#
# a rather complex firewall setup
# example for ferm, by Auke Kok
#

# this example works with ipchains only (unmodified)
# clearall presumably flushes the rules already loaded before this
# set is installed, and createchains makes the user chains declared
# below (fw_tcp, fw_udp, fw_icmp, tosqueue) -- confirm both against
# the ferm manual for the version in use
option ipchains
option clearall
option createchains

chain fw_tcp proto tcp
# tcp is rather open when running servers
# (entered from the input chain for tcp arriving on the outside
# interfaces; rules are tried top to bottom and the first ACCEPT or
# DENY wins -- a packet matching nothing here presumably returns to
# input, whose policy is ACCEPT)
{
    # deny scanning via dns port
    # NOTE(review): a remote host chooses its own source port, so
    # "sport dns" only identifies well-behaved resolvers -- it is
    # not a trust boundary
    sport dns {
	dport dns ACCEPT;
    	syn DENY log;
    }

    # public services, accepted only from unprivileged client ports
    dport (
	ssh
	ftp
	ftp-data
	pop3
	smtp
	http
    ) sport 1024: ACCEPT;
    # don't allow from suid ports!
    # (same caveat as above: the source port is chosen by the peer)

    # special case to allow active ftp transfers to our machine!
    sport ftp-data dport 1024: ACCEPT;
    
    # awkward incoming connections
    # (any connection attempt to a port not listed above)
    syn DENY log;

    # lock suid ports
    # NOTE(review): this also matches non-SYN packets from remote
    # privileged ports, e.g. the replies of an outside web or mail
    # server (sport http/smtp) to a connection opened from this box
    # (and, depending on how masqueraded replies traverse input, from
    # the lan too), since nothing above accepts them -- confirm that
    # is intended before reusing this chain
    sport :1023 DENY log;
    
    # want to deny inside-out fake stuff? uncomment this:
    # (see /proc/sys/net/ipv4/ip_local_port_range )
    # dport 5000: DENY log;
}

chain fw_udp proto udp
# udp protocol, denied mostly
{
    # again no dns fumbling around
    # (a reply from a remote resolver only gets through when our query
    # left from port 53 as well; a client-style resolver using a high
    # source port would be denied by the rule below)
    sport dns dport dns ACCEPT;
    # every other udp packet is denied and logged
    # NOTE(review): there is no rate limit on this rule, so a udp
    # flood on the outside interfaces fills the log
    DENY log;
}

chain fw_icmp proto icmp
# icmp acceptance rules
{
    # only these icmp types are let in, everything else is denied below
    icmptype (
	ping # remove if you do not want to be 'seen'
	pong # removing this will cause you not being able
	     # to ping someone else, since the response
	     # will be blocked...
	destination-unreachable
	time-exceeded
    ) ACCEPT;
    # never seen hits on this one:
    # (all other icmp types; logged, no rate limit on the log)
    DENY log;
}

chain tosqueue
# queueing for tcp-traffic, quite good for response on
# a ppp-line (modem), maybe a bad idea for eth...
# (entered from the output chain for tcp leaving on the outside
# interfaces; note that the final rule ACCEPTs every tcp packet,
# so nothing after the goto in output is consulted for tcp)
{
    protocol tcp # yes, required by the kernel... it also
	         # only works for tcp.
    # this next line creates mirroring rules for the sport:
    reverse
    {
        # rapid response protocols
	dport (ssh,ftp) settos min-delay ACCEPT;
        # keep these from timing out
	dport (http,nntp,smtp,dns) settos max-reliability ACCEPT;
        # bulk stuff
	dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
    }

    # remove any bits set by clients for different
    # protocols, since they might be tricking their
    # packets into an unfair priority... It wouldn't
    # surprise me if IE uses this... :-O
    # (catch-all: every remaining tcp packet gets min-cost and is accepted)
    settos min-cost ACCEPT;
}

# built-in chains:

chain input policy ACCEPT
{
    #incoming traffic, separate by interface
    # (only the outside interfaces are filtered; a packet arriving on any
    # other interface, e.g. lo or an inside lan card, hits the ACCEPT policy)
    interface (eth0,ppp0)
    {
	# our outside interfaces: go through the right way...
	# blocklist first, so listed hosts are dropped before the
	# per-protocol chains see them
	# NOTE(review): the badguys chain is commented out at the end of
	# this file; unless ferm creates it on reference, this goto will
	# fail to load -- either enable that chain or drop this line
	goto badguys;
	# NOTE(review): nothing here rejects packets that arrive on the
	# outside interfaces with a source in 192.168.0.0/24 (the subnet
	# masqueraded in forward); an anti-spoofing rule in front of
	# these gotos is the usual fix
	protocol tcp goto fw_tcp;
	protocol udp goto fw_udp;
	protocol icmp goto fw_icmp;
    }
}

chain forward policy ACCEPT
{
    # masquerading support for private subnets
    # (interface here is presumably the one the packet leaves by, i.e.
    # lan traffic going out to the world -- confirm for ipchains)
    # NOTE(review): with policy ACCEPT, forwarded packets from any other
    # source range are routed unmasqueraded and unfiltered; tighten this
    # if the box routes for more than 192.168.0.0/24
    interface (eth0,ppp0) saddr 192.168.0.0/24 MASQ;
}

chain output policy ACCEPT
{
    # queueing goes here, maybe some special fw rules as well
    # NOTE(review): tosqueue ends with an unconditional ACCEPT, so any
    # tcp rule placed after this goto (like the commented one below) is
    # never reached for eth0/ppp0 -- put such rules before this line
    proto tcp if (eth0,ppp0) goto tosqueue;

    # again uncomment for trojan horses protection and inside out
    # violations....
    # sport 5000: DENY log;
}

#chain badguys
#{
    # list notorious portscanners here without the 'log'
    # keyword, so they don't flood logs.
    # saddr spammer.net.com DROP; # you may specify computer names as well
    # saddr 10/8 DROP; # or network addresses like this impossible one
    # daddr 10/8 DROP; # maybe even from guys fooling you around
    # saddr 123.45.6.78 DROP; # a single machine, very bad
    # saddr 123.45.6/24 DROP; # better to include the entire subnet
#}

# end
