Previously posted on blog.labrat.info on April 22, 2010
I’ve been looking all over the internet for a simple example of an IP Filter configuration, but all I keep finding is some high-end stuff. I have a web server I want to protect and that is it. Ok, yes, it runs SSH as well so there’s that too, but, basically, all I want is for all outside ports to be blocked except ports 22 and 80. Seems most people do way more, but I just don’t need that kind of complexity.
After much search and trimming this is the content of my /etc/ipf/ipf.conf file:
block in log quick all with short
block in from any to any
pass out quick all keep state
pass in quick log proto tcp from any to any port = 22 keep state
pass in quick log proto tcp from any to any port = 80 keep state
block in quick from any to any
Very simple, but let’s go through it anyway.
- The first block line blocks incoming packets that are malformed. You’ll see “inherently bad” in the documentation that describes the packets blocked by this; in practice they are IP fragments too short to carry a complete header. The keywords used here are with short. That is what blocks them. The quick keyword means IP Filter will jump out and not evaluate any more rules for that packet. These packets are bad, right? Why bother?
- The second block line will block any packet coming into the machine, but because it has no quick keyword, IP Filter continues to evaluate the rules that follow in case there is a match. In IP Filter the last matching rule wins, so this line is the default deny that the later pass lines override.
- The first pass line will let all packets originating from the machine out. I’m sure there are some hard-core security people yelling and screaming at this moment about this. I figure, I have control of the machine and sometimes I want to do stuff from it, so I should be let out no matter where I want to leave from. If you have a good reason why this is very wrong, please leave a comment.
- The second and third pass lines open the firewall to accept TCP packets from anyone on ports 22 and 80. The log keyword is optional. I usually leave it when I’m testing and turn it off on the production machine because it will create very large log files. As for the quick keyword, this is the port we are looking for, so IP Filter should stop trying to find another rule match. The keep state at the end makes IP Filter remember the accepted connection, so the rest of its packets are passed from the state table instead of being run through the rules again.
- The last block line blocks any incoming packet that didn’t match any of the rules above and would otherwise escape. That should keep the baddies out.
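To see how these six rules interact, here is a small simulator of IP Filter’s rule-evaluation order. It is added to this post as an illustration; it is not ipf itself and not part of the configuration above. It assumes IP Filter’s documented behaviour: rules are checked top to bottom, the last matching rule decides, a matching rule marked quick ends evaluation at once, and a packet no rule matches is passed. It only understands the keywords the ruleset uses, ignores addresses (every rule here is from any to any), records keep state without simulating the state table, and the packets it evaluates are constructed samples.

```python
# Added illustration, not ipf itself and not the blog author's code: a minimal
# model of IP Filter's rule-evaluation order for the six-line ipf.conf above.
# Assumptions: rules are checked top to bottom, the LAST matching rule decides,
# a matching rule marked "quick" ends evaluation at once, and a packet that
# matches no rule is passed (IP Filter's default). Addresses are ignored because
# every rule here is "from any to any"; "keep state" is only recorded, the
# state table is not simulated.

RULESET = """\
block in log quick all with short
block in from any to any
pass out quick all keep state
pass in quick log proto tcp from any to any port = 22 keep state
pass in quick log proto tcp from any to any port = 80 keep state
block in quick from any to any
"""


def parse_rule(line):
    """Turn one ipf.conf rule into the handful of fields this model understands."""
    tokens = line.split()
    rule = {
        "action": tokens[0],            # block or pass
        "direction": tokens[1],         # in or out
        "quick": "quick" in tokens,     # stop evaluating on match
        "log": "log" in tokens,
        "short": "short" in tokens,     # "with short": fragments too short for a full header
        "proto": None,                  # None means any protocol
        "port": None,                   # None means any destination port
        "keep_state": "keep" in tokens,
    }
    if "proto" in tokens:
        rule["proto"] = tokens[tokens.index("proto") + 1]
    if "port" in tokens:
        i = tokens.index("port")        # "port = 22": the value follows the "="
        if tokens[i + 1] == "=":
            rule["port"] = int(tokens[i + 2])
    return rule


def parse_ruleset(text):
    """Parse every non-empty, non-comment line of an ipf.conf-style ruleset."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def matches(rule, pkt):
    """Does this rule apply to the packet? pkt keys: direction, proto, dport, short."""
    if rule["direction"] != pkt["direction"]:
        return False
    if rule["short"] and not pkt.get("short", False):
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); index None means no rule matched."""
    decision = ("pass", None)           # IP Filter passes a packet no rule matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule["action"], i)
            if rule["quick"]:
                break                   # quick: this match is final
    return decision


# Constructed sample packets (not captured traffic) covering the cases that matter.
SAMPLE_PACKETS = {
    "ssh in":           {"direction": "in",  "proto": "tcp", "dport": 22},
    "http in":          {"direction": "in",  "proto": "tcp", "dport": 80},
    "https in":         {"direction": "in",  "proto": "tcp", "dport": 443},
    "udp/22 in":        {"direction": "in",  "proto": "udp", "dport": 22},
    "short frag to 22": {"direction": "in",  "proto": "tcp", "dport": 22, "short": True},
    "anything out":     {"direction": "out", "proto": "tcp", "dport": 443},
}


def run_samples(ruleset_text=RULESET):
    """Evaluate every sample packet; returns {name: (action, rule index)}."""
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_samples().items():
        rule_no = idx + 1 if idx is not None else "none"
        print(f"{name:18} -> {action:5} (rule {rule_no})")
```

Running it shows the point of the second block line: an inbound packet to port 22 or 80 first matches that non-quick block, then the later quick pass for its port overrides it, while a packet to port 443, a UDP packet to port 22, or a short fragment never reaches a pass rule and ends on a block. Outbound traffic is decided by the quick pass out before anything else is looked at.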