############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT "1:65535"
+set TCP_OUT_DELAY "ssh,ftp"
+set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
+set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
+set TCP_OUT_COST ""
+
set UDP_IN "ntp"
set UDP_OUT "1:65535"
+
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
if lo goto UNUSUAL DROP;
- if ppp0 ACCEPT;
-
#incoming traffic, seperate by interface
if %IFS {
goto badguys;
of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
of lo goto UNUSUAL DENY;
- of ppp0 ACCEPT;
-
saddr !%IPSPEC goto UNUSUAL DENY;
# again uncomment for trojan horses protection and inside out
}
# again no dns fumbling around
- #sport domain dport domain saddr (**DNS IPS**) {
- # ACCEPT;
- #}
+ sport domain dport domain saddr %NSIP {
+ ACCEPT;
+ }
goto LDENY;
}
protocol tcp reverse {
# rapid response protocols
- dport (ssh,ftp) settos min-delay ACCEPT;
+ dport %TCP_OUT_DELAY settos min-delay ACCEPT;
# keep these from timing out
- dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
+ dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
# bulk stuff
- dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
+ dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
}
- # remove any bits set by clients for different
- # protocols, since they might be tricking their
- # packets into a unfair priority... It wouldn't
- # surprise me if IE uses this... :-O
- settos min-cost ACCEPT;
+ proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
}
#####################################################################
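Review bot: `proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;` on the new side selects on a variable the same patch sets to the empty string (`set TCP_OUT_COST ""`), and what an empty port list expands to is not visible here — if the tool drops the empty `dport` clause the rule silently becomes accept-all-outbound-TCP, and if it matches nothing then the old catch-all `settos min-cost ACCEPT;` it replaces has no successor for UDP/ICMP egress. Either way the removed comment explaining why the catch-all existed should survive, e.g. `# default: clear any TOS bits a client may have set to gain unfair priority`, and `TCP_OUT_COST` deserves a one-line comment stating whether empty means "no ports" or "all ports". The unchanged `dport (ftp-data,8888,6699) settos max-throughput ACCEPT;` right after the new `%TCP_OUT_THROUGHPUT` rule repeats ftp-data and bypasses the new variables; folding 8888 and 6699 into `TCP_OUT_THROUGHPUT` would keep the port lists in one place. `%NSIP` in the new `sport domain dport domain saddr %NSIP` rule is not defined anywhere in this hunk; presumably it is set elsewhere in the file, worth confirming since an undefined name there changes what the DNS exception matches. The enclosing blocks closed by the trailing `}` lines start outside the hunk.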