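##################################################
# IP Filter for Standard Hosting Server
#
# Trusted IP:
# 210.6.118.182 : Office
# 203.124.9.99  : VPN (DLink)
# 203.124.10.6  : OpenVPN (vpn.setssl.com)
# 203.124.11.186: Hehe
# 203.124.10.18 : Cammy
# 203.124.9.11  : DNS1
# 61.93.96.245  : Chea
# 203.124.10.19 : Earth
# 203.124.11.100: China Staff VPN
#
# pool/100 : Trust_IP
# pool/200 : Rsync Backup Server
# pool/300 : Monitor IP
# pool/400 : All our IP
# pool/500 : SSH 1022 IP
# pool/600 : Blacklist (blocked in both directions, see below)
#
# Evaluation note: IP Filter is last-match-wins unless a rule carries
# "quick", in which case the first matching quick rule is final. The
# order of the "quick" rules below is therefore part of the policy.
##################################################
interface = "net0";

#-------------------------------------------------
# Block any packets which are too short to be real
#-------------------------------------------------
block in log quick all with short

#-------------------------------------------------
# Drop any IP packets with options set in them.
# (not "quick": a later "pass in quick" for a
# matching port still wins for such a packet)
#-------------------------------------------------
block in log all with ipopts

#-------------------------------------------------
# Allow all traffic on loopback.
#-------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

#-------------------------------------------------
# Blacklist (pool/600).
# Kept in one place and placed BEFORE every service
# "pass in quick" rule: a blacklist that follows
# those rules is never reached for the ports they
# pass, so blacklisted sources could still hit
# SSH, rsync, mail and the other services.
#-------------------------------------------------
block in log first quick on $interface from pool/600 to any
block out log first quick from any to pool/600

#-------------------------------------------------
# Public Network. Block everything by default.
# Outbound is not blocked (see "pass out" below).
#-------------------------------------------------
block in on $interface all
#block out on $interface all

#-------------------------------------------------
# Allow ICMP (ping)
#-------------------------------------------------
#pass out quick on $interface proto icmp all keep state
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state

#-------------------------------------------------
# Allow outbound state related packets.
#-------------------------------------------------
pass out quick on $interface proto tcp/udp from any to any keep state

#-----------
# Allow SSH
#-----------
# NOTE(review): port 22 is reachable from any source; the dedicated
# port 1022 below is already limited to pool/500 — confirm whether
# world-wide access to 22 is still required.
pass in log quick on $interface proto tcp from any to any port = 22 keep state

#-----------
# Allow SSH 1022
#-----------
pass in log quick on $interface proto tcp from pool/500 to any port = 1022 keep state

#-----------
# Allow Rsync
#-----------
# Inbound only from the backup server pool; replies are covered by the
# unconditional "pass out quick" above, so no state entry is needed.
pass in log quick on $interface proto tcp from pool/200 to any port = 873

#-----------
# Allow HTTP
#-----------
# (a per-port pool/600 block used to sit here; it is covered by the
# Blacklist section above, which now precedes all service rules)
pass in log quick on $interface proto tcp from any to any port = 80
pass in log quick on $interface proto tcp from any to any port = 443

#-----------
# Allow FTP
#-----------
#GLOBAL
pass in log quick on $interface proto tcp from any to any port = 20
pass in log quick on $interface proto tcp from any to any port = 21
# Passive-mode data range (exclusive bounds: 49152-65534).
# NOTE(review): this rule has no "on $interface" clause, so it applies
# to every interface, and it is not tied to an FTP control session —
# confirm that opening this whole range to any source is intended.
pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state

#-----------
# Allow SMTP
#-----------
pass in log quick on $interface proto tcp from any to any port = 25
pass in log quick on $interface proto tcp from any to any port = 465
pass in log quick on $interface proto tcp from any to any port = 587
pass in log quick on $interface proto tcp from any to any port = 2025
pass in log quick on $interface proto tcp from any to any port = 2620

#-----------
# Allow POP3
#-----------
pass in log quick on $interface proto tcp from any to any port = 110
pass in log quick on $interface proto tcp from any to any port = 995

#-----------
# Allow IMAP
#-----------
pass in log quick on $interface proto tcp from any to any port = 143
pass in log quick on $interface proto tcp from any to any port = 585
pass in log quick on $interface proto tcp from any to any port = 993

#-----------
# Allow mySQL
#-----------
# NOTE(review): 3306 is reachable from any source address. If only
# known hosts need it, restricting the source to a trusted pool
# (e.g. pool/100) would reduce exposure — confirm which clients connect.
pass in log quick on $interface proto tcp from any to any port = 3306

#-----------
# Allow NetPrint (Whoeat.co.uk)
#-----------
pass in log quick on $interface proto tcp from any to any port = 56230
pass in log quick on $interface proto udp from any to any port = 56230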