#
# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
#
# Master Rules File
#
# This file is organised into 4 main sections:
#   1.	Rules that must override the more general WARN/BAN directives in
#	section 2.  The reason for this is typically system administration
#	and troubleshooting.  This section should be kept as small as
#	possible.
#   2.	WARN/BAN directives that restrict which policy-contravening rules
#	may be created.  This section should be as large as possible, if
#	you take a traditional (i.e. paranoid) approach to firewall
#	design.
#   3.	Noise-reducing rules for illegitimate traffic.  This is typically
#	small, but may grow as time goes on.
#   4.	Normal rules which define the holes in your firewall.  Again, this
#	should include only the rules you need and no more.  However, even
#	on a simple home network like mine, this section tends to get
#	large!
#

#
# Within each section, order rules by port, then protocol, then dest zone
# (in->out order), then src zone (in->out order).
#

#ACTION		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS

#
# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
#
# Nearly all of these rules should be restricted to system-administration
# terminals, which would be better placed in a separate zone of their own;
# as written, they are open to the whole of the client zone named.
#

# ping (more below)
ACCEPT		lan	og		icmp	8

# ssh (more below)
ACCEPT		lan	og		tcp	22
ACCEPT		ig	og		tcp	22

# SNMP (more below) - for MRTG stats run from LAN
ACCEPT		lan	og		udp	161	

# syslog (more below)
ACCEPT		ig	lan		udp	514

# Squid - this rule would not be needed at all, except that a lot of OS
# updates are rather large and are better fetched through the cache...
ACCEPT		mail	proxy		tcp	3128

#
# Section 2: WARN/BAN rule directives
#

BAN		ig	lan
BAN		mail	proxy
BAN		lan	og
BAN		ig	og

#
# Section 3: Drop noisy junk
#

# auth/ident (tcp 113) - the reverse direction of the SMTP rules below
REJECT		mail	lan		tcp	113
REJECT		mail	guest		tcp	113
REJECT		mail	ig		tcp	113
REJECT		mail	proxy		tcp	113
REJECT		mail	og		tcp	113
REJECT		net	og		tcp	113
REJECT		mail	net		tcp	113

# KaZaA file sharing
DROP		net	og		tcp	1214

# Gnutella server
REJECT		net	og		tcp	6346,6347

# Half-Life
REJECT		net	og		udp	27015,27016


#
# Section 4: Normal traffic
#

# ping (more above)
ACCEPT		lan	ig		icmp	8
ACCEPT		lan	proxy		icmp	8
ACCEPT		lan	mail		icmp	8
ACCEPT		ig	proxy		icmp	8
ACCEPT		ig	mail		icmp	8
ACCEPT		og	proxy		icmp	8
ACCEPT		og	mail		icmp	8
ACCEPT		og	net		icmp	8

# FTP
ACCEPT		proxy	net		tcp	21

# ssh (more above)
ACCEPT		lan	ig		tcp	22
ACCEPT		lan	proxy		tcp	22
ACCEPT		lan	mail		tcp	22
ACCEPT		lan	net		tcp	22
ACCEPT		ig	proxy		tcp	22
ACCEPT		ig	mail		tcp	22
ACCEPT		proxy	mail		tcp	22
ACCEPT		proxy	net		tcp	22

# SMTP
ACCEPT		lan	mail		tcp	25
ACCEPT		guest	mail		tcp	25
ACCEPT		ig	mail		tcp	25
ACCEPT		proxy	mail		tcp	25
ACCEPT		og	mail		tcp	25
DNAT		net	mail:$MAIL	tcp	25
ACCEPT		mail	net		tcp	25

# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
# proxy, and mail independent of the rest (proxy & mail should run their
# own caches).
ACCEPT		lan	proxy		tcp	53
ACCEPT		lan	proxy		udp	53
ACCEPT		guest	proxy		tcp	53
ACCEPT		guest	proxy		udp	53
ACCEPT		ig	proxy		tcp	53
ACCEPT		ig	proxy		udp	53
ACCEPT		og	proxy		tcp	53
ACCEPT		og	proxy		udp	53
ACCEPT		proxy	net		tcp	53
ACCEPT		proxy	net		udp	53
ACCEPT		mail	net		tcp	53
ACCEPT		mail	net		udp	53

# HTTP
ACCEPT		proxy	net		tcp	80

# POP3 - must be proxied through mail
ACCEPT		mail	net		tcp	110
ACCEPT		lan	mail		tcp	110

# NNTP - application layer proxy (e.g. leafnode) on proxy
ACCEPT		lan	proxy		tcp	119
ACCEPT		proxy	net		tcp	119

# NTP - we really need more than 2 servers, but this is only an example.  :-)
ACCEPT		lan	proxy		udp	123
ACCEPT		lan	mail		udp	123
ACCEPT		ig	proxy		udp	123
ACCEPT		ig	mail		udp	123
ACCEPT		proxy	net		udp	123
ACCEPT		mail	net		udp	123
ACCEPT		og	proxy		udp	123
ACCEPT		og	mail		udp	123

# IMAP
ACCEPT		lan	mail		tcp	143
ACCEPT		guest	mail		tcp	143

# SNMP (more above) - for MRTG stats
ACCEPT		lan	ig		udp	161
ACCEPT		lan	proxy		udp	161
ACCEPT		lan	mail		udp	161

# HTTPS
ACCEPT		proxy	net		tcp	443

# syslog (more above) - DMZ (proxy) & OG hosts log to mail; IG & LAN hosts log to LAN
ACCEPT		og	mail		udp	514
ACCEPT		proxy	mail		udp	514

# Squid
ACCEPT		lan	proxy		tcp	3128
ACCEPT		guest	proxy		tcp	3128
ACCEPT		ig	proxy		tcp	3128
ACCEPT		og	proxy		tcp	3128

# Webmin (tcp 10000) - administrative web interface on proxy.
# NOTE(review): the guest rule below gives the guest zone access to an
# admin interface, which sits oddly with the section 1 note about limiting
# administration to admin terminals; confirm that this is intended.
ACCEPT		lan	proxy		tcp	10000
ACCEPT		guest	proxy		tcp	10000
ACCEPT		ig	proxy		tcp	10000
ACCEPT		og	proxy		tcp	10000


#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE