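##################################################
# IP Filter for Standard Hosting Server
#
# Evaluation order (IPFilter): the LAST matching rule decides, unless a
# rule carries "quick", in which case the FIRST matching "quick" rule
# ends evaluation for that packet. Every "quick" deny must therefore
# appear before any "quick" pass it is meant to take precedence over.
#
# Trusted IP:
# 210.6.118.182 : Office
# 203.124.9.99 : VPN (DLink)
# 203.124.10.6 : OpenVPN (vpn.setssl.com)
# 203.124.11.186: Hehe
# 203.124.10.18 : Cammy
# 203.124.9.11 : DNS1
# 61.93.96.245 : Chea
# 203.124.10.19 : Earth
# 203.124.11.100: China Staff VPN
#
# pool/100 : Trust_IP
# pool/200 : Rsync Backup Server
# pool/300 : Monitor IP
# pool/400 : All our IP
# pool/500 : SSH 1022 IP
# pool/600 : Blacklist (denied in both directions, see below)
#
# NOTE(review): pool/100, pool/300 and pool/400 are listed here but no
# rule in this file references them; confirm whether they are still
# expected to restrict anything.
##################################################
interface = "net0";
#-------------------------------------------------
# Block any packets which are too short to be real
#-------------------------------------------------
block in log quick all with short
#-------------------------------------------------
# drop any IP packets with options set in them.
# "quick" added: the original rule was not quick, so any later
# "pass in quick" rule (e.g. the port 80 pass) still matched and let
# the packet through, defeating the stated intent.
#-------------------------------------------------
block in log quick all with ipopts
#-------------------------------------------------
# Allow all traffic on loopback.
#-------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
#-----------
# Blacklist (pool/600)
# Placed ahead of every "pass in quick" rule so a blacklisted source can
# never reach SSH, rsync, HTTP or any other service. In the original
# ordering these rules came after the SSH and rsync passes, so a
# pool/600 address could still open an SSH session on port 22. The two
# later copies of these rules (a port-80-only block and a second
# in/out pair at the end of the file) were shadowed by these "quick"
# rules and have been consolidated here.
# NOTE(review): "log first" presumably only limits logging for rules
# that keep state; these rules do not, so expect one log entry per
# packet — confirm against the ipf(5) build in use.
#-----------
block in quick log first on $interface from pool/600 to any
block out quick log first from any to pool/600
#-------------------------------------------------
# Public Network. Block everything.
# Deliberately not "quick": this is the default-deny fallback for any
# inbound packet that no later "pass in quick" rule accepts.
#-------------------------------------------------
block in on $interface all
#block out on $interface all
#-------------------------------------------------
# Allow ICMP (ping)
# NOTE(review): both rules match every ICMP type on every interface,
# not only echo request/reply; presumably intentional — verify.
#-------------------------------------------------
#pass out quick on $interface proto icmp all keep state
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state
#-------------------------------------------------
# Allow outbound state related packets.
# Creates the state entries that let replies to outbound TCP/UDP flows
# back in without a matching "pass in" rule.
#-------------------------------------------------
pass out quick on $interface proto tcp/udp from any to any keep state
#-----------
# Allow SSH
# NOTE(review): port 22 is open to any source, while the alternate
# port 1022 below is restricted to pool/500. If 1022 is the intended
# admin path, consider limiting this rule to pool/100 (Trust_IP) —
# left unchanged here to avoid locking out an unknown caller.
#-----------
pass in log quick on $interface proto tcp from any to any port = 22 keep state
#-----------
# Allow SSH 1022
# Source-restricted to pool/500 (see header).
#-----------
pass in log quick on $interface proto tcp from pool/500 to any port = 1022 keep state
# ----------
# Allow Rsync
# Source-restricted to pool/200 (backup server). Stateless on purpose
# or by omission? Every other service rule keeps state — confirm.
# ----------
pass in log quick on $interface proto tcp from pool/200 to any port = 873
#-----------
# Allow HTTP
#-----------
pass in log quick on $interface proto tcp from any to any port = 80
pass in log quick on $interface proto tcp from any to any port = 443
#-----------
# Allow FTP
# NOTE(review): the port 20 rule admits inbound connections TO port 20;
# active-mode data connections originate FROM the server's port 20 and
# are covered by the outbound keep-state rule above — verify this rule
# is still needed. The passive range below is not bound to $interface
# and applies on every interface.
#-----------
#GLOBAL
pass in log quick on $interface proto tcp from any to any port = 20
pass in log quick on $interface proto tcp from any to any port = 21
pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state
#-----------
# Allow SMTP
# 25 / 465 / 587 are the standard submission and relay ports; 2025 and
# 2620 are site-specific alternates (purpose not documented here).
#-----------
pass in log quick on $interface proto tcp from any to any port = 25
pass in log quick on $interface proto tcp from any to any port = 465
pass in log quick on $interface proto tcp from any to any port = 587
pass in log quick on $interface proto tcp from any to any port = 2025
pass in log quick on $interface proto tcp from any to any port = 2620
#-----------
# Allow POP3
#-----------
pass in log quick on $interface proto tcp from any to any port = 110
pass in log quick on $interface proto tcp from any to any port = 995
#-----------
# Allow IMAP
#-----------
pass in log quick on $interface proto tcp from any to any port = 143
pass in log quick on $interface proto tcp from any to any port = 585
pass in log quick on $interface proto tcp from any to any port = 993
#-----------
# Allow mySQL
# NOTE(review): 3306 is reachable from any source. Unless remote
# clients outside the listed pools are expected, restrict this to
# pool/400 (All our IP) or drop it in favour of local/tunnelled access.
# Left unchanged here; the correct source set is not visible in this file.
#-----------
pass in log quick on $interface proto tcp from any to any port = 3306
#-----------
# Allow NetPrint (Whoeat.co.uk)
#-----------
pass in log quick on $interface proto tcp from any to any port = 56230
pass in log quick on $interface proto udp from any to any port = 56230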