xref: /titanic_44/usr/src/cmd/ipf/examples/firewall (revision 99ba4d70906e5f67853c25ade6ebf4da3e5be4d6)
1Configuring IP Filter for firewall usage.
2=========================================
3
4Step 1 - Block out "bad" IP packets.
5------------------------------------
6
7Run the perl script "mkfilters".  This will generate a list of blocking
8rules which:
9	a) blocks all packets which might belong to an IP Spoofing attack;
10	b) blocks all packets with IP options;
11	c) blocks all packets which have a length which is too short for
12	   any legal packet;
13
14Step 2 - Convert Network Security Policy to filter rules.
15---------------------------------------------------------
16
17Draw up a list of which services you want to allow users to use on the
18Internet (e.g. WWW, ftp, etc).  Draw up a separate list for what you
19want each host that is part of your firewall to be allowed to do, including
20communication with internal hosts.
21
22Step 3 - Create TCP "keep state" rules.
23---------------------------------------
24
25For each service that uses TCP, create a rule as follows:
26
27pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
28
29where
30* "int-a" is the internal interface of the firewall.  That is, it is the
31  closest to your internal network in terms of network hops.
32
33* "int-net" is the internal network IP# subnet address range.  This might
34   be something like 10.1.0.0/16, or 128.33.1.0/24
35
36* "ext-service" is the service to which you wish to connect or if it doesn't
37  have a proper name, a number can be used.  The translation of "ext-service"
38  as a name to a number is controlled with the /etc/services file.
39
40