# Firewall rule definitions for a group/entry style rule generator.
# Each `group` becomes a chain; `entry TARGET [match args]` appends a rule whose
# target is either a built-in action (ACCEPT/REJECT/DROP/LOG/RETURN) or another
# group defined in this file.  Match arguments appear to be passed through to
# iptables (`-m state`, `--match hashlimit`, `-m recent` are used below), with
# `-d/-s ADDR PORT -p PROTO` as the generator's own address/port shorthand.
# Rule order inside a group is significant: the first matching entry decides.
# Naming convention used here: g-* groups select traffic, a-* groups act on it.

# Local Network
group g-local {
	entry ACCEPT;
}

# Outside Network
# Evaluated in order: bans first, then tripwires, then LAN / NTP / trusted
# networks, finally the general-public policy.  Note that g-tripwire runs
# before g-lan, so LAN hosts are subject to the same rate limits and bans.
group g-net {
	entry g-ban;
	entry g-tripwire;
	entry g-lan;
	entry g-ntp;
	entry g-trust;
	entry g-gen;
}

# Detect odd behavior and temporarily ban traffic
group g-tripwire {
	# Make a secure shell limit (25/hour, burst of 5).  New SSH connections
	# under the per-source rate RETURN to g-net and are handled by the later
	# groups; anything above the rate falls through to the a-tripwire entry.
	# htable-expire is in milliseconds: 1200000 ms = 20 minutes of tracking.
	entry RETURN -d 0/0 ssh -p tcp -m state --state NEW \
		--match hashlimit --hashlimit 25/hour --hashlimit-burst 5 \
		--hashlimit-htable-expire 1200000 --hashlimit-mode srcip \
		--hashlimit-name ssh;
	entry a-tripwire -d 0/0 ssh -p tcp -m state --state NEW;
	# Use some lower number ports as tripwires (no service listens on them,
	# so any connection attempt is treated as probing)
	entry a-tripwire -d 0/0 tftp -p tcp;
	entry a-tripwire -d 0/0 tftp -p udp;
	entry a-tripwire -d 0/0 whoami -p tcp;
	entry a-tripwire -d 0/0 whoami -p udp;
	# Use port scanning to trigger
	#entry a-tripwire -m psd;
}

# Log the occurrence and set the tripwire (enable the ban)
# The `recent` list named "tripwire" is shared with g-ban below.
group a-tripwire {
	entry LOG --log-prefix '**Tripwire engaged** ';
	entry REJECT -m recent --name tripwire --set;
}

# Banned Networks
group g-ban {
	# Spam mailings galore
	#entry a-ban -s 66.109.16.0/20;
	# Ban any servers that caused a tripwire
	# NOTE(review): --rcheck only tests the stored timestamp, so the ban lasts
	# 600 s from the last tripwire hit; --update would also refresh the
	# timestamp on every matching packet and extend the ban while the source
	# keeps sending — confirm which behaviour is intended.
	entry a-ban -m recent --name tripwire --rcheck --seconds 600;
}

# Banned Network Actions
group a-ban {
	entry DROP;
}

# Local Area Network
group g-lan {
	# Put your real IPs of a LAN here
	entry a-lan -s 192.168.1.1/255.255.255.0;
}

# Local Area Network Actions
group a-lan {
	entry ACCEPT;
}

# Trusted Networks
group g-trust {
	# Remote network (1.2.3.4/24 is a placeholder — replace with the real prefix)
	entry a-trust -s 1.2.3.4/255.255.255.0;
}

# Trusted Network Actions
# Trusted hosts get everything except the two admin web front-ends.
group a-trust {
	entry REJECT -d 0/0 linuxconf -p tcp;
	entry REJECT -d 0/0 swat -p tcp;
	entry ACCEPT;
}

# NTP servers
# With the only entry commented out this group matches nothing, so NTP
# traffic falls through to g-gen where port 123 is not accepted.
group g-ntp {
	# ntp1.stsn.net
	#entry a-ntp -s 72.254.0.254;
}

# Allow access to the NTP ports from the ntp servers
group a-ntp {
	entry ACCEPT -d 0/0 ntp -p udp;
	entry ACCEPT -d 0/0 ntp -p tcp;
}

# General Public
group g-gen {
	entry a-gen;
}

# General Public Actions
# Order matters: the explicit REJECTs must precede the broad `1024:` accepts.
group a-gen {
	entry ACCEPT -p icmp;
	entry REJECT -d 0/0 cfinger -p tcp;
	entry REJECT -d 0/0 mysql -p tcp;
	entry REJECT -d 0/0 mysql -p udp;
	# VNC, X11, a common alt-HTTP port and the proxy are explicitly refused
	entry REJECT -d 0/0 5800:5816 -p tcp;
	entry REJECT -d 0/0 5900:5916 -p tcp;
	entry REJECT -d 0/0 6000:6016 -p tcp;
	entry REJECT -d 0/0 8000 -p tcp;
	entry REJECT -d 0/0 squid -p tcp;
	# NOTE(review): these two entries accept every port >= 1024 (both
	# protocols) from any source not rejected above, so any service bound to
	# a high port is reachable from the internet.  If the intent is to admit
	# return traffic for outbound connections, a stateful
	# `-m state --state ESTABLISHED,RELATED` accept (the state match is
	# already used in g-tripwire) would be far narrower — confirm which
	# high-port services actually need to be public.
	entry ACCEPT -d 0/0 1024: -p udp;
	entry ACCEPT -d 0/0 1024: -p tcp;
	# entry ACCEPT -d 0/0 telnet -p tcp;
	# The -p udp variants of ssh/smtp/www/https are harmless but match no
	# service these protocols use over UDP.
	entry ACCEPT -d 0/0 ssh -p udp;
	entry ACCEPT -d 0/0 ssh -p tcp;
	entry ACCEPT -d 0/0 smtp -p tcp;
	entry ACCEPT -d 0/0 smtp -p udp;
	entry ACCEPT -d 0/0 time -p tcp;
	entry ACCEPT -d 0/0 time -p udp;
	entry ACCEPT -d 0/0 domain -p udp;
	entry ACCEPT -d 0/0 domain -p tcp;
	entry ACCEPT -d 0/0 nameserver -p tcp;
	entry ACCEPT -d 0/0 www -p tcp;
	entry ACCEPT -d 0/0 www -p udp;
	entry ACCEPT -d 0/0 https -p tcp;
	entry ACCEPT -d 0/0 https -p udp;
	entry ACCEPT -d 0/0 kerberos -p tcp;
	entry ACCEPT -d 0/0 kerberos -p udp;
	entry REJECT;
}

# NOTE: Keep the top level rules here so we don't
# accidentally reject any packets we shouldn't etc...

# Incoming Packets
group INPUT {
	# Don't distinguish now that I have DHCP
	# NOTE(review): this matches on source address only (127.0.0.1/24 is
	# normalised to 127.0.0.0/24, a subset of the 127.0.0.0/8 loopback
	# range).  Without an interface restriction, packets arriving on a
	# non-loopback interface with a 127.x source would also be accepted
	# unless the kernel's martian/rp_filter handling drops them first; if the
	# generator passes `-i lo` through, that would be the tighter match —
	# confirm.
	entry g-local -s 127.0.0.1/24;
	entry g-net;
	entry REJECT;
}

# Defined but not referenced by FORWARD below (which uses g-ban, g-tripwire,
# DROP); kept for reference.
group g-forward {
	entry ACCEPT;
}

# Incoming Packets to Forward
# Forwarding is default-deny: only the ban/tripwire bookkeeping runs first.
group FORWARD {
	entry g-ban;
	entry g-tripwire;
	entry DROP;
}

# Prerouting (intentionally empty)
group PREROUTING {
}

# Outgoing Packets
# `option` lines set per-flow handling hints (MinDelay / MaxThrough /
# MinCost look like TOS classes — presumably applied to the matched flows);
# the single entry accepts all outbound traffic.
group OUTPUT {
	option MinDelay -d 0/0 telnet -p tcp;
	option MinDelay -s 0/0 3333 -p tcp;
	option MinDelay -s 0/0 ssh -p tcp;
	option MinDelay -d 0/0 ssh -p tcp;
	option MinDelay -d 0/0 ftp -p tcp;
	option MaxThrough -s 0/0 ftp-data -p tcp;
	# option MaxRely -d 0/0 snmp -p tcp;
	option MinCost -d 0/0 nntp -p tcp;
	option MinCost -s 0/0 http -p tcp;
	entry ACCEPT;
}