OpenBSD and DNS
cj
plug-discuss@lists.PLUG.phoenix.az.us
Sat, 30 Jun 2001 22:32:08 -0700
I didn't see anything glaringly wrong, but I probably don't know what I'm
looking for either. Here's my entire ipf.rules
#########################################################
# Firewalling rules
#########################################################
# set our default policies
block in log all
pass out all
# accept packets coming from the internal interface
pass in on ep1 all
pass in on lo all
# deny any coming from outside which are illegal
# first take care of standard unroutables
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block in log quick on ep0 from any to 0.0.0.0/32
block in log quick on ep0 from any to 255.255.255.255/32
block in log quick on ep0 from any to 127.0.0.0/8
# now let's deal with the internal networks
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from any to 192.168.0.0/16
block in log quick on ep0 from any to 172.16.0.0/12
block in log quick on ep0 from any to 10.0.0.0/8
# allow certain classes of ICMP
pass in quick on ep0 proto icmp all icmp-type 0
pass in quick on ep0 proto icmp all icmp-type 3
pass in quick on ep0 proto icmp all icmp-type 11
# allow inbound ssh and mail connections
pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ep0 proto tcp from any to any port = 25 flags S keep state
# allow return packets from connections we initiated
pass out on ep0 proto tcp all keep state
# REJECT auth connections for fast SMTP handshake
block return-rst in on ep0 proto tcp from any to any port = 113
# allow udp DNS replies from DNS 1 & 2
pass in on ep0 proto udp from 24.1.240.33 port = 53 to any
pass in on ep0 proto udp from 24.1.240.34 port = 53 to any
# allow NTP replies from 1.3.4.5
# pass in on ep0 proto udp from 1.3.4.5 port = 123 to any
# Prevent outside machines from initiating TCP connections to machines
# within our network
block in quick on ep0 proto tcp all flags S/SA
block out quick on ep0 proto tcp all flags SA/SA
# END OF ipf.rules
and ipnat.rules:
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
# map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
map ep0 10.0.1.0/24 -> ep0/32 portmap tcp/udp 1025:65000
#
# End of ipnat.rules
Again, thanks for your time.
CJ
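As an added illustration, not part of CJ's post or of ipf itself: a small Python model of how ipf walks a ruleset like the one above, where the last matching rule wins unless a matching rule is marked quick. It covers only a subset of the syntax (no ICMP, no state table) and assumes, as I understand ipf's order of operations, that inbound NAT runs before the filter, so a reply to an internal host reaches the filter with its 10.0.1.x destination; the public address 203.0.113.7 and the unlisted resolver 198.51.100.10 used in the checks are placeholders.

```python
import ipaddress
import re
# Subset of the ipf.rules posted above, with the wrapped "keep state" rule joined onto one
# line as ipf requires. Constructed for this example; ICMP and the state table are left out.
IPF_RULES = """
block in log all
pass in on ep1 all
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from any to 10.0.0.0/8
pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
pass in on ep0 proto udp from 24.1.240.33 port = 53 to any
pass in on ep0 proto udp from 24.1.240.34 port = 53 to any
block in quick on ep0 proto tcp all flags S/SA
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?P<quick> quick)?(?: on (?P<iface>\S+))?"
    r"(?: proto (?P<proto>\S+))? (?:all|from (?P<src>\S+)(?: port = (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\d+))?)"
    r"(?: flags (?P<fset>[A-Z]+)(?:/(?P<fmask>[A-Z]+))?)?(?: keep state)?$")

def parse_rules(text):
    # Each line must fit the grammar subset above; a non-match raises AttributeError.
    return [RULE_RE.match(line.strip()).groupdict() for line in text.strip().splitlines()]

def in_net(spec, addr):
    # "all" (spec is None) and "any" match every address; otherwise CIDR containment.
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if (r["proto"] and r["proto"] != p["proto"]) or not in_net(r["src"], p["src"]) or not in_net(r["dst"], p["dst"]):
        return False
    if (r["sport"] and int(r["sport"]) != p.get("sport")) or (r["dport"] and int(r["dport"]) != p.get("dport")):
        return False
    if r["fset"]:  # "flags S" with no mask means mask all six flags: only SYN may be set
        if set(p.get("flags", "")) & set(r["fmask"] or "FSRPAU") != set(r["fset"]):
            return False
    return True

def verdict(rules, p):
    # ipf: the LAST match wins unless a matching rule says quick (stops here); no match at all means pass.
    result = "pass"
    for r in rules:
        if matches(r, p):
            result = r["action"]
            if r["quick"]:
                break
    return result
```

Running the DNS reply through it once with the public destination and once with the post-NAT internal destination shows how much the verdict depends on which address the filter actually sees.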