HTMLized from /usr/share/ipf/
/usr/share/ipf/firewall.1
#
# This is an example of a very light firewall used to guard against
# some of the most easily exploited common security holes.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
# Rule evaluation: ipf walks the list in order and the *last* matching
# rule decides, unless a rule carries "quick", which stops the search at
# that rule. Nothing in this file uses "keep state", so every packet is
# judged on its own; no connection tracking takes place. Only inbound
# traffic on ppp0 is filtered; nothing restricts what leaves.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
# Default policy is PASS in both directions. These two rules come first
# so that every later "block" rule overrides them (last match, or
# "quick") for the packets it names. Anything not named below gets in.
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
# "localhost" is resolved by name when the rules are loaded, so this
# covers only the address it resolves to (normally 127.0.0.1), not the
# whole 127.0.0.0/8 block. NOTE(review): consider 127.0.0.0/8 instead,
# as the firewall.3 and firewall.4 examples do.
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block any incoming traffic to NFS ports, to the RPC portmapper, and
# to X servers.
#
# Not "quick": a later rule could still override these, but none
# follows, so they are the last match. Port 6000 is X display :0 only;
# further displays listen on 6001, 6002, ... and are not covered.
# Every hit is logged.
#
block in log on ppp0 proto tcp/udp from any to any port = sunrpc
block in log on ppp0 proto tcp/udp from any to any port = 2049
block in log on ppp0 proto tcp from any to any port = 6000
/usr/share/ipf/firewall.2
#
# This is an example of a fairly heavy firewall used to keep everyone
# out of a particular network while still allowing people within that
# network to get outside.
#
# The example assumes it is running on a gateway with interface ppp0
# attached to the outside world, and interface ed0 attached to
# network 192.168.4.0 which needs to be protected.
#
# Rule evaluation: ipf takes the *last* matching rule unless a rule says
# "quick". This file does not use "keep state", so each packet is judged
# by itself: replies to outgoing connections get back in only because
# the port-range and service rules near the end admit them, not because
# the connection was seen leaving.
#
#
# Pass any packets not explicitly mentioned by subsequent rules
#
pass out from any to any
pass in from any to any
#
# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets, IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header,
# and anything with IP options.
#
block in log quick on ppp0 proto icmp from any to any icmp-type redir
block in log quick on ppp0 proto tcp/udp all with short
block in log quick on ppp0 from any to any with ipopts
#
# Block any IP spoofing attempts. (Packets "from" our network
# shouldn't be coming in from outside).
#
# "localhost" is resolved by name at load time and so covers only the
# address it resolves to, not all of 127.0.0.0/8.
#
block in log quick on ppp0 from 192.168.4.0/24 to any
block in log quick on ppp0 from localhost to any
block in log quick on ppp0 from 0.0.0.0/32 to any
block in log quick on ppp0 from 255.255.255.255/32 to any
#
# Block all incoming UDP traffic except talk and DNS traffic. NFS
# and portmap are special-cased and logged.
#
# Order matters: the blanket block comes first so that the later, more
# specific rules win by last match. The sunrpc/2049 rules only add
# logging (the blanket rule already blocks them). The three "pass" rules
# admit UDP to ports domain/talk/ntalk on *any* inside host from *any*
# outside host, with no state check.
#
block in on ppp0 proto udp from any to any
block in log on ppp0 proto udp from any to any port = sunrpc
block in log on ppp0 proto udp from any to any port = 2049
pass in on ppp0 proto udp from any to any port = domain
pass in on ppp0 proto udp from any to any port = talk
pass in on ppp0 proto udp from any to any port = ntalk
#
# Block all incoming TCP traffic connections to known services,
# returning a connection reset so things like ident don't take
# forever timing out. Don't log ident (auth port) as it's so common.
#
# "flags S/SA" matches only the initial SYN of a connection, so these
# rules refuse new inbound connections and leave established flows
# alone. The "pass" rules that follow override them (last match) for
# the ports and hosts named there.
#
block return-rst in log on ppp0 proto tcp from any to any flags S/SA
block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
#
# Allow incoming TCP connections to ports between 1024 and 5000, as
# these don't have daemons listening but are used by outgoing
# services like ftp and talk. For slightly more obscurity (though
# not much more security), the second commented out rule can be chosen
# instead.
#
# This opens the 1024-5000 range on every inside host to any outside
# source: anything that does listen there is reachable from the
# Internet. A stateful "keep state" rule on outgoing connections (see
# the firewall.3 example) removes the need for this hole.
#
pass in on ppp0 proto tcp from any to any port 1024 >< 5000
#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
# Now allow various incoming TCP connections to particular hosts, TCP
# to the main nameserver so secondaries can do zone transfers, SMTP
# to the mail host, www to the web server (which really should be
# outside the firewall if you care about security), and ssh to a
# hypothetical machine called 'gatekeeper' that can be used to gain
# access to the protected network from the outside world.
#
# ns1, mail, www and gatekeeper are host names resolved when the rules
# are loaded; a wrong or changed resolution silently moves the opening.
#
pass in on ppp0 proto tcp from any to ns1 port = domain
pass in on ppp0 proto tcp from any to mail port = smtp
pass in on ppp0 proto tcp from any to www port = www
pass in on ppp0 proto tcp from any to gatekeeper port = ssh
/usr/share/ipf/firewall.3
#!/sbin/ipf -f -
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
# Semantics used throughout: the last matching rule wins unless it is
# "quick"; "head N" opens a rule group that is only consulted when the
# head rule itself matches; "group N" attaches a rule to that group.
# "keep state" records a matched connection so that its packets in the
# other direction are accepted without consulting the rules again.
# "log" never changes whether a packet is passed or blocked.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
# 100 - everything arriving on ppp0 (default: block)
# 101 - new inbound TCP connections (SYN only) on ppp0
# 150 - everything leaving via ppp0 (default: block; the "keep state"
#       entries created below are what let outgoing traffic through)
# 200 - inbound on ed0, but only packets whose source is the inside
#       network w.x.y.z/24
# 201/202 - inside-originated new TCP connections / UDP
# 250 - everything leaving via ed0
#
# NOTE(review): a packet on ed0 whose source is outside w.x.y.z/24 does
# not enter group 200 and matches no other rule in this file, so it is
# left to ipf's compiled-in default (pass, unless the kernel was built to
# block by default). Add an explicit block for such packets if an
# inside host forging its source address must not be able to send out.
#
block in log on ppp0 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block in log proto tcp all flags S/SA head 201 group 200
block in log proto udp all head 202 group 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
# The three RFC 1918 private ranges must never appear as a source on
# the external link.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
# Drops external packets claiming a source in a.b.c.d/24, the block
# around the firewall's own external address. NOTE(review): the inside
# network w.x.y.z/24 is not listed; unless it lies within one of the
# private ranges blocked above, packets arriving on ppp0 with an inside
# source address are not caught by this section.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Allow outgoing DNS requests (no named on firewall)
#
# Group 202 = UDP from the inside network. "keep state" is what lets the
# reply back in through ppp0 despite group 100 having no matching pass.
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# If we were running named on the firewall and all internal hosts talked to
# it, we'd use the following:
#
#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
#
# Allow outgoing FTP from any internal host to any external FTP server.
#
# The third rule supports active-mode FTP, where the server connects
# back from port ftp-data to a high port on the client. It sits in
# group 101 (new connections arriving on ppp0) and matches on source
# port alone - it does not check that an FTP control session exists -
# so it admits any connection with source port ftp-data to any inside
# port above 1023. This is the weakest point of the rule set;
# passive-mode FTP or an FTP proxy avoids the need for it.
#
pass in quick proto tcp from any to any port = ftp keep state group 201
pass in quick proto tcp from any to any port = ftp-data keep state group 201
pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
#
# Allow NTP from any internal host to any external NTP server.
#
pass in quick proto udp from any to any port = ntp keep state group 202
#
# Allow outgoing connections: SSH, TELNET, WWW
#
# telnet carries credentials in clear text; it is kept here as part of
# the sample, not as a recommendation.
#
pass in quick proto tcp from any to any port = 22 keep state group 201
pass in quick proto tcp from any to any port = telnet keep state group 201
pass in quick proto tcp from any to any port = www keep state group 201
#
#-------------------------------------------------------
# Group 110: new TCP connections from outside addressed to the
# firewall's own external address. The head rule fixes the destination,
# which is why the rules in the group can say "to any".
#
block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
#
# Allow incoming to the external firewall interface: mail, WWW, DNS
#
# NOTE(review): the UDP/53 rule is in group 100, not 110, and its
# destination is "any". Unlike the TCP rules it is not narrowed to
# a.b.c.d/32 by a head rule, so UDP to port 53 of any host reachable
# through ppp0 is passed. Restrict it to a.b.c.d/32 if only a
# nameserver on the firewall itself is meant to be reachable.
#
pass in log quick proto tcp from any to any port = smtp keep state group 110
pass in log quick proto tcp from any to any port = www keep state group 110
pass in log quick proto tcp from any to any port = 53 keep state group 110
pass in log quick proto udp from any to any port = 53 keep state group 100
#-------------------------------------------------------
# Log these:
# ==========
# Neither rule is "quick", so they decide only packets that reached
# group 100 without being taken by an earlier quick rule.
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
/usr/share/ipf/firewall.4
#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
# "Permissive" refers to the inside: anything originating on the inside
# network may go out (group 200 below). Nothing is opened from the
# outside; packets arriving on ppp0 are accepted only when they belong
# to a connection that "keep state" recorded on its way out.
#
# Semantics: the last matching rule wins unless it is "quick"; "head N"
# opens a group consulted only when the head rule matches; "group N"
# files a rule under that head.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
# 100/150 - in/out on ppp0; 200 - in on ed0 from the inside network
# only; 250 - out on ed0.
# NOTE(review): a packet on ed0 whose source is outside w.x.y.z/24 does
# not enter group 200 and matches no other rule in this file, so it is
# left to ipf's compiled-in default (pass, unless the kernel was built to
# block by default). Add an explicit block for such packets if inside
# hosts must not be able to send with a forged source address.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
# NOTE(review): only a.b.c.d/24 (the external address block) is listed;
# the inside network w.x.y.z/24 is not, so unless it lies within one of
# the private ranges above, external packets forging an inside source
# address are not stopped here.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
# Every TCP SYN from an inside address is accepted and tracked, with no
# restriction on destination or port: an egress policy of "everything",
# which also gives a compromised inside host unrestricted outbound
# access. Active-mode FTP data connections (opened by the server,
# arriving on ppp0) are not covered by a state entry and no rule here
# admits them, so they end in group 100.
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
# NOTE(review): no UDP rule follows this comment. As the file stands,
# inside UDP traffic (DNS lookups, NTP, ...) matches nothing in group
# 200 and is blocked and logged by the head rule. Either a
# "pass ... proto udp ... keep state group 200" rule was lost from this
# copy, or the comment is stale - confirm against the original.
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# Neither rule is "quick"; they apply to packets that reached group 100
# and were not taken by an earlier quick rule (i.e. unsolicited inbound
# TCP SYNs and UDP), answering with a RST or ICMP error instead of a
# silent drop.
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100