# le1 is connected to CCS ($IP_OF_WIRELESS_GATEWAY)
# de0 is connected to the wireless, private LAN (10.0.0.1)

# drop any packets with funky options
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick all with frags

# lo is cool.
pass in quick on lo0 all
pass out quick on lo0 all

# AppleTalk
pass in log quick proto ddp all
pass out log quick proto ddp all

# non-routable sucks
# if we ever see it coming in from CCS, drop it.
block in quick on le1 from 255.255.255.255/32 to any
block in quick on le1 from 192.168.0.0/16 to any
block in quick on le1 from 172.16.0.0/12 to any
block in quick on le1 from 127.0.0.0/8 to any
block in quick on le1 from 10.0.0.0/8 to any
block in quick on le1 from 0.0.0.0/32 to any

# if we ever try to send non-routable out to CCS, also drop it.
block out quick on le1 from any to 255.255.255.255/32
block out quick on le1 from any to 192.168.0.0/16
block out quick on le1 from any to 172.16.0.0/12
block out quick on le1 from any to 127.0.0.0/8
block out quick on le1 from any to 0.0.0.0/32

# if we ever see wireless clients using a non-10.0.0.x address, just drop it
# (the broadcast line stays commented out because DHCP discovery uses it)
#block in quick on de0 from 255.255.255.255/32 to any
block in quick on de0 from 192.168.0.0/16 to any
block in quick on de0 from 172.16.0.0/12 to any
block in quick on de0 from 127.0.0.0/8 to any
block in quick on de0 from 0.0.0.0/32 to any

# allow ssh in for admin purposes
# (ipf only accepts a port comparison together with proto tcp, udp or tcp/udp)
pass in quick on le1 proto tcp from $IP_OF_ADMIN_HOST to $IP_OF_WIRELESS_GATEWAY port = 22

# allow dhcp
pass in quick on de0 proto udp from any to any port = 67

# allow syslog from two wireless hosts to the gateway
pass in quick on de0 proto udp from 10.0.0.2 to 10.0.0.1 port = 514
pass in quick on de0 proto udp from 10.0.0.3 to 10.0.0.1 port = 514

# allow the monitoring host to ping through
pass in quick on le1 proto icmp from $IP_OF_MON_HOST to any icmp-type 8

# reject ident with a RST so remote daemons don't wait for a timeout
block return-rst in quick on le1 proto tcp from any to $IP_OF_WIRELESS_GATEWAY port = 113

# some ICMP debug messages we need to see on both interfaces
# echo reply, destination unreachable, and ttl exceeded
pass in quick on le1 proto icmp from any to $IP_OF_WIRELESS_GATEWAY icmp-type 0
pass in quick on le1 proto icmp from any to $IP_OF_WIRELESS_GATEWAY icmp-type 3
pass in quick on le1 proto icmp from any to $IP_OF_WIRELESS_GATEWAY icmp-type 11
pass in quick on de0 proto icmp from 10.0.0.0/24 to any icmp-type 0
pass in quick on de0 proto icmp from 10.0.0.0/24 to any icmp-type 3
pass in quick on de0 proto icmp from 10.0.0.0/24 to any icmp-type 11

# block and don't log this garbage
# RIP (port comparisons need an explicit proto; RIP is UDP)
block in quick on le1 proto udp from any port = 520 to any
# NetBIOS name/datagram service
block in quick on le1 proto tcp/udp from any to any port = 137
block in quick on le1 proto tcp/udp from any to any port = 138
# DHCP arriving from CCS. ipf's "><" range is exclusive at both ends, so
# "port 67 >< 68" would match nothing; list both ports explicitly instead.
block in quick on le1 proto tcp/udp from any to any port = 67
block in quick on le1 proto tcp/udp from any to any port = 68
block in quick on de0 proto tcp/udp from any to any port = 137
block in quick on de0 proto tcp/udp from any to any port = 138

# anything that didn't make it here was either obviously bad or was
# explicitly allowed for some reason. Now set up some rules on each
# interface with logging as needed.
block in log level local0.crit on le1 from any to any head 1
block in log level local1.crit on de0 from any to any head 2

# since all the wireless clients will be NAT'd, the addresses going over
# le1 will be using $IP_OF_WIRELESS_GATEWAY IP, not their own.
# So, let everything out and just keep state to let it back in later.
pass out quick on le1 proto tcp from any to any flags S keep state
pass out quick on le1 proto udp from any to any keep state
pass out quick on le1 proto icmp from any to any keep state

# now group by port (group 2 is the de0 head created above)
block in on de0 proto tcp from any to any port = 22 head 22 group 2
block in on de0 proto tcp/udp from any to any port = 53 head 53 group 2
block in on de0 proto tcp from any to any port = 80 head 80 group 2
block in on de0 proto tcp from any to any port = 443 head 443 group 2
block in on de0 proto tcp from any to any port = 515 head 515 group 2
block in on de0 proto tcp from any to any port = 3128 head 3128 group 2
block in on de0 proto tcp from any to any port = 8080 head 8080 group 2
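The two easiest mistakes to make in a ruleset like this are a port comparison on a rule with no tcp/udp proto (ipf refuses the rule) and a "><" range whose endpoints are adjacent, which ipf treats as exclusive at both ends and therefore never matches. The following checker is an added example, not part of the ruleset above and not ipf's own tooling; it assumes the ipf.conf range semantics just stated ("lo >< hi" matches lo < port < hi, "lo <> hi" matches port < lo or port > hi) and runs over a small constructed sample in which the rules on lines 2 and 6 carry those two defects and line 7 is the corrected range. Run it with `ipf -n -f rules.conf` alongside to catch what the real parser rejects.

```python
import re
from dataclasses import dataclass

# Constructed sample ruleset (not the page's file): line 2 compares a port
# without a proto, line 6 uses an empty exclusive range, line 7 is its fix.
SAMPLE_RULES = """\
# allow ssh in for admin purposes
pass in quick on le1 from 192.0.2.10 to 198.51.100.1 port = 22
# RIP noise from the outside
block in quick on le1 proto udp from any port = 520 to any
# intended: drop DHCP traffic arriving on the outside interface
block in quick on le1 proto tcp/udp from any to any port 67 >< 68
block in quick on le1 proto tcp/udp from any to any port 66 >< 69
pass out quick on le1 proto tcp from any to any flags S keep state
block in log level local0.crit on le1 from any to any head 1
"""

PROTO = re.compile(r"\bproto\s+(\S+)")
PORT_RANGE = re.compile(r"\bport\s+(\d+)\s*(><|<>)\s*(\d+)")
PORT_CMP = re.compile(r"\bport\s*(?:=|!=|<=|>=|<|>|eq|ne|lt|gt|le|ge)\s*(\d+)")
PORT_PROTOS = {"tcp", "udp", "tcp/udp"}


@dataclass
class Finding:
    line: int
    rule: str
    problem: str


def range_matches(port, lo, op, hi):
    """ipf range semantics (assumption stated in the lead-in):
    'lo >< hi' is true for lo < port < hi,
    'lo <> hi' is true for port < lo or port > hi."""
    if op == "><":
        return lo < port < hi
    return port < lo or port > hi


def lint_rules(text):
    """Return a Finding for every rule that compares ports without a tcp/udp
    proto, or whose >< / <> range cannot match any 16-bit port number."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        uses_port = PORT_RANGE.search(rule) or PORT_CMP.search(rule)
        proto = PROTO.search(rule)
        if uses_port and (proto is None or proto.group(1) not in PORT_PROTOS):
            findings.append(Finding(lineno, rule,
                                    "port comparison without proto tcp, udp or tcp/udp"))
        m = PORT_RANGE.search(rule)
        if m:
            lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
            if not any(range_matches(p, lo, op, hi) for p in range(65536)):
                findings.append(Finding(lineno, rule,
                                        f"range 'port {lo} {op} {hi}' matches no port"))
    return findings


if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"line {f.line}: {f.problem}\n    {f.rule}")
```

The empty-range test brute-forces all 65536 port values through `range_matches` rather than reasoning about the operators, so it stays correct for "<>" ranges that cover the whole port space as well as for adjacent "><" endpoints.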