1Configuring IP Filter for firewall usage. 2========================================= 3 4Step 1 - Block out "bad" IP packets. 5------------------------------------ 6 7Run the perl script "mkfilters". This will generate a list of blocking 8rules which: 9 a) blocks all packets which might belong to an IP Spoofing attack; 10 b) blocks all packets with IP options; 11 c) blocks all packets which have a length which is too short for 12 any legal packet; 13 14Step 2 - Convert Network Security Policy to filter rules. 15--------------------------------------------------------- 16 17Draw up a list of which services you want to allow users to use on the 18Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you 19want each host that is part of your firewall to be allowed to do, including 20communication with internal hosts. 21 22Step 3 - Create TCP "keep state" rules. 23--------------------------------------- 24 25For each service that uses TCP, create a rule as follows: 26 27pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state 28 29where 30* "int-a" is the internal interface of the firewall. That is, it is the 31 closest to your internal network in terms of network hops. 32 33* "int-net" is the internal network IP# subnet address range. This might 34 be something like 10.1.0.0/16, or 128.33.1.0/24 35 36* "ext-service" is the service to which you wish to connect or if it doesn't 37 have a proper name, a number can be used. The translation of "ext-service" 38 as a name to a number is controlled with the /etc/services file. 39 40