forked from extern/shorewall_code
b7d2e8c684
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3999 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
188 lines
4.3 KiB
Plaintext
188 lines
4.3 KiB
Plaintext
#
|
|
# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
|
|
#
|
|
# Master Rules File
|
|
#
|
|
# This file is organised into 4 main sections:
|
|
# 1. Rules that need to transcend the more general WARN/BAN rules. The
|
|
# reason for this is typically system administration and
|
|
# troubleshooting. This section should be kept as small as possible.
|
|
# 2. WARN/BAN rules to put restrictions on which rules contravening
|
|
# policies may be created. This section should be as large as
|
|
# possible, if you take a traditional (i.e. paranoid) approach to
|
|
# firewall design.
|
|
# 3. Noise-reducing rules for illegitimate traffic. This is typically
|
|
# small, but may grow as time goes on.
|
|
# 4. Normal rules which define the holes in your firewall. Again, this
|
|
# should include only the rules you need and no more. However, even
|
|
# on a simple home network like mine, this section tends to get
|
|
# large!
|
|
#
|
|
|
|
#
|
|
# Order by port, protocol, dest zone (in->out order), src zone (in->out
|
|
# order).
|
|
#
|
|
|
|
#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
|
|
|
|
#
|
|
# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
|
|
#
|
|
# Nearly all of these rules should be limited to system administration
|
|
# terminals. These would be better put in a separate zone.
|
|
#
|
|
|
|
# ping (more below)
|
|
ACCEPT lan og icmp 8
|
|
|
|
# ssh (more below)
|
|
ACCEPT lan og tcp 22
|
|
ACCEPT ig og tcp 22
|
|
|
|
# SNMP (more below) - for MRTG stats run from LAN
|
|
ACCEPT lan og udp 161
|
|
|
|
# syslog (more below)
|
|
ACCEPT ig lan udp 514
|
|
|
|
# Squid - this wouldn't be necessary except that a lot of OS updates are
|
|
# rather large...
|
|
ACCEPT mail proxy tcp 3128
|
|
|
|
#
|
|
# Section 2: WARN/BAN rule directives
|
|
#
|
|
|
|
BAN ig lan
|
|
BAN mail proxy
|
|
BAN lan og
|
|
BAN ig og
|
|
|
|
#
|
|
# Section 3: Drop noisy junk
|
|
#
|
|
|
|
# auth - reverse of the SMTP rules below
|
|
REJECT mail lan tcp 113
|
|
REJECT mail guest tcp 113
|
|
REJECT mail ig tcp 113
|
|
REJECT mail proxy tcp 113
|
|
REJECT mail og tcp 113
|
|
REJECT net og tcp 113
|
|
REJECT mail net tcp 113
|
|
|
|
# KaZaA file sharing
|
|
DROP net og tcp 1214
|
|
|
|
# Gnutella server
|
|
REJECT net og tcp 6346,6347
|
|
|
|
# Half-Life
|
|
REJECT net og udp 27015,27016
|
|
|
|
|
|
#
|
|
# Section 4: Normal traffic
|
|
#
|
|
|
|
# ping (more above)
|
|
ACCEPT lan ig icmp 8
|
|
ACCEPT lan proxy icmp 8
|
|
ACCEPT lan mail icmp 8
|
|
ACCEPT ig proxy icmp 8
|
|
ACCEPT ig mail icmp 8
|
|
ACCEPT og proxy icmp 8
|
|
ACCEPT og mail icmp 8
|
|
ACCEPT og net icmp 8
|
|
|
|
# FTP
|
|
ACCEPT proxy net tcp 21
|
|
|
|
# ssh (more above)
|
|
ACCEPT lan ig tcp 22
|
|
ACCEPT lan proxy tcp 22
|
|
ACCEPT lan mail tcp 22
|
|
ACCEPT lan net tcp 22
|
|
ACCEPT ig proxy tcp 22
|
|
ACCEPT ig mail tcp 22
|
|
ACCEPT proxy mail tcp 22
|
|
ACCEPT proxy net tcp 22
|
|
|
|
# SMTP
|
|
ACCEPT lan mail tcp 25
|
|
ACCEPT guest mail tcp 25
|
|
ACCEPT ig mail tcp 25
|
|
ACCEPT proxy mail tcp 25
|
|
ACCEPT og mail tcp 25
|
|
DNAT net mail:$MAIL tcp 25
|
|
ACCEPT mail net tcp 25
|
|
|
|
# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
|
|
# proxy, and mail independent of the rest (proxy & mail should run their
|
|
# own caches).
|
|
ACCEPT lan proxy tcp 53
|
|
ACCEPT lan proxy udp 53
|
|
ACCEPT guest proxy tcp 53
|
|
ACCEPT guest proxy udp 53
|
|
ACCEPT ig proxy tcp 53
|
|
ACCEPT ig proxy udp 53
|
|
ACCEPT og proxy tcp 53
|
|
ACCEPT og proxy udp 53
|
|
ACCEPT proxy net tcp 53
|
|
ACCEPT proxy net udp 53
|
|
ACCEPT mail net tcp 53
|
|
ACCEPT mail net udp 53
|
|
|
|
# HTTP
|
|
ACCEPT proxy net tcp 80
|
|
|
|
# POP3 - must be proxied through mail
|
|
ACCEPT mail net tcp 110
|
|
ACCEPT lan mail tcp 110
|
|
|
|
# NNTP - application layer proxy (e.g. leafnode) on proxy
|
|
ACCEPT lan proxy tcp 119
|
|
ACCEPT proxy net tcp 119
|
|
|
|
# NTP - we really need more than 2 servers, but this is only an example. :-)
|
|
ACCEPT lan proxy udp 123
|
|
ACCEPT lan mail udp 123
|
|
ACCEPT ig proxy udp 123
|
|
ACCEPT ig mail udp 123
|
|
ACCEPT proxy net udp 123
|
|
ACCEPT mail net udp 123
|
|
ACCEPT og proxy udp 123
|
|
ACCEPT og mail udp 123
|
|
|
|
# IMAP
|
|
ACCEPT lan mail tcp 143
|
|
ACCEPT guest mail tcp 143
|
|
|
|
# SNMP (more above) - for MRTG stats
|
|
ACCEPT lan ig udp 161
|
|
ACCEPT lan proxy udp 161
|
|
ACCEPT lan mail udp 161
|
|
|
|
# HTTPS
|
|
ACCEPT proxy net tcp 443
|
|
|
|
# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
|
|
ACCEPT og mail udp 514
|
|
ACCEPT proxy mail udp 514
|
|
|
|
# Squid
|
|
ACCEPT lan proxy tcp 3128
|
|
ACCEPT guest proxy tcp 3128
|
|
ACCEPT ig proxy tcp 3128
|
|
ACCEPT og proxy tcp 3128
|
|
|
|
# Webmin
|
|
ACCEPT lan proxy tcp 10000
|
|
ACCEPT guest proxy tcp 10000
|
|
ACCEPT ig proxy tcp 10000
|
|
ACCEPT og proxy tcp 10000
|
|
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|