#!/bin/sh
# pmfirewall.rules.local
# ver.PM1 (do not remove this line)
#
# Local ipchains rule additions for a pmfirewall installation.
# NOTE(review): this file only appends rules; it never sets the variables it
# uses. IPCHAINS, OUTERNET, OUTERIF, OUTERIP, INTERNALIF and REMOTENET are
# presumably exported by the pmfirewall script that sources this file --
# verify before running it on its own (unset variables expand to nothing and
# silently change what a rule matches).
# ipchains evaluates a chain in order, first match wins, so the position of
# every rule below matters; "-j DENY" drops silently and "-l" logs the match.

### BEGIN SYSTEM DEFAULTS ###

# Block Nonroutable IP's from entering on the External Interface
# Anti-spoofing: the three RFC1918 ranges plus loopback are refused when they
# arrive on the external interface. Note the rules only match packets
# addressed to $OUTERNET; what that variable covers is not visible here.
$IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF

# - Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
#
# Back Orifice (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
# NetBus (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
# Trin00 (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l
# Multicast
# NOTE(review): 224.0.0.0/8 only covers 224.x.x.x; the IPv4 multicast block
# is 224.0.0.0/4 (224-239). If the intent is "all multicast", both rules
# should read 224.0.0.0/4 -- confirm that nothing on the LAN relies on
# 239.x (locally scoped) multicast before widening.
$IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
$IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY

### END SYSTEM DEFAULTS ###

#### EXAMPLES ###
### ALLOWED NETWORKS
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.
#$IPCHAINS -A input -s [trusted host/net] -d $OUTERNET -j ACCEPT
### BLOCKED NETWORKS
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause problems. These packets are logged.
#$IPCHAINS -A input -s [banned host/net] -d $OUTERNET -j DENY -l
#### END OF EXAMPLES ###

### AUTOMATICALLY GENERATED BY THE INSTALL SCRIPT ###

#UNRESTRICTED ACCESS
# Everything with a 192.168.0.x source is accepted here, ahead of every rule
# that follows. NOTE(review): there is no "-i", so the match is on source
# address alone; the anti-spoof rule above only protects packets addressed to
# $OUTERNET, so a 192.168.0.x source arriving on $OUTERIF with any other
# destination would be accepted by this rule. Pinning it to the inside
# interface, `-s 192.168.0.1/24 -i $INTERNALIF -d $REMOTENET -j ACCEPT`,
# closes that -- confirm $INTERNALIF is the LAN interface first.
$IPCHAINS -A input -s 192.168.0.1/24 -d $REMOTENET -j ACCEPT
#
### BLOCK ICMP ATTACKS
#
#-----INCOMING-------
# Only ICMP types 0, 3, 4 and 11 are accepted inbound; everything else,
# including echo request (type 8), falls through to the logged deny below.
#
#echo reply (pong)
$IPCHAINS -A input -p icmp --icmp-type 0 -j ACCEPT
#destination unreachable
$IPCHAINS -A input -p icmp --icmp-type 3 -j ACCEPT
#source quench
$IPCHAINS -A input -p icmp --icmp-type 4 -j ACCEPT
#time to live (TTL) for traceroute
$IPCHAINS -A input -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
#now deny all other INCOMING icmp packets
$IPCHAINS -A input -p icmp -j DENY -l
#
#-----OUTGOING------
# Outbound additionally allows echo request (type 8) so local pings work.
#
#echo reply (pong)
$IPCHAINS -A output -p icmp --icmp-type 0 -j ACCEPT
#destination unreachable
$IPCHAINS -A output -p icmp --icmp-type 3 -j ACCEPT
#source quench
$IPCHAINS -A output -p icmp --icmp-type 4 -j ACCEPT
#echo request (ping)
$IPCHAINS -A output -p icmp --icmp-type 8 -j ACCEPT
#time to live (TTL) for traceroute
$IPCHAINS -A output -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
#now deny all other OUTGOING icmp packets
$IPCHAINS -A output -p icmp -j DENY -l
#
#BLOCKED
# NOTE(review): 244.x.x.x lies inside the reserved 240.0.0.0/4 block and
# should never appear as a source on the Internet; confirm the intended
# address (the value looks like it may be a typo).
$IPCHAINS -A input -s 244.244.244.244/24 -d $REMOTENET -j DENY -l
#DHCP CLIENT BLOCK
# Refuse DHCP (bootp ports 67:68) arriving on the external interface.
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j DENY -l
#FTP
# Service access below is gated on source network only (no "-i", no state);
# the cleartext services (FTP, telnet) are reachable from the listed nets.
$IPCHAINS -A input -p tcp -s 150.176.0.0/16 -d $OUTERNET 21 -j ACCEPT
$IPCHAINS -A input -p tcp -s 128.227.0.0/16 -d $OUTERNET 21 -j ACCEPT
$IPCHAINS -A output -p tcp -s 192.168.0.0/24 -d $OUTERNET 21 -j ACCEPT
$IPCHAINS -A input -p tcp -s 205.218.0.0/16 -d $OUTERNET 21 -j ACCEPT
#SSH
# NOTE(review): "63.97.188.5/24" has host bits set; ipchains applies the
# mask, so this matches the whole 63.97.188.0/24 network, not one host.
# If a single host was intended, write it as 63.97.188.5/32 (same for the
# TELNET rule below).
$IPCHAINS -A input -p tcp -s 150.176.0.0/16 -d $OUTERNET 22 -j ACCEPT
$IPCHAINS -A input -p tcp -s 63.97.188.5/24 -d $OUTERNET 22 -j ACCEPT
$IPCHAINS -A input -p tcp -s 128.227.0.0/16 -d $OUTERNET 22 -j ACCEPT
#TELNET
$IPCHAINS -A input -p tcp -s 63.97.188.5/24 -d $OUTERNET 23 -j ACCEPT
$IPCHAINS -A input -p tcp -s 150.176.0.0/16 -d $OUTERNET 23 -j ACCEPT
$IPCHAINS -A input -p tcp -s 128.227.0.0/16 -d $OUTERNET 23 -j ACCEPT
$IPCHAINS -A output -p tcp -s 192.168.0.0/24 -d $OUTERNET 23 -j ACCEPT
$IPCHAINS -A input -p tcp -s 205.218.0.0/16 -d $OUTERNET 23 -j ACCEPT
#DNS
# Replies are accepted only from the two configured resolvers (source port
# 53) to unprivileged local ports; queries leave via the internal interface.
$IPCHAINS -A input -p udp -i $OUTERIF -s 209.212.128.33 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -i $OUTERIF -s 209.212.128.33 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p udp -i $OUTERIF -s 209.212.128.32 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -i $OUTERIF -s 209.212.128.32 53 -d $OUTERIP 1024:65535 -j ACCEPT
$IPCHAINS -A output -p udp -i $INTERNALIF -s $REMOTENET 1024:65535 -d $OUTERNET 53 -j ACCEPT
$IPCHAINS -A output -p tcp -i $INTERNALIF -s $REMOTENET 1024:65535 -d $OUTERNET 53 -j ACCEPT
#HTTPD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
#IDENTD
# NOTE(review): a hostname in "-s" is resolved once, when the rule is loaded.
# The rule then matches whatever address DNS returned at that moment, and
# loading fails if DNS is unreachable. Prefer the literal address here and in
# the ICQ rule below, and keep the hostname in a comment.
$IPCHAINS -A input -p tcp -s luminous.host888.com -d $OUTERNET 113 -j ACCEPT
$IPCHAINS -A input -p udp -s luminous.host888.com -d $OUTERNET 113 -j ACCEPT
#NETBIOS
# The following denies are all scoped to the external interface ($OUTERIF).
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY -l
#deny nessusd from outside
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 3001 -i $OUTERIF -j DENY -l
#printer
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 515 -i $OUTERIF -j DENY -l
#RIP
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j DENY -l
#NFS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
#XSERVER / VNCSERVER
#now we deny x server from anyone else.
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5800:5902 -i $OUTERIF -j DENY -l
#DHCP SERVER
# Accept DHCP traffic (source port 67 or 68) on the internal interface only.
$IPCHAINS -A input -p udp -s $REMOTENET 67 -i $INTERNALIF -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET 68 -i $INTERNALIF -j ACCEPT
#ICQ
# NOTE(review): these three rules differ in style from the rest of the file
# (upper-case "UDP"/"TCP", hard-coded "ppp3" instead of $OUTERIF, "any/0"
# instead of $REMOTENET). The first accepts any UDP from whatever
# icq.mirabilis.com resolves to, on any interface; the second accepts TCP from
# anywhere on ppp3 to port 50 of the whole 192.168.0.0/24, and the third
# allows outbound TCP to port 1. Confirm the ports and the interface name are
# still what is intended -- if ppp3 is renumbered these rules silently stop
# matching.
$IPCHAINS -A input -p UDP -s icq.mirabilis.com 1024:65535 -j ACCEPT
$IPCHAINS -A input -i ppp3 -p TCP -s any/0 1024:65535 -d 192.168.0.1/24 50 -j ACCEPT
$IPCHAINS -A output -i ppp3 -p TCP -s 192.168.0.1/24 1024:65535 -d any/0 1 -j ACCEPT
# Napster
# NOTE: You must specify a different -R address for every client
# If anyone knows how to simplify this, PLEASE email me!
# (The two commented rules below each carry a stray "#" before the port
# spec; fix that before uncommenting them.)
#$IPCHAINS -A input -i $OUTERIF -p tcp -s any/0 1024:65535 -d $OUTERIP #6699 -j ACCEPT
#$IPCHAINS -A output -i $OUTERIF -p tcp -s $OUTERIP 1024:65535 -d any/0 #1024:65535 -j ACCEPT
# Path to ipmasqadm; only used by the commented-out port-forward line.
IPMASQADM=/usr/sbin/ipmasqadm
#$IPMASQADM portfw -a -P tcp -L $OUTERIP 6699 -R 192.168.0.0 6699
#Only allowing local connections for my proxies
# NOTE(review): each rule gives a SOURCE port as well as a destination port
# ("-s 0/0 3128 -d 0/0 3128"), so it only fires when a client happens to
# connect FROM port 3128 TO port 3128; ordinary connections to the proxy from
# a non-loopback interface are not denied by it. To match the stated intent,
# drop the source port:
#   $IPCHAINS -A input -p tcp -i ! lo -d 0/0 3128 -j DENY -l
# (likewise for 8000 and 3130). LAN hosts are already accepted by the
# UNRESTRICTED ACCESS rule above, so the corrected deny affects outside
# sources only.
$IPCHAINS -A input -p tcp -i ! lo -s 0/0 3128 -d 0/0 3128 -j DENY -l
$IPCHAINS -A input -p tcp -i ! lo -s 0/0 8000 -d 0/0 8000 -j DENY -l
$IPCHAINS -A input -p tcp -i ! lo -s 0/0 3130 -d 0/0 3130 -j DENY -l
#Log @Home port scans
# Logged deny of all TCP/UDP from 24.0.0.0/8. NOTE(review): the range
# "1:65000" leaves ports 65001-65535 unmatched on both sides; use 1:65535
# (or omit the port spec) if the whole range is meant.
$IPCHAINS -A input -p udp -s 24.0.0.0/8 1:65000 -d $REMOTENET 1:65000 -j DENY -l
$IPCHAINS -A input -p tcp -s 24.0.0.0/8 1:65000 -d $REMOTENET 1:65000 -j DENY -l
#Drop all fragments
# NOTE(review): "-f" matches non-first fragments, and this rule is on the
# OUTPUT chain only, so incoming fragments on $OUTERIF are not covered here;
# check whether the pmfirewall defaults handle the input side.
$IPCHAINS -A output -f -i $OUTERIF -d $OUTERNET -j DENY -l
# weird port client block
# These match only when source port == destination port (25 -> 25, 111 -> 111),
# a pattern real clients do not use; the "-s ... 25" is intentional here.
#sendmail
$IPCHAINS -A input -p tcp -i $OUTERIF -s $REMOTENET 25 -d $REMOTENET 25 -j DENY -l
#sunrpc udp/tcp
$IPCHAINS -A input -p tcp -i $OUTERIF -s $REMOTENET 111 -d $REMOTENET 111 -j DENY -l
$IPCHAINS -A input -p udp -i $OUTERIF -s $REMOTENET 111 -d $REMOTENET 111 -j DENY -l
#block napster
# Logged deny of outbound TCP to the two listed Napster server networks.
$IPCHAINS -A output -p tcp -i $OUTERIF -s $REMOTENET 1024:65535 -d 208.184.216.0/24 -j DENY -l
$IPCHAINS -A output -p tcp -i $OUTERIF -s $REMOTENET 1024:65535 -d 64.124.41.0/24 -j DENY -l