# Rules files for fwctl
#
# As usual, # starts a comment that runs to the end of the line, and
# blank lines are ignored.
#
# Format is
#
# Action service src dst options
#
# Action is usually ACCEPT, DENY or REJECT.
#
# Service is one of the defined firewall services.
#
# src and dst are one IP/Netmask or an ALIAS.
#
# Standard options:
#
# masq : use masquerading for this service.
# log : log packets to syslog (default for DENY and REJECT)
# nolog: do not log packets to syslog (default for ACCEPT)
## Local traffic is OK
accept all -src LOCAL_IP -dst LOCAL_IP
## Count traffic that goes on the Internet
#account all -src INT_NET -dst INTERNET -name internet
##################################################################
## TRAFFIC CONTROL
#accept traffic_control -src INT_NET
#accept traffic_control -src INTERNET -account -name tf_internet
##################################################################
## NETWORK TROUBLESHOOTING
## Accept pings and traceroutes from the Internet,
## but log them.
#accept ping -src INTERNET -dst EXT_IP -log -account -name monitoring
#accept traceroute -src INTERNET -dst EXT_IP -log -account -name monitoring
#accept ping -src INT_NET -dst INT_IP
#accept traceroute -src INT_NET -dst INT_IP
#accept ping -src EXT_IP -dst INTERNET
#accept traceroute -src EXT_IP -dst INTERNET
#accept ping -src INT_IP -dst INT_NET
#accept traceroute -src INT_IP -dst INT_NET
## Internal users want to test Internet connectivity
#accept ping -src INT_NET -dst INTERNET -masq
#accept traceroute -src INT_NET -dst INTERNET -masq
##################################################################
## DOMAIN NAME SERVICE
## A DNS server is installed on the machine.
#accept name_service -src INT_NET -dst INT_IP
#accept name_service -src EXT_IP -dst INTERNET -query-port 5353
#accept name_service -src INTERNET -dst EXT_IP
##################################################################
## EMAIL SERVICE
#accept smtp -src INT_NET -dst INT_IP
#accept smtp -src EXT_IP -dst INTERNET
#accept smtp -src INTERNET -dst EXT_IP
## We accept ident, since most sendmail installations will query
## our main server back. Since we don't run ident, they will get
## a prompt "service unavailable" message.
#accept ident -src INTERNET -dst EXT_IP
##################################################################
## POP AND IMAP
#accept imap -src INT_NET -dst INT_IP
#accept pop_3 -src INT_NET -dst INT_IP
## Remote email retrieval over cleartext imap/pop_3 -> very insecure
#accept imap -src INTERNET -dst EXT_IP
#accept pop_3 -src INTERNET -dst EXT_IP
## Better: the secure variants
#accept simap -src INT_NET -dst INT_IP
#accept simap -src INTERNET -dst EXT_IP
#accept spop3 -src INT_NET -dst INT_IP
#accept spop3 -src INTERNET -dst EXT_IP
##################################################################
## PROXY SERVICES
#accept webcache -src INT_NET -dst INT_IP
#accept http -src EXT_IP -dst INTERNET -port 80,443
#accept ftp -src EXT_IP -dst INTERNET -noport
##################################################################
## TIME SYNCHRONIZATION
#accept ntp -src EXT_IP -dst NTP_SERVERS
#accept ntp -src EXT_IP -dst NTP_SERVERS -client
##################################################################
## FAX SERVICES
#accept hylafax -src INT_NET -dst INT_IP
##################################################################
## INMANAGE
#accept tcp_service -src INT_NET -dst INT_IP -port 737
##################################################################
## REMOTE SUPPORT
#accept telnet -src EXT_IP -dst ROUTER
#accept telnet -src INT_NET -dst INT_IP
#accept telnet -src REMOTE_SUPPORT -dst EXT_IP
#accept ftp -src INT_NET -dst INT_IP -noport -pasv_ports 40000:45000
##################################################################
## DIRECT SERVICES
#accept telnet -src INT_NET -dst REMOTE_TELNET -masq
#accept ftp -src INT_NET -dst REMOTE_FTP -masq -noport
##################################################################
## DHCP
#accept dhcp -src INT_NET -dst INT_IP
## Prevents log clutter
#deny netbios -src INT_NET -nolog