If you know that your system will send and receive packets
only from specific IP addresses and interfaces, configure your IPFilter
rules to only allow traffic from those addresses and interfaces.
Also, there are addresses and subnets used for specific purposes
on specific interfaces. The following examples show rulesets that
block packets coming to or from places that should not have traffic.
For example, to block private address space to keep it from
entering lan0:

block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
pass in all
It is common for software to communicate with itself on 127.0.0.1. Therefore,
it is good practice to block any packets that arrive from outside with this
source address. Likewise, no packets from 10.0.0.0/8 should come in on lan0, because
a reply to such a source address could never be routed back to the sender.
If you have an internal network, you can be sure that traffic
originating from that network should only arrive on the interface attached to it.
If a packet whose source address belongs to the internal network arrives
instead on an external (for example, dialup) interface, IPFilter should block it.
For example, if your internal network subnet is 20.20.20.0/24,
use the following rules to keep traffic claiming to come from this subnet from passing
in through the external lan0 interface:

block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
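To see why the "quick" keyword matters in the two rulesets above, the following added example (not part of the IPFilter documentation or the ipf tool itself) models IPFilter's rule evaluation for the rule subset used on this page: the last matching rule wins, unless a matching rule is marked quick, in which case evaluation stops at once. The ruleset, interface names and packet addresses are constructed for illustration.

```python
import ipaddress

# Constructed ruleset: the anti-spoofing rules from the text, one rule per line.
RULES = """
block in quick on lan0 from 192.168.0.0/16 to any
block in quick on lan0 from 172.16.0.0/12 to any
block in quick on lan0 from 10.0.0.0/8 to any
block in quick on lan0 from 127.0.0.0/8 to any
block in quick on lan0 from 20.20.20.0/24 to any
pass in all
"""

def parse_rule(line):
    """Parse the IPFilter subset used here:
    ACTION in|out [quick] [on IFACE] (from SRC to DST | all)"""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False,
            "iface": None, "src": None, "dst": None}
    i = 2
    if i < len(toks) and toks[i] == "quick":
        rule["quick"] = True
        i += 1
    if i < len(toks) and toks[i] == "on":
        rule["iface"] = toks[i + 1]
        i += 2
    if i < len(toks) and toks[i] == "all":
        return rule                      # matches every packet in that direction
    if i + 3 < len(toks) and toks[i] == "from" and toks[i + 2] == "to":
        for key, tok in (("src", toks[i + 1]), ("dst", toks[i + 3])):
            rule[key] = None if tok == "any" else ipaddress.ip_network(tok, strict=False)
    return rule

def rule_matches(rule, iface, src, dst, direction):
    if rule["dir"] != direction:
        return False
    if rule["iface"] and rule["iface"] != iface:
        return False
    if rule["src"] and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    return True

def evaluate(ruleset, iface, src, dst, direction="in"):
    """Return 'block' or 'pass' for one packet under IPFilter's semantics."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()]
    result = "pass"   # IPFilter's default when no rule matches is to pass the packet
    for rule in rules:
        if rule_matches(rule, iface, src, dst, direction):
            result = rule["action"]     # last match wins ...
            if rule["quick"]:
                break                   # ... unless the matching rule is quick
    return result
```

Running the same spoofed packet through a copy of the ruleset with "quick" removed shows the trailing "pass in all" overriding the block, which is the mistake the keyword prevents.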