## ipf.conf - config file for ipfilter
##
## This is a very simple set of rulesets for a single machine's
## firewall. It will only drop packets, not actively respond to
## probes. Uncomment the services you wish to use.
##
## Last revised 15 Feb 2002 - m-woo
##
## pass all local traffic
pass in quick on lo0 all
pass out quick on lo0 all
##
## block inbound traffic from a particular IP on a particular port
## (substitute the host address and port number for the placeholders)
#block in quick on hme0 from <ip> to any port = <port>
##
## block all inbound/outbound traffic that doesn't comply with rules below
## the first rule logs to the daemon.notice syslog event level
#block in log level daemon.notice all
block in all
block out all
##
## pass all inbound tcp, udp, icmp traffic from x.x.x.x with state
## substitute host address for x.x.x.x
#pass in quick on hme0 proto tcp from x.x.x.x to any keep state
#pass in quick on hme0 proto udp from x.x.x.x to any keep state
#pass in quick on hme0 proto icmp from x.x.x.x to any keep state
##
## pass inbound echo request
#pass in quick on hme0 proto icmp from any to any icmp-type 8
##
## pass inbound identd requests
#pass in quick on hme0 proto tcp from any to any port = 113 flags S keep state
##
## pass inbound smtp
#pass in quick on hme0 proto tcp from any to any port = 25 flags S keep state
##
## pass inbound ssh
#pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
##
## pass inbound http and https
#pass in quick on hme0 proto tcp from any to any port = 80 flags S keep state
#pass in quick on hme0 proto tcp from any to any port = 443 flags S keep state
##
## pass inbound active ftp
#pass in quick on hme0 proto tcp from any to any port = 21 flags S keep state
##
## pass inbound passive ftp using unprivileged ports in range 15000-16000 only
## this requires that the ftp daemon be configured to use that range only
#pass in quick proto tcp from any to any port 15000 >< 16000 flags S keep state
##
## pass inbound telnet
#pass in quick on hme0 proto tcp from any to any port = 23 flags S keep state
##
## pass inbound NFS requests
## you will have to determine how to allow connection to mountd
#pass in quick on hme0 proto tcp from any to any port = 2049 flags S keep state
#pass in quick on hme0 proto udp from any to any port = 2049 keep state
##
## pass inbound lpd requests
#pass in quick on hme0 proto tcp from any to any port = 515 flags S keep state
##
## pass all outbound tcp, udp, icmp traffic with state
pass out quick on hme0 proto tcp from any to any keep state keep frags
pass out quick on hme0 proto udp from any to any keep state keep frags
pass out quick on hme0 proto icmp from any to any keep state
##
## end of ipfilter ruleset
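The ordering this file depends on (a non-quick "block in all" / "block out all" placed before the per-service "pass ... quick" rules, because ipfilter lets the last matching rule win unless a matching rule says "quick") can be checked with a small evaluator. This is an added example, not part of ipf.conf or of IPFilter; it handles only the clauses used in this file, and the RULESET (the page's rules with ssh and passive ftp uncommented) and the 10.0.0.5 packet address are constructed.

```python
"""Toy evaluator for ipfilter rule ordering: rules are scanned top to bottom and
the LAST match wins, unless a matching rule says 'quick', which stops the scan."""
# Constructed ruleset based on the page's ipf.conf (ssh and passive ftp enabled).
RULESET = """\
pass in quick on lo0 all
block in all
block out all
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any to any port 15000 >< 16000 flags S keep state
pass out quick on hme0 proto tcp from any to any keep state keep frags
"""

def parse_rule(line):
    # 'flags S', 'keep state' and 'keep frags' don't affect rule selection; ignored.
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": t[t.index("on") + 1] if "on" in t else None,
         "proto": t[t.index("proto") + 1] if "proto" in t else None,
         "src": t[t.index("from") + 1] if "from" in t else "any",
         "port": None}
    if "port" in t:
        i = t.index("port")
        if t[i + 1] == "=":                 # port = N
            r["port"] = (int(t[i + 2]), int(t[i + 2]))
        else:                               # port LOW >< HIGH, both ends exclusive
            r["port"] = (int(t[i + 1]) + 1, int(t[i + 3]) - 1)
    return r

def load(text):
    # Skip blank and '#'-commented lines; keep file order, since it matters.
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def matches(rule, pkt):
    lo, hi = rule["port"] or (0, 65535)
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["src"] in ("any", pkt["src"])
            and lo <= pkt["dport"] <= hi)

def decide(rules, pkt):
    verdict = "pass"                        # ipfilter default when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:                  # 'quick': stop, this rule is final
                break
    return verdict

RULES = load(RULESET)
```

With this ruleset an inbound tcp/22 packet on hme0 first hits "block in all", then the quick ssh rule, and passes; tcp/23 only hits "block in all" and is dropped; tcp/15000 is dropped because ">< " excludes both ends of the range.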