# let through connections that were opened earlier
add check-state
# RFC 1918 and other illegal subnets
add drop all from 0.0.0.0/8 to any
add drop all from 10.0.0.0/8 to any
add drop all from 169.254.0.0/16 to any  # MS dhcp default address
add drop all from 172.16.0.0/12 to any
add drop all from 192.0.2.0/24 to any  # reserved for docs
# note: this rule also matches the LAN hosts 192.168.0.5 and 192.168.0.10 used below,
# so, with ipfw's first-match order, the later pass rules for them are never reached
add drop all from 192.168.0.0/16 to any
add drop all from 204.152.64.0/23 to any  # SUN cluster interconnect
add drop all from 240.0.0.0/4 to any  # IANA blocks and unused networks
#
# allow this host to connect anywhere
add allow all from 127.0.0.1 to any
add allow all from 192.168.0.10 to 192.168.0.10
add pass tcp from 192.168.0.10 to any out setup keep-state
add pass udp from 192.168.0.10 to any out keep-state
add pass ip from 192.168.0.10 to any out
add deny all from 192.168.0.10 to any
# block illegal routing
add deny ip from any to any ipoptions rr
add deny ip from any to any ipoptions ts
add deny ip from any to any ipoptions lsrr
add deny ip from any to any ipoptions ssrr
# block scans from port scanners such as Nmap
add deny tcp from any to any tcpflags syn,fin
add deny tcp from any to any tcpflags syn,rst
# other..
add deny tcp from any 0 to any
add deny tcp from any to any 0
add deny udp from any 0 to any
add deny udp from any to any 0
# frag clause to handle IP fragments
add allow all from any to any frag
# (TCP) let the WAN reach these services
add pass tcp from any to 192.168.0.10 25 in  # smtp
#add pass tcp from any to 192.168.0.10 80 in  # web
add pass tcp from any to 192.168.0.10 110 in  # pop3
#add pass tcp from any to 192.168.0.10 443 in  # web SSL
# (TCP) privileged machines, ssh access
add pass tcp from 192.168.0.5 to 192.168.0.10 22 in  # ssh
add pass tcp from 192.168.0.5 to 192.168.0.10 80 in  # web
add pass udp from 192.168.0.5 to 192.168.0.10 161 in  # snmp
#add pass tcp from 192.168.0.5 to 192.168.0.10 3128 in  # squid
#add pass tcp from 10.10.75.3 to 192.168.0.10 22 in  # ssh
# let the WAN reach some UDP services
#add pass udp from any to 192.168.0.10 1024-65535 in
# (ICMP) network troubleshooting, management and control
# 0=Echo Reply
# 3=Destination Unreachable
# 8=Echo Request
# 11=TTL Exceeded
add pass icmp from any to 192.168.0.10 icmptypes 0,3,8,11
# block everything else
add deny all from any to any
# EOF -DjSpider8 04212003
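A first-match walk through a constructed excerpt of the ruleset above, added here as an example and not part of the original file: the simulator, its packet dictionaries and the WAN address 203.0.113.7 are assumptions. It shows why the 192.168.0.0/16 drop near the top shadows the later ssh and keep-state rules, while the WAN-facing smtp rule still works.

```python
# Added example, not part of the original ruleset: first-match simulator for the ipfw subset
# used above. Rules carrying frag/ipoptions/tcpflags/icmptypes are skipped (plain packets only).
import ipaddress
import re

RULESET = """\
add check-state
add drop all from 10.0.0.0/8 to any
add drop all from 192.168.0.0/16 to any
add pass tcp from 192.168.0.10 to any out setup keep-state
add deny tcp from any to any tcpflags syn,fin
add pass tcp from any to 192.168.0.10 25 in          # smtp
add pass tcp from 192.168.0.5 to 192.168.0.10 22 in  # ssh
add deny all from any to any
"""
ACTIONS = {"allow": "pass", "pass": "pass", "accept": "pass", "deny": "deny", "drop": "deny"}
RULE_RE = re.compile(r"^add\s+(\w+)\s+(\w+)\s+from\s+(\S+)(?:\s+([\d,-]+))?\s+to\s+(\S+)(?:\s+([\d,-]+))?(.*)$")

def parse_rules(text):
    """Return (line, action, proto, src, sport, dst, dport, direction) tuples in file order."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(raw.split("#")[0].strip())
        if not m or m.group(1) not in ACTIONS:
            continue  # comment, check-state or an action this toy does not model
        action, proto, src, sp, dst, dp, rest = m.groups()
        opts = rest.split()
        if {"frag", "ipoptions", "tcpflags", "icmptypes"} & set(opts):
            continue  # never matched by the plain packets simulated here
        direction = next((w for w in opts if w in ("in", "out")), None)
        rules.append((n, ACTIONS[action], proto, src, sp, dst, dp, direction))
    return rules

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):  # spec is None, "25", "1024-65535" or a comma list of those
    return spec is None or any(int(lo) <= port <= int(hi or lo)
                               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def evaluate(rules, pkt):
    """First match wins, as in ipfw; with no match the implicit default rule denies."""
    for n, action, proto, src, sp, dst, dp, direction in rules:
        if proto not in ("all", "ip", pkt["proto"]) or (direction and direction != pkt["dir"]):
            continue
        if (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])
                and _port_ok(sp, pkt["sport"]) and _port_ok(dp, pkt["dport"])):
            return action, n
    return "deny", None
```

Feeding `evaluate` an inbound ssh packet from 192.168.0.5 returns `("deny", 3)`, the RFC 1918 drop on line 3 of the excerpt, rather than the ssh rule on line 7; the same drop catches this host's own outbound keep-state traffic.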