shorewall_code/contrib/shoregen/samples/rules

188 lines
4.3 KiB
Plaintext
Raw Normal View History

#
# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
#
# Master Rules File
#
# This file is organised into 4 main sections:
# 1. Rules that need to transcend the more general WARN/BAN rules. The
# reason for this is typically system administration and
# troubleshooting. This section should be kept as small as possible.
# 2. WARN/BAN rules to put restrictions on which rules contravening
# policies may be created. This section should be as large as
# possible, if you take a traditional (i.e. paranoid) approach to
# firewall design.
# 3. Noise-reducing rules for illegitimate traffic. This is typically
# small, but may grow as time goes on.
# 4. Normal rules which define the holes in your firewall. Again, this
# should include only the rules you need and no more. However, even
# on a simple home network like mine, this section tends to get
# large!
#
#
# Order by port, protocol, dest zone (in->out order), src zone (in->out
# order).
#
#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
#
# Nearly all of these rules should be limited to system administration
# terminals. These would be better put in a separate zone.
#
# ping (more below)
ACCEPT lan og icmp 8
# ssh (more below)
ACCEPT lan og tcp 22
ACCEPT ig og tcp 22
# SNMP (more below) - for MRTG stats run from LAN
ACCEPT lan og udp 161
# syslog (more below)
ACCEPT ig lan udp 514
# Squid - this wouldn't be necessary except that a lot of OS updates are
# rather large...
ACCEPT mail proxy tcp 3128
#
# Section 2: WARN/BAN rule directives
#
BAN ig lan
BAN mail proxy
BAN lan og
BAN ig og
#
# Section 3: Drop noisy junk
#
# auth - reverse of the SMTP rules below
REJECT mail lan tcp 113
REJECT mail guest tcp 113
REJECT mail ig tcp 113
REJECT mail proxy tcp 113
REJECT mail og tcp 113
REJECT net og tcp 113
REJECT mail net tcp 113
# KaZaA file sharing
DROP net og tcp 1214
# Gnutella server
REJECT net og tcp 6346,6347
# Half-Life
REJECT net og udp 27015,27016
#
# Section 4: Normal traffic
#
# ping (more above)
ACCEPT lan ig icmp 8
ACCEPT lan proxy icmp 8
ACCEPT lan mail icmp 8
ACCEPT ig proxy icmp 8
ACCEPT ig mail icmp 8
ACCEPT og proxy icmp 8
ACCEPT og mail icmp 8
ACCEPT og net icmp 8
# FTP
ACCEPT proxy net tcp 21
# ssh (more above)
ACCEPT lan ig tcp 22
ACCEPT lan proxy tcp 22
ACCEPT lan mail tcp 22
ACCEPT lan net tcp 22
ACCEPT ig proxy tcp 22
ACCEPT ig mail tcp 22
ACCEPT proxy mail tcp 22
ACCEPT proxy net tcp 22
# SMTP
ACCEPT lan mail tcp 25
ACCEPT guest mail tcp 25
ACCEPT ig mail tcp 25
ACCEPT proxy mail tcp 25
ACCEPT og mail tcp 25
DNAT net mail:$MAIL tcp 25
ACCEPT mail net tcp 25
# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
# proxy, and mail independent of the rest (proxy & mail should run their
# own caches).
ACCEPT lan proxy tcp 53
ACCEPT lan proxy udp 53
ACCEPT guest proxy tcp 53
ACCEPT guest proxy udp 53
ACCEPT ig proxy tcp 53
ACCEPT ig proxy udp 53
ACCEPT og proxy tcp 53
ACCEPT og proxy udp 53
ACCEPT proxy net tcp 53
ACCEPT proxy net udp 53
ACCEPT mail net tcp 53
ACCEPT mail net udp 53
# HTTP
ACCEPT proxy net tcp 80
# POP3 - must be proxied through mail
ACCEPT mail net tcp 110
ACCEPT lan mail tcp 110
# NNTP - application layer proxy (e.g. leafnode) on proxy
ACCEPT lan proxy tcp 119
ACCEPT proxy net tcp 119
# NTP - we really need more than 2 servers, but this is only an example. :-)
ACCEPT lan proxy udp 123
ACCEPT lan mail udp 123
ACCEPT ig proxy udp 123
ACCEPT ig mail udp 123
ACCEPT proxy net udp 123
ACCEPT mail net udp 123
ACCEPT og proxy udp 123
ACCEPT og mail udp 123
# IMAP
ACCEPT lan mail tcp 143
ACCEPT guest mail tcp 143
# SNMP (more above) - for MRTG stats
ACCEPT lan ig udp 161
ACCEPT lan proxy udp 161
ACCEPT lan mail udp 161
# HTTPS
ACCEPT proxy net tcp 443
# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
ACCEPT og mail udp 514
ACCEPT proxy mail udp 514
# Squid
ACCEPT lan proxy tcp 3128
ACCEPT guest proxy tcp 3128
ACCEPT ig proxy tcp 3128
ACCEPT og proxy tcp 3128
# Webmin
ACCEPT lan proxy tcp 10000
ACCEPT guest proxy tcp 10000
ACCEPT ig proxy tcp 10000
ACCEPT og proxy tcp 10000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE