Ru.Board Computer Forum » Computers » Programs » WIPFW / IPFW
dariusii



Silver Member
# Statistics for incoming and outcoming packets through iinet
#Global Send packets
$cmd 510 count ip from any to any out via $pif
#Global Receive packets
$cmd 520 count ip from any to any in via $pif
 
#$cmd 530 check-state
 
#iinet
# Allow all connections that I initiate.
$cmd $skip tcp from any to any out xmit $pif setup
# Once connections are made, allow them to stay open.
$cmd $skip tcp from any to any out xmit $pif established
$cmd allow tcp from any to any in recv $pif established
 
#Allow all traffic to VoIP machine
#Allow ping
$cmd allow icmp from any to $voip in recv $pif
$cmd allow icmp from $voip to any out xmit $pif
#Allow traceroute with 255 hops max in and out
$cmd allow udp from any to $voip 33434-33689 in recv $pif
$cmd allow udp from $voip to any 33434-33689 out xmit $pif
#Allow ssh
$cmd allow tcp from any to $voip 22 in recv $pif setup
$cmd allow tcp from any to $voip 80 in recv $pif setup
#IAX2 port
$cmd allow udp from $voip 4569 to any out xmit $pif
$cmd allow udp from any to $voip 4569 in recv $pif
#IAX port
$cmd allow udp from $voip 5036 to any out xmit $pif
$cmd allow udp from any to $voip 5036 in recv $pif
 
#SIP ports
$cmd allow tcp from any to $voip 5060-5070 in recv $pif setup
$cmd allow tcp from any to $voip 5190 in recv $pif setup
$cmd allow tcp from any to $voip 5298 in recv $pif setup
#Allow UDP for SIP
$cmd allow udp from $voip 5060-5070 to any out xmit $pif
$cmd allow udp from any to $voip 5060-5070 in recv $pif
$cmd allow udp from $voip 10000-20000 to any out xmit $pif
$cmd allow udp from any to $voip 10000-20000 in recv $pif
#Allow all local traffic to VOIP (shouldn't be necessary until we put a different network card)
$cmd allow ip from 192.168.0.1/16 to $voip
$cmd allow ip from $voip to 192.168.0.1/16
 
# Deny everything else
$cmd deny log ip from $voip to any via $pif
$cmd deny log ip from any to $voip via $pif
 
#VPN server
$cmd allow tcp from any to 192.168.0.1 1723 in recv $pif setup
$cmd allow gre from any to any in recv $pif
$cmd $skip gre from any to any out xmit $pif
 
#Allow traffic on VPN connections ng0 to ng5
$cmd allow all from any to any via ng0
$cmd allow all from any to any via ng1
$cmd allow all from any to any via ng2
$cmd allow all from any to any via ng3
$cmd allow all from any to any via ng4
$cmd allow all from any to any via ng5
 
# Everyone on the internet is allowed to connect to the following
# services on the machine.
#SSH server on server1 and gateway
$cmd allow tcp from any to 192.168.0.3 22 in recv $pif setup
$cmd allow tcp from any to 192.168.0.1 22 in recv $pif setup
#mail server is on 192.168.0.3/4/5
$cmd allow tcp from any to 192.168.0.5 25 in recv $pif setup
$cmd allow tcp from any to 192.168.0.5 8025 in recv $pif setup
$cmd allow tcp from any to 192.168.0.5 465 in recv $pif setup
 
#LDAP
$cmd allow tcp from any to 192.168.0.5 636,389 in recv $pif setup
#COURIER-IMAP
$cmd allow tcp from any to 192.168.0.5 8110,8143,8993,8995 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8110,8143,8993,8995 in recv $pif setup
 
#Web server is on 192.168.0.3 for iinet
$cmd allow tcp from any to 192.168.0.3 80 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8180 in recv $pif setup
$cmd allow tcp from any to 192.168.0.3 8080 in recv $pif setup
#SSL Web server is on 192.168.0.3
$cmd allow tcp from any to 192.168.0.3 443 in recv $pif setup
#SSL Web server is on 192.168.0.6
$cmd allow tcp from any to 192.168.0.6 443 in recv $pif setup
#Secure POP server is on 192.168.0.5
$cmd allow tcp from any to 192.168.0.5 pop3s in recv $pif setup
#Secure IMAPs server is on 192.168.0.5
$cmd allow tcp from any to 192.168.0.5 imaps in recv $pif setup
#Secure IMAP server is on 192.168.0.3
$cmd allow tcp from any to 192.168.0.5 imap in recv $pif setup
##Servlet/Tomcat
#$cmd allow tcp from any to 192.168.0.5 8080 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 80 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 8443 in recv $pif setup
#$cmd allow tcp from any to 192.168.0.5 8180 in recv $pif setup
 
#Allow CISCO VPN connection
$cmd allow udp from any to 192.168.0.1/23 500,10000,20001
$cmd $skip udp from 192.168.0.1/23 to any 500,10000,20001
$cmd allow esp from any to any
$cmd divert 8669 ip from any to any in recv $pifvpn
 
#Only allow ssh to TI-CVS so far
$cmd $skipvpn tcp from me to any 22 setup via $pifvpn keep-state
$cmd $skipvpn tcp from 192.168.0.0/23 to any 22 setup via $pifvpn keep-state
#Also allow DNS query
$cmd allow udp from any 53 to 192.168.0.1/23 in recv $pifvpn
$cmd $skipvpn udp from 192.168.0.0/23 to any 53 out xmit $pifvpn
$cmd $skipvpn tcp from 192.168.0.0/23 to any 53 setup via $pifvpn keep-state
 
#deny all other traffic
$cmd deny log ip from any to any via $pifvpn
 
#Open port for vnc on JYAPC
$cmd allow tcp from any to 192.168.0.2 5900 setup
$cmd allow tcp from any to 192.168.0.2 5800 setup
$cmd allow tcp from any to 192.168.0.61 5900 setup
$cmd allow tcp from any to 192.168.0.61 5800 setup
$cmd allow tcp from any to 192.168.0.2 3389 setup
$cmd allow tcp from any to 192.168.0.2 80 setup
 
#open port for limewire on powerbook
$cmd allow tcp from any to 192.168.0.59 6346 setup
$cmd allow tcp from any to 192.168.0.2 4661 setup
$cmd allow tcp from any to 192.168.0.2 4662 setup
$cmd allow udp from any to 192.168.0.2 4665
$cmd $skip udp from 192.168.0.2 to any 4665
$cmd $skip udp from 202.59.106.233 to any 4665
 
$cmd allow tcp from any to 192.168.0.61 4661 setup
$cmd allow tcp from any to 192.168.0.61 4662 setup
$cmd allow udp from any to 192.168.0.61 4665
$cmd $skip udp from 192.168.0.61 to any 4665
$cmd $skip udp from 58.6.68.93 to any 4665
$cmd allow udp from any to 192.168.0.61 4666
$cmd $skip udp from 192.168.0.61 to any 4666
$cmd $skip udp from 58.6.68.93 to any 4666
#Kazaa
$cmd allow tcp from any to 192.168.0.61 1214 setup
$cmd allow udp from any to 192.168.0.61 1214
#BitTorrent
$cmd allow tcp from any to 192.168.0.61 6881 setup
$cmd allow udp from any to 192.168.0.61 6881
 
# Allow query to/from local DNS server from outside
$cmd allow tcp from any to me 53 in recv $pif
$cmd allow udp from any to me 53 in recv $pif
$cmd $skip tcp from me to any 53 out xmit $pif setup
$cmd $skip udp from me to any 53 out xmit $pif
 
#Allow DNS query from ns1 and ns4
$cmd $skip udp from 203.217.31.225 53 to any out xmit $pif
$cmd $skip udp from 58.6.68.93 53 to any out xmit $pif
 
#Allow DNS query and answer from server2
$cmd $skip udp from 192.168.0.5 to any 53 out xmit $pif
$cmd allow udp from any 53 to 192.168.0.5 in recv $pif
 
# Deny all inbound traffic from non-routable reserved address spaces
$cmd deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
 
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny tcp from any to any 134 in via $pif
$cmd deny udp from any to any 134 in via $pif
$cmd deny tcp from any to any 135 in via $pif
$cmd deny udp from any to any 135 in via $pif
$cmd deny tcp from any to any 137 in via $pif
$cmd deny udp from any to any 137 in via $pif
$cmd deny tcp from any to any 138 in via $pif
$cmd deny udp from any to any 138 in via $pif
$cmd deny tcp from any to any 139 in via $pif
$cmd deny udp from any to any 139 in via $pif
$cmd deny tcp from any to any 81 in via $pif
$cmd deny udp from any to any 81 in via $pif
# Deny MS shit
$cmd deny tcp from any to any 445 in via $pif
$cmd deny udp from any to any 445 in via $pif
 
# Deny any late arriving packets
$cmd deny all from any to any frag in via $pif
 
# This sends a RESET to all ident packets.
$cmd reset log tcp from any to any 113 in recv $pif
 
#allow connection in and out to Internode NTP server
$cmd allow udp from 203.16.214.199 123 to me in recv $pif
$cmd $skip udp from me to 203.16.214.199 123 out xmit $pif
 
#allow connection in and out to ntp.cs.mu.OZ.AU NTP server (it has 2 IP addresses)
$cmd allow udp from 128.250.37.1 123 to me in recv $pif
$cmd $skip udp from me to 128.250.37.1 123 out xmit $pif
$cmd allow udp from 128.250.36.2 123 to me in recv $pif
$cmd $skip udp from me to 128.250.36.2 123 out xmit $pif
 
#Allow connection in and out to ntp.mel.nml.CSIRO.AU
$cmd allow udp from 138.194.21.154 to me in recv $pif
$cmd $skip udp from me to 138.194.21.154 123 out xmit $pif
 
# Allow ICMP (for ping and traceroute to work).
$cmd $skip icmp from any to any out xmit $pif
# Allow in icmp responses (such as ping)
$cmd allow icmp from any to any in recv $pif
 
# Rules for DCC
$cmd allow udp from any 6277 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 6277 out xmit $pif
$cmd allow udp from any 1023 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 1023 out xmit $pif
#Rules for Pyzor
$cmd allow udp from any 24441 to 192.168.0.5 in recv $pif
$cmd $skip udp from 192.168.0.5 to any 24441 out xmit $pif
 
#Allow UDP from localhost
$cmd $skip udp from me to any
$cmd allow udp from any to me
 
# Deny all the rest.
$cmd deny log ip from any to any
$cmd deny log all from any to any
 
$cmd 30000 divert natd ip from any to any out xmit $pif
$cmd allow ip from any to any
 
#Authorised traffic on my DSL interface
$cmd 30000 divert natd ip from any to any out xmit $pif
$cmd allow ip from any to any
 
#Authorised traffic on VPN
$cmd 40000 divert 8669 ip from any to any out xmit $pifvpn
$cmd allow ip from any to any via $pifvpn

Total posts: 2458 | Registered: 08-11-2003 | Posted: 06:00 25-09-2006 | Edited: dariusii, 07:26 25-09-2006
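Added example (not part of dariusii's post): a small Python lint for rule lines in exactly this shape, with the shell variables ($cmd, $skipvpn, $pif) kept as literal tokens. It flags a missing `from`, an option such as `setup` repeated on one line, and un-numbered rules that sit behind a catch-all `deny ... from any to any` and so are reachable only through a numbered skipto target; the sample lines are constructed.

```python
# Constructed sample in the shape of the posted ruleset; $cmd/$skipvpn/$pif stay literal tokens.
SAMPLE = [
    "$cmd allow tcp from any to 192.168.0.3 22 setup in recv $pif setup",
    "$cmd $skipvpn udp 192.168.0.0/23 to any 53 out xmit $pifvpn",
    "$cmd deny log ip from any to any",
    "$cmd deny log all from any to any",
    "$cmd 30000 divert natd ip from any to any out xmit $pif",
]
OPTIONS = ("setup", "established", "keep-state", "in", "out", "frag")

def parse_rule(line):
    """Split one '$cmd ...' line into rule number, action, protocol and body tokens."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "$cmd":   # blank line, comment or not a rule
        return None
    toks = toks[1:]
    num = int(toks.pop(0)) if toks[0].isdigit() else None
    action = toks.pop(0)
    if action in ("divert", "tee", "skipto") and toks:  # these actions take an argument
        action += " " + toks.pop(0)
    if toks and toks[0] == "log": toks.pop(0)           # optional log keyword
    proto = toks.pop(0) if toks else None
    return {"num": num, "action": action, "proto": proto, "body": toks}

def lint_rule(rule):
    """Syntax-level findings: missing 'from ... to ...' clause, repeated options."""
    findings, body = [], rule["body"]
    if rule["action"] != "check-state" and (not body or body[0] != "from" or "to" not in body):
        findings.append("missing 'from ... to ...' clause")
    dup = sorted({w for w in body if w in OPTIONS and body.count(w) > 1})
    if dup:
        findings.append("duplicated option(s): " + ", ".join(dup))
    return findings

def lint_ruleset(lines):
    """Map line number -> findings; un-numbered rules after a catch-all deny sit behind it."""
    report, after_catchall = {}, False
    for n, line in enumerate(lines, 1):
        rule = parse_rule(line.strip())
        if rule is None: continue
        findings = lint_rule(rule)
        if rule["num"] is not None:
            after_catchall = False          # numbered rule: may be a skipto target
        elif after_catchall:
            findings.append("unreachable: follows a catch-all deny without a rule number")
        if rule["action"].startswith("deny") and rule["body"] == ["from", "any", "to", "any"]:
            after_catchall = True
        if findings:
            report[n] = findings
    return report
```

Run `lint_ruleset` over the real script (with the shell variables unexpanded) to get the same three classes of finding per line; a numbered rule resets the reachability check because it can be the target of a skipto.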