
Re: ipf rules for dial-up system



Charles Calthrop wrote:
> 
> Hi there,
> 
> I'd like to implement some filtering rules in my OpenBSD system at home,
> which has dial-up access to the net. Basically, I would like to
> deny access to all incoming connections while not interfering with
> outgoing ones.
> 
> Anyone care to share some ipf rules suitable for this task?

Replace ppp0 with your interface name if it's different. Replace
192.168.0.0/24 with your internal netblock.

# drop and log everything arriving on ppp0; replies to outgoing
# connections still get in because "keep state" entries are checked
# before any rule
block in log quick on ppp0 from any to any head 01

# default-deny outbound, then allow the internal net out (group 02)
block out log on ppp0 from any to any head 02
pass out quick on ppp0 proto tcp from 192.168.0.0/24 to any keep state group 02
pass out quick on ppp0 proto udp from 192.168.0.0/24 to any keep state group 02
pass out quick on ppp0 proto icmp from 192.168.0.0/24 to any keep state group 02

This should work, provided you don't want to use active ftp
(passive-mode will work fine though).

Rather than follow this, read:
http://www.obfuscation.org/ipf/ipf-howto.html

- Aidan

-- 
Aidan Skinner
Programmer
Reality Group Ltd
tel: +44 (0)141 810 2500 
fax: +44 (0)141 810 3262 
email: aidan_(_at_)_reality_(_dot_)_co_(_dot_)_uk
http://www.reality.co.uk

"Bother", said Pooh, as Piglet ran off with his wife and kids.

===============================================
The content of this email is intended solely for the person(s)
to which the message is addressed above, and should be treated
as confidential.  Access by or disclosure to anyone other than
the intended recipient for any reason other than the business
purpose for which the message is intended, is unauthorised. 
All reasonable precautions have been taken to ensure no viruses
are present in this e-mail. Reality Group Ltd cannot accept
responsibility for loss or damage arising from the use of this
e-mail.
===============================================
Should you receive this message in error, please notify
webmaster_(_at_)_reality_(_dot_)_co_(_dot_)_uk immediately, and delete the message
from your operating system.
===============================================
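The ruleset above run through a small model of ipf's evaluation order: an added example, not code from the original post or from ipf itself. It assumes simplified semantics (state table consulted before any rule; last match wins unless a rule is quick; a matching head rule hands evaluation to its group) and uses constructed sample addresses; it shows why replies to tracked outgoing flows get in while unsolicited inbound connections, such as an active-ftp data connection from port 20, do not, and that the pass rules only cover sources inside 192.168.0.0/24.

```python
from dataclasses import dataclass
INTERNAL = "192.168.0."  # stands in for the 192.168.0.0/24 netblock in the rules
@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" on ppp0
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

# The posted rules as (action, direction, quick, proto, src_prefix, keep_state, head, group).
RULES = [
    ("block", "in",  True,  None,   None,     False, "01", None),  # block in log quick ... head 01
    ("block", "out", False, None,   None,     False, "02", None),  # block out log ... head 02
    ("pass",  "out", True,  "tcp",  INTERNAL, True,  None, "02"),  # pass out quick proto tcp ... group 02
    ("pass",  "out", True,  "udp",  INTERNAL, True,  None, "02"),
    ("pass",  "out", True,  "icmp", INTERNAL, True,  None, "02"),
]
TOP = [r for r in RULES if r[7] is None]
GROUPS = {g: [r for r in RULES if r[7] == g] for g in ("01", "02")}

class Firewall:
    def __init__(self):
        self.state = set()  # flows that matched a "keep state" pass rule

    def check(self, p):
        """Verdict for one packet: state table first, then the rule walk."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:
            return "pass"  # a reply to a tracked flow never touches the rules
        return self._walk(p, TOP, "pass")[0]  # ipf passes by default if nothing matches

    def _walk(self, p, rules, verdict):
        for action, direction, quick, proto, src, keep, head, _ in rules:
            if direction != p.direction or (proto and proto != p.proto) \
                    or (src and not p.src.startswith(src)):
                continue
            verdict = action  # last match wins ...
            if head:          # ... a matching head rule hands off to its group
                verdict, done = self._walk(p, GROUPS[head], verdict)
                if done:
                    return verdict, True
            if keep and verdict == "pass":
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            if quick:         # ... unless the match is "quick"
                return verdict, True
        return verdict, False
```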