#3   13th January 2010
lumiwa

I hope that I did what you suggested to me:
# macro name for external interface.
ext_if = sk0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in all
# match in log on $ext_if scrub (no-df)
# set a default deny everything policy.
block log all
block log quick inet6 all
# exercise antispoofing on the external interface, but add the local
# loopback interface as an exception, to prevent services utilizing the
# local loop from being blocked accidentally
set skip on lo
antispoof quick for $ext_if
antispoof log quick for { lo $ext_if } inet
# block anything coming from sources that we have no back routes for.
block in from no-route to any
# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any
# drop broadcast requests quietly.
block in quick on $ext_if from any to
# block packets claiming to come from reserved internal address blocks, as
# they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from {,,, } to any
pass out log on $ext_if proto tcp from any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from any

And I forgot to write before that I have a standalone computer.

Thanks for your help.
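For comparison, here is an added example of a pf.conf in the same shape for a standalone host (one interface, no forwarding, nothing listening). It is not lumiwa's config and not from the reply it answers; the interface name, the `<martians>` table contents and the use of the `match ... scrub` syntax (OpenBSD 4.6 and later; older pf and FreeBSD use `scrub in all` as in the post) are assumptions.

```pf
# Added example, not the poster's ruleset. Standalone host: no inbound pass
# rules at all, only stateful outbound traffic.
ext_if = "sk0"            # assumed NIC name, as in the post

# Assumed list of address blocks that must never arrive from the outside on a
# host with a single public address: RFC 1918, link-local, loopback and the
# "this network" block. Trim it if the box actually sits behind NAT.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/8 }

# Never filter loopback; local services talk to themselves over lo.
set skip on lo
# Silently drop blocked packets instead of answering with RST/unreachable.
set block-policy drop

# Normalize incoming traffic: reassemble fragments, clear DF, randomize IP IDs.
match in all scrub (no-df random-id)

# Default deny in both directions (logged); only the pass rules below open holes.
block log all
block log quick inet6 all

# Quick rules first so obviously bogus packets never reach the stateful pass rules:
# spoofed source addresses belonging to our own networks, martian sources,
# sources that fail a reverse-path lookup, and sources with no route back.
antispoof log quick for $ext_if
block in log quick on $ext_if from <martians> to any
block in log quick from urpf-failed to any
block in quick from no-route to any

# Drop directed broadcasts without logging (they are noise, not attacks).
block in quick on $ext_if from any to 255.255.255.255

# Outbound only, sourced from the interface's own address "($ext_if)" so the
# rule follows the address if it changes. "modulate state" randomizes the
# initial sequence numbers of the host's own TCP connections.
pass out log on $ext_if proto tcp from ($ext_if) modulate state
pass out log on $ext_if proto { udp, icmp } from ($ext_if) keep state
```

Before loading, parse it without applying it with `pfctl -nf /etc/pf.conf`; `pfctl -vnf /etc/pf.conf` additionally prints the expanded rules, which is the easiest way to see what `antispoof` and the table reference turn into. Once it parses, `pfctl -f /etc/pf.conf` loads it and `pfctl -sr` shows the active ruleset.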