# In IP Filter, block source-routed packets by
# uncommenting the last two lines in this group.
# For Packet Filter, leave the last two lines in this
# group commented out, as they will cause syntax errors. These
# packets are blocked by default in Packet Filter even
# if the general default is to pass all packets.
# IPF only### block in log quick on dc0 all with opt lsrr
# IPF only### block in log quick on dc0 all with opt ssrr

# Allow loopback packets.
pass in quick on lo0 all
pass out quick on lo0 all

# On an arbitrary network segment 145.58.94.0/24,
# .107 is a management workstation, .75 is the local machine
# and a public web server on which these rules will be
# used, and .23 is an ftp server that accepts files
# transferred from the web server.

# Start by allowing the normal remote management access.
# Port 22 for SSH. (The original rule said port = 23, which is
# telnet, not SSH; corrected here to match the comment.)
pass in quick on dc0 proto tcp from 145.58.94.107/32 \
    to 145.58.94.75/32 port = 22 flags S keep state

# Allow local NTP (port 123) and ping (ICMP) traffic in
# both directions.
pass in quick on dc0 proto udp from 145.58.94.0/24 port = 123 \
    to 145.58.94.0/24 port = 123
pass out quick on dc0 proto udp from 145.58.94.0/24 port = 123 \
    to 145.58.94.0/24 port = 123
pass in quick on dc0 proto icmp from 145.58.94.0/24 \
    to 145.58.94.0/24
pass out quick on dc0 proto icmp from 145.58.94.0/24 \
    to any keep state

# Allow ftp transfers to the ftp server: control channel out,
# active-mode data channel back in from port 20, and
# passive-mode data channel out to a high port.
pass out quick on dc0 proto tcp from 145.58.94.75/32 port > 1024 \
    to 145.58.94.23/32 port = 21 flags S keep state
pass in quick on dc0 proto tcp from 145.58.94.23/32 port = 20 \
    to 145.58.94.75/32 port > 1024 flags S keep state
pass out quick on dc0 proto tcp from 145.58.94.75/32 port > 1024 \
    to 145.58.94.23/32 port > 1024 flags S keep state

# Allow ftp transfers from the management/development workstation.
pass in quick on dc0 proto tcp from 145.58.94.107/32 port > 1024 \
    to 145.58.94.75/32 port = 21 flags S keep state
pass out quick on dc0 proto tcp from 145.58.94.75/32 port = 20 \
    to 145.58.94.107/32 port > 1024 flags S keep state

# Allow all web traffic.
pass in quick on dc0 proto tcp from any \
    to 145.58.94.75/32 port = 80 flags S keep state

# Block everything else.
block in log all
block out log all
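The ruleset above relies on two IP Filter evaluation details that are easy to get wrong when auditing it: the *last* matching rule normally wins, but a matching rule marked `quick` ends evaluation immediately, and `flags S` restricts a rule to the initial SYN of a TCP connection. The following Python model is an added example, not part of the original ruleset or of IP Filter itself; it encodes a subset of the rules for interface dc0 (the management rule is modelled as SSH on port 22, as its comment states), evaluates constructed sample packets against them, and shows what happens to the management rule if `quick` is dropped. Everything below (the `Rule`/`Packet` classes, `evaluate`, the sample packets) is assumed for illustration and is not IPF's own API.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
# ("=", 22) or (">", 1024); None matches any port (or a protocol without ports)
PortSpec = Optional[Tuple[str, int]]


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    proto: Optional[str]    # "tcp", "udp", "icmp", or None for any protocol
    src: Optional[Net]      # None means "from any"
    sport: PortSpec
    dst: Optional[Net]      # None means "to any"
    dport: PortSpec
    syn_only: bool = False  # "flags S": only the opening SYN of a TCP connection matches
    quick: bool = False     # "quick": stop evaluating as soon as this rule matches


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "=" else port > value


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if not _port_ok(rule.sport, pkt.sport) or not _port_ok(rule.dport, pkt.dport):
        return False
    if rule.syn_only and not pkt.syn:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """IPF semantics: the last matching rule decides, unless a matching rule is
    'quick', which ends evaluation at once. If nothing matches, IPF passes."""
    verdict = "pass"
    for rule in rules:
        if _matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def without_quick(rules: List[Rule]) -> List[Rule]:
    """Same rules with every 'quick' removed, to show why the keyword matters."""
    return [replace(r, quick=False) for r in rules]


N = ipaddress.ip_network

# Constructed subset of the dc0 rules above, in their original order.
RULES = [
    Rule("pass", "in", "tcp", N("145.58.94.107/32"), None, N("145.58.94.75/32"), ("=", 22),
         syn_only=True, quick=True),                                   # SSH from management host
    Rule("pass", "in", "udp", N("145.58.94.0/24"), ("=", 123), N("145.58.94.0/24"), ("=", 123),
         quick=True),                                                  # local NTP
    Rule("pass", "in", "tcp", N("145.58.94.23/32"), ("=", 20), N("145.58.94.75/32"), (">", 1024),
         syn_only=True, quick=True),                                   # active-mode FTP data
    Rule("pass", "in", "tcp", None, None, N("145.58.94.75/32"), ("=", 80),
         syn_only=True, quick=True),                                   # web from anywhere
    Rule("block", "in", None, None, None, None, None),                 # block in log all
    Rule("block", "out", None, None, None, None, None),                # block out log all
]

# Constructed sample packets (198.51.100.9 is a documentation address standing in for
# an arbitrary Internet host).
SSH_FROM_MGMT = Packet("in", "tcp", "145.58.94.107", "145.58.94.75", 40000, 22, syn=True)
SSH_FROM_PEER = Packet("in", "tcp", "145.58.94.50", "145.58.94.75", 40000, 22, syn=True)
WEB_FROM_NET = Packet("in", "tcp", "198.51.100.9", "145.58.94.75", 40000, 80, syn=True)
TELNET_FROM_NET = Packet("in", "tcp", "198.51.100.9", "145.58.94.75", 40000, 23, syn=True)
NTP_GOOD = Packet("in", "udp", "145.58.94.23", "145.58.94.75", 123, 123)
NTP_BAD_SPORT = Packet("in", "udp", "145.58.94.23", "145.58.94.75", 5000, 123)

if __name__ == "__main__":
    for name, pkt in [("ssh/mgmt", SSH_FROM_MGMT), ("ssh/peer", SSH_FROM_PEER),
                      ("web/net", WEB_FROM_NET), ("telnet/net", TELNET_FROM_NET),
                      ("ntp/ok", NTP_GOOD), ("ntp/badsport", NTP_BAD_SPORT)]:
        print(f"{name:12s} {evaluate(RULES, pkt)}")
    print("ssh/mgmt without quick:", evaluate(without_quick(RULES), SSH_FROM_MGMT))
```

The last line of the run is the point of the model: with `quick` removed from the pass rules, the trailing `block in log all` is the last rule to match every inbound packet, so even the management host's SSH connection is dropped. The model also shows why the NTP rules constrain the source port as well as the destination port: a datagram to port 123 from an ephemeral source port falls through to the final block.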