To configure IPFilter for effective security, use several
techniques and building blocks together.
For example, you can configure rules to allow rsh, rlogin,
and telnet to run only on your internal network. Your internal network
subnet is 20.20.20.0/24. All three services use specific TCP ports
(513, 514, and 23). Configure the following rules in the following
order:
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on lan0 proto icmp from any to any
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 513
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 514
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 23
pass in all
Be sure the rules for the services are placed before the pass in all rule to close them off to systems outside your network.
To block UDP instead of TCP, replace proto tcp with proto udp. The rule for syslog would then be:
block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514
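To see why the order of these rules matters, the following simulator walks packets through the rule set above the way IPFilter does: the last matching rule decides, unless a matching rule carries quick, which ends evaluation immediately. This is an added example, not HP-UX IPFilter code; it models only the subset of ipf.conf syntax used on this page (pass/block in, log, quick, on, proto, from/to with any or a CIDR, port =, icmp-type, all), ignores the interface name, and uses constructed sample addresses (198.51.100.7 as an outside host, 20.20.20.15 as an inside host). One scenario inserts the UDP syslog rule from the previous paragraph ahead of pass in all.

```python
"""Simplified simulator of IPFilter inbound rule matching (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule set from the page, one rule per line, in the order given.
RULES_TEXT = """\
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on lan0 proto icmp from any to any
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 513
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 514
block in log quick on lan0 proto tcp from any to 20.20.20.0/24 port = 23
pass in all
"""

# The page's UDP variant for syslog, inserted before "pass in all" in one scenario.
UDP_SYSLOG_RULE = "block in log quick on lan0 proto udp from any to 20.20.20.0/24 port = 514"


@dataclass
class Rule:
    text: str
    action: str                        # "pass" or "block"
    quick: bool = False
    log: bool = False
    proto: Optional[str] = None        # None matches any protocol
    src: Optional[object] = None       # ip_network, or None for "any"
    dst: Optional[object] = None
    port: Optional[int] = None         # destination port (follows the "to" clause)
    icmp_type: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if tok[0] not in ("pass", "block") or tok[1] != "in":
        raise ValueError(f"only 'pass in' / 'block in' rules are modelled: {line!r}")
    rule = Rule(text=line, action=tok[0])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "log":
            rule.log = True; i += 1
        elif t == "quick":
            rule.quick = True; i += 1
        elif t == "all":               # no protocol or address constraint
            i += 1
        elif t == "on":                # interface name is not modelled here
            i += 2
        elif t == "proto":
            rule.proto = tok[i + 1]; i += 2
        elif t in ("from", "to"):
            net = None if tok[i + 1] == "any" else ipaddress.ip_network(tok[i + 1])
            setattr(rule, "src" if t == "from" else "dst", net); i += 2
        elif t == "port" and tok[i + 1] == "=":
            rule.port = int(tok[i + 2]); i += 3
        elif t == "icmp-type":
            rule.icmp_type = int(tok[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, deciding rule). Last match wins, except that a
    matching 'quick' rule decides at once; a packet no rule matches passes."""
    decision: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            decision = rule
            if rule.quick:
                break
    if decision is None:
        return "pass", False, None
    return decision.action, decision.log, decision.text


def demo() -> Dict[str, str]:
    rules = parse_rules(RULES_TEXT)
    with_udp = rules[:-1] + [parse_rule(UDP_SYSLOG_RULE)] + rules[-1:]
    outside, inside = "198.51.100.7", "20.20.20.15"   # constructed sample hosts
    cases = {
        "telnet from outside": (rules, Packet("tcp", outside, inside, dport=23)),
        "http from outside": (rules, Packet("tcp", outside, inside, dport=80)),
        "icmp echo reply": (rules, Packet("icmp", outside, inside, icmp_type=0)),
        "icmp echo request": (rules, Packet("icmp", outside, inside, icmp_type=8)),
        "udp syslog, tcp-only rules": (rules, Packet("udp", outside, inside, dport=514)),
        "udp syslog, udp rule added": (with_udp, Packet("udp", outside, inside, dport=514)),
    }
    return {name: evaluate(rs, pkt)[0] for name, (rs, pkt) in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:32s} -> {action}")
```

The run shows that telnet, rlogin/rsh and unsolicited ICMP are decided by the quick block rules before pass in all is ever consulted, while HTTP and UDP/514 fall through to pass in all until a matching block rule for that protocol is added ahead of it.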
Several services allow you to block by port number for security:
portmap on TCP port 111 and UDP port 111
NFS on TCP port 2049 and UDP port 2049
To get a complete listing of the ports being listened on, use netstat -a, or check /etc/services.