#
# These rules are an example for a stand-alone system (e.g. a desktop or web
# server) rather than a box that is functioning as a router with multiple
# network cards.
#
include helpers/icmp.conf
include helpers/icmpv6.conf
define rules SSH_ALLOWED
# Source-address allow-list for SSH, referenced from "NET to ME" below.
# The lines are presumably evaluated top to bottom, so a newly allowed source
# must be added above the closing "reject ip both all" line - confirm the
# evaluation order against the generator's documentation.
# NOTE(review): home.example.com and work.example.com are host names, not
# addresses; they are presumably resolved when the ruleset is generated, so
# the installed rules follow whatever DNS answered at that moment. Regenerate
# after an address change, and note that "ip 4" on the first line intentionally
# admits only the name's IPv4 address while "ip both" on the second admits
# both families.
accept ip 4 source address home.example.com # Only IPv4 from home.example.com
accept ip both source address work.example.com # IPv4 and IPv6 from work.example.com
accept ip 6 source address 2001:55cc:4141::2652:9338 # IPv6 Host
accept ip 6 source address 2001:55cc:4141:d1d4::/64 # IPv6 Subnet
# Everything else is rejected. "reject" here (as opposed to "drop" in INPUT)
# presumably answers the sender with an error rather than discarding silently;
# confirm against the documentation if a silent drop is preferred.
reject ip both all
end define
define rules NET to ME
# Services this host offers to the network. Ports are given by service name
# (ntp, domain, smtp, http, https, ssh) and are presumably translated to
# numbers when the ruleset is generated - confirm.
accept ip both protocol udp ports ntp,domain # NTP and DNS over UDP
accept ip both protocol tcp ports smtp,domain # mail and DNS over TCP
accept ip both protocol tcp ports http,https # web
# SSH is not accepted outright: the packet is handed to the SSH_ALLOWED rule
# set defined above, which admits only the listed sources and rejects the rest.
# NOTE(review): this line uses "port" while the others use "ports"; both appear
# in this file, so both are presumably accepted keywords - confirm.
SSH_ALLOWED ip both protocol tcp port ssh
end define
define rules OUTPUT
# Outbound traffic is allowed unconditionally for both address families.
# NOTE(review): there is no egress filtering, so any process on this host can
# reach any destination. That is the usual choice for the desktop case this
# example targets; for a server whose outbound needs are known, restricting
# this block limits what a compromised service can do.
accept ip both
end define
define rules INPUT
# ICMP handling is delegated to the rule sets pulled in by the include lines at
# the top of this file (helpers/icmp.conf and helpers/icmpv6.conf); ICMP and
# ICMP6 are presumably the names those helpers define - confirm.
ICMP ip 4 protocol icmp
ICMP6 ip 6 protocol icmpv6
#
# Silently discard Windows RPC/NetBIOS/SMB chatter (135, 137-139, 445) on both
# TCP and UDP. "drop" discards without answering, which keeps logs and the
# network quiet for traffic that is noise rather than a threat to filter by
# source.
# NOTE(review): this file does not state what happens to inbound traffic that
# matches none of the rules above; that depends on the generator's default
# policy, which should be verified to be deny.
drop ip both protocol tcp ports 135,137,138,139,445 # ignore annoying windows traffic
drop ip both protocol udp ports 135,137,138,139,445 # ignore annoying windows traffic
end define
# Standard stuff: canned rule sets shipped with the generator. The ones that
# take NET as an argument presumably apply to traffic arriving from the
# network rather than from loopback - confirm.
common loopback # allow traffic on the loopback interface
# "common bogon" is disabled by default because it is too easy to lock yourself
# out. Enable it after you have read the documentation, understand it and are
# sure it won't lock you out of your system remotely (for example, when your
# own source address falls inside a range it treats as bogus).
#common bogon NET # disabled by default because it is too easy to lock yourself out
common xmas NET # presumably drops TCP packets with invalid flag combinations - confirm
common syn NET # presumably limits or filters abusive SYN traffic - confirm
common portscan NET # presumably detects and limits port scans - confirm