not
# defined in this fragment: cmd (typically "ipfw -q add"), pif (external DSL
# interface), pifvpn (VPN interface), voip (address of the VoIP machine), and
# skip / skipvpn, which from the numbered divert rules at the end are evidently
# "skipto 30000" and "skipto 40000".

# Statistics for incoming and outgoing packets through iinet
#Global Send packets
$cmd 510 count ip from any to any out via $pif
#Global Receive packets
$cmd 520 count ip from any to any in via $pif
#$cmd 530 check-state

#iinet
# Allow all connections that I initiate.
$cmd $skip tcp from any to any out xmit $pif setup
# Once connections are made, allow them to stay open.
$cmd $skip tcp from any to any out xmit $pif established
$cmd allow tcp from any to any in recv $pif established

#Allow all traffic to VoIP machine
#Allow ping
$cmd allow icmp from any to $voip in recv $pif
$cmd allow icmp from $voip to any out xmit $pif
#Allow traceroute with 255 hops max in and out
$cmd allow udp from any to $voip 33434-33689 in recv $pif
$cmd allow udp from $voip to any 33434-33689 out xmit $pif
#Allow ssh
$cmd allow tcp from any to $voip 22 in recv $pif setup
$cmd allow tcp from any to $voip 80 in recv $pif setup
#IAX2 port
$cmd allow udp from $voip 4569 to any out xmit $pif
$cmd allow udp from any to $voip 4569 in recv $pif
#IAX port
$cmd allow udp from $voip 5036 to any out xmit $pif
$cmd allow udp from any to $voip 5036 in recv $pif
#SIP ports
$cmd allow tcp from any to $voip 5060-5070 in recv $pif setup
$cmd allow tcp from any to $voip 5190 in recv $pif setup
$cmd allow tcp from any to $voip 5298 in recv $pif setup
#Allow UDP for SIP
$cmd allow udp from $voip 5060-5070 to any out xmit $pif
$cmd allow udp from any to $voip 5060-5070 in recv $pif
$cmd allow udp from $voip 10000-20000 to any out xmit $pif
$cmd allow udp from any to $voip 10000-20000 in recv $pif
#Allow all local traffic to VOIP (shouldn't be necessary until we put a different network card)
$cmd allow ip from 192.168.0.1/16 to $voip
$cmd allow ip from $voip to 192.168.0.1/16
# Deny everything else
$cmd deny log ip from $voip to any via $pif
$cmd deny log ip from any to $voip via $pif

#VPN server
$cmd allow tcp from any to 192.168.0.1 1723 in recv $pif setup
$cmd allow gre from any to any in recv $pif
$cmd $skip gre from any to any out xmit $pif
#Allow traffic on VPN connections ng0 to ng5
$cmd allow all from any to any via ng0
$cmd allow all from any to any via ng1
$cmd allow all from any to any via ng2
$cmd allow all from any to any via ng3
$cmd allow all from any to any via ng4
$cmd allow all from any to any via ng5

# Everyone on the internet is allowed to connect to the following
# services on the machine.
#SSH server on server1 and gateway
$cmd allow tcp from any to 192.168.0.3 22 in recv $pif setup
$cmd allow tcp from any to 192.168.0.1 22 in recv $pif setup
#mail server is on 192.168.0.3/4/5
$cmd allow tcp from any to 192.168.0.5 25 in recv $pif setup
$cmd allow tcp from any to 192.168.0.5 8025 in recv $pif setup
$cmd allow tcp from any to 192.168.0.5 465 in recv $pif setup
#LDAP
$cmd allow tcp from any to 192.168.0.5 636,389 in recv $pif setup
#COURIER-IMAP
$cmd allow tcp from any to 192.168.0.5 8110,8143,8993,8995 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8110,8143,8993,8995 in recv $pif setup
#Web server is on 192.168.0.3 for iinet
$cmd allow tcp from any to 192.168.0.3 80 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8180 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8080 in recv $pif setup
#SSL Web server is on 192.168.0.3
$cmd allow tcp from any to 192.168.0.3 443 in recv $pif setup
#SSL Web server is on 192.168.0.6
$cmd allow tcp from any to 192.168.0.6 443 in recv $pif setup
#Secure POP server is on 192.168.0.5
$cmd allow tcp from any to 192.168.0.5 pop3s in recv $pif setup
#Secure IMAPs server is on 192.168.0.5
$cmd allow tcp from any to 192.168.0.5 imaps in recv $pif setup
#Secure IMAP server is on 192.168.0.3
$cmd allow tcp from any to 192.168.0.5 imap in recv $pif setup
##Servlet/Tomcat
#$cmd allow tcp from any to 192.168.0.5 8080 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 80 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 8443 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 8180 in recv $pif setup

#Allow CISCO VPN connection
$cmd allow udp from any to 192.168.0.1/23 500,10000,20001
$cmd $skip udp from 192.168.0.1/23 to any 500,10000,20001
$cmd allow esp from any to any
$cmd divert 8669 ip from any to any in recv $pifvpn
#Only allow ssh to TI-CVS so far
$cmd $skipvpn tcp from me to any 22 setup via $pifvpn keep-state
$cmd $skipvpn tcp from 192.168.0.0/23 to any 22 setup via $pifvpn keep-state
#Also allow DNS query
$cmd allow udp from any 53 to 192.168.0.1/23 in recv $pifvpn
$cmd $skipvpn udp from 192.168.0.0/23 to any 53 out xmit $pifvpn
$cmd $skipvpn tcp from 192.168.0.0/23 to any 53 setup via $pifvpn keep-state
#deny all other traffic
$cmd deny log ip from any to any via $pifvpn

#Open port for vnc on JYAPC
$cmd allow tcp from any to 192.168.0.2 5900 setup
$cmd allow tcp from any to 192.168.0.2 5800 setup
$cmd allow tcp from any to 192.168.0.61 5900 setup
$cmd allow tcp from any to 192.168.0.61 5800 setup
$cmd allow tcp from any to 192.168.0.2 3389 setup
$cmd allow tcp from any to 192.168.0.2 80 setup
#open port for limewire on powerbook
$cmd allow tcp from any to 192.168.0.59 6346 setup
$cmd allow tcp from any to 192.168.0.2 4661 setup
$cmd allow tcp from any to 192.168.0.2 4662 setup
$cmd allow udp from any to 192.168.0.2 4665
$cmd $skip udp from 192.168.0.2 to any 4665
$cmd $skip udp from 202.59.106.233 to any 4665
$cmd allow tcp from any to 192.168.0.61 4661 setup
$cmd allow tcp from any to 192.168.0.61 4662 setup
$cmd allow udp from any to 192.168.0.61 4665
$cmd $skip udp from 192.168.0.61 to any 4665
$cmd $skip udp from 58.6.68.93 to any 4665
$cmd allow udp from any to 192.168.0.61 4666
$cmd $skip udp from 192.168.0.61 to any 4666
$cmd $skip udp from 58.6.68.93 to any 4666
#Kazaa
$cmd allow tcp from any to 192.168.0.61 1214 setup
$cmd allow udp from any to 192.168.0.61 1214
#BitTorrent
$cmd allow tcp from any to 192.168.0.61 6881 setup
$cmd allow udp from any to 192.168.0.61 6881

# Allow query to/from local DNS server from outside
$cmd allow tcp from any to me 53 in recv $pif
$cmd allow udp from any to me 53 in recv $pif
$cmd $skip tcp from me to any 53 out xmit $pif setup
$cmd $skip udp from me to any 53 out xmit $pif
#Allow DNS query from ns1 and ns4
$cmd $skip udp from 203.217.31.225 53 to any out xmit $pif
$cmd $skip udp from 58.6.68.93 53 to any out xmit $pif
#Allow DNS query and answer from server2
$cmd $skip udp from 192.168.0.5 to any 53 out xmit $pif
$cmd allow udp from any 53 to 192.168.0.5 in recv $pif

# Deny all inbound traffic from non-routable reserved address spaces
$cmd deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny tcp from any to any 134 in via $pif
$cmd deny udp from any to any 134 in via $pif
$cmd deny tcp from any to any 135 in via $pif
$cmd deny udp from any to any 135 in via $pif
$cmd deny tcp from any to any 137 in via $pif
$cmd deny udp from any to any 137 in via $pif
$cmd deny tcp from any to any 138 in via $pif
$cmd deny udp from any to any 138 in via $pif
$cmd deny tcp from any to any 139 in via $pif
$cmd deny udp from any to any 139 in via $pif
$cmd deny tcp from any to any 81 in via $pif
$cmd deny udp from any to any 81 in via $pif
# Deny MS shit
$cmd deny tcp from any to any 445 in via $pif
$cmd deny udp from any to any 445 in via $pif
# Deny any late arriving packets
$cmd deny all from any to any frag in via $pif
# This sends a RESET to all ident packets.
$cmd reset log tcp from any to any 113 in recv $pif

#allow connection in and out to Internode NTP server
$cmd allow udp from 203.16.214.199 123 to me in recv $pif
$cmd $skip udp from me to 203.16.214.199 123 out xmit $pif
#allow connection in and out to ntp.cs.mu.OZ.AU NTP server (it has 2 IP addresses)
$cmd allow udp from 128.250.37.1 123 to me in recv $pif
$cmd $skip udp from me to 128.250.37.1 123 out xmit $pif
$cmd allow udp from 128.250.36.2 123 to me in recv $pif
$cmd $skip udp from me to 128.250.36.2 123 out xmit $pif
#Allow connection in and out to ntp.mel.nml.CSIRO.AU
$cmd allow udp from 138.194.21.154 123 to me in recv $pif
$cmd $skip udp from me to 138.194.21.154 123 out xmit $pif

# Allow ICMP (for ping and traceroute to work).
$cmd $skip icmp from any to any out xmit $pif
# Allow in icmp responses (such as ping)
$cmd allow icmp from any to any in recv $pif

# Rules for DCC
$cmd allow udp from any 6277 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 6277 out xmit $pif
$cmd allow udp from any 1023 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 1023 out xmit $pif
#Rules for Pyzor
$cmd allow udp from any 24441 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 24441 out xmit $pif
#Allow UDP from localhost
$cmd $skip udp from me to any
$cmd allow udp from any to me

# Deny all the rest.
$cmd deny log ip from any to any
$cmd deny log all from any to any

#Authorised traffic on my DSL interface
$cmd 30000 divert natd ip from any to any out xmit $pif
$cmd allow ip from any to any
#Authorised traffic on VPN
$cmd 40000 divert 8669 ip from any to any out xmit $pifvpn
$cmd allow ip from any to any via $pifvpn

Total posts: 2458 | Registered: 08-11-2003 | Posted: 06:00 25-09-2006 | Edited: dariusii, 07:26 25-09-2006
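A ruleset of this size is easy to get subtly wrong, so here is an added example (not from the post above) of a small lint for `$cmd`-style ipfw rule lists. It assumes the auto-numbering behaviour of `ipfw add` (an unnumbered rule lands after the previously added one, so unnumbered rules that follow an unconditional deny are dead unless a numbered rule intervenes) and checks for the two syntax slips that appeared in the original posting: a doubled `setup` and a rule missing its `from` clause. The sample rules are constructed for the demonstration.

```python
import re

# Constructed sample in the shape of the ruleset above, including a doubled
# "setup", a rule with no "from", and an unnumbered rule after "deny log ip".
SAMPLE = """\
$cmd 510 count ip from any to any out via $pif
$cmd $skip tcp from any to any out xmit $pif setup
$cmd allow tcp from any to 192.168.0.3 22 setup in recv $pif setup
$cmd $skipvpn udp 192.168.0.0/23 to any 53 out xmit $pifvpn
$cmd deny log ip from any to any
$cmd allow udp from any to me
$cmd 30000 divert natd ip from any to any out xmit $pif
$cmd allow ip from any to any
"""

# "$cmd [number] action rest-of-rule"; the action may itself be a variable like $skip.
RULE = re.compile(r'^\$cmd\s+(?:(\d+)\s+)?(\S+)\s+(.*)$')
# A deny body that matches every packet on every interface (optionally logged).
CATCH_ALL = re.compile(r'^(?:log\s+)?(?:ip|all)\s+from\s+any\s+to\s+any\s*$')

def audit_rules(text):
    """Return a list of (line_no, message) findings for an ipfw $cmd ruleset."""
    findings = []
    blocked = False  # True once an unconditional deny has been added
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop trailing comments
        m = RULE.match(line)
        if not m:
            continue
        number, action, body = m.groups()
        tokens = body.split()
        if tokens.count('setup') > 1:
            findings.append((n, 'duplicate "setup" keyword'))
        if 'from' not in tokens:
            findings.append((n, 'missing "from" clause'))
        if number is not None:
            blocked = False   # explicit number: rule is placed elsewhere (skipto target)
        elif blocked:
            findings.append((n, 'unreachable: follows an unconditional deny'))
        if action == 'deny' and CATCH_ALL.match(body):
            blocked = True
    return findings

if __name__ == '__main__':
    for line_no, msg in audit_rules(SAMPLE):
        print(f'line {line_no}: {msg}')
```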