#!/sbin/ipf -f -
#
# IPFilter (ipf) ruleset for a two-interface gateway.
#
# ex0  - (internal) network interface
#        192.168.2.254/24
# hme0 - (external) connection to Two Sigma
#        74.66.0.142/24
#
# Reading notes: ipf evaluates rules top to bottom; a rule marked "quick"
# ends evaluation at the first match, so the ORDER of the rules below is
# part of their meaning. Rules without an "on <if>" qualifier apply to
# every interface, but because lo0 and ex0 traffic is passed "quick" early
# on, most interface-less rules are in practice only reached by hme0.
# Inbound service rules here do not use "keep state"; later sessions of
# those connections are carried by the "flags A/A" rule (see below).

# *Nasty* packets we don't want to allow near us at all!
# "with short" matches fragments too short to carry a complete header.
block in log quick all with short

# Loopback interface should allow packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all

#
# OpenVPN greek server
#
# NOTE(review): these match only on the peer's SOURCE port, so any packet
# from 176.67.84.178 with source port 1448 reaches any local port. The
# stateful "pass out ... keep state" rules on hme0 further down already
# admit return traffic for sessions this host initiates; confirm whether
# these two rules are still needed, and if so whether they can be narrowed
# to a destination port.
pass in quick on hme0 proto tcp from 176.67.84.178 port = 1448 to any
pass in quick on hme0 proto udp from 176.67.84.178 port = 1448 to any

#
# Allow DHCP requests (even to reserved addresses).
# The third rule covers offers/acks sent to the limited broadcast address.
#
pass out quick on hme0 proto udp from any port = bootpc to any port = bootps
pass in quick on hme0 proto udp from any port = bootps to any port = bootpc
pass in quick on hme0 proto udp from any port = bootps to 255.255.255.255 port = bootpc

#
# Allow DNS queries (any interface; the state entry admits the reply).
#
pass out quick proto udp from any to any port = domain keep state

# Pass everything to internal networks, should be ok, because we are nat'ed.
# The internal segment is fully trusted by this ruleset: nothing arriving
# on ex0 is filtered or logged.
pass in quick on ex0 all
pass out quick on ex0 all

#
# Problem sites.
# No interface qualifier, but lo0/ex0 were passed above, so these only
# take effect for hme0. Not logged.
#
block in quick from 208.184.164.200 to any
block in quick from 216.64.2.55 to any
block in quick from 216.64.18.11 to any
block in quick from 64.209.234.0/24 to any
block in quick from 212.55.159.0/24 to any
block in quick from 211.47.128.128/27 to any
block in quick from 165.220.0.0/16 to any
#block in quick from 209.167.79.0/24 to any

#
# Block IANA-reserved addresses from entering or exiting
#
# Only the three RFC 1918 ranges are listed here. Loopback (127.0.0.0/8),
# link-local (169.254.0.0/16) and 0.0.0.0/8 are not covered by these rules;
# NOTE(review): confirm that omission is intentional. Note that the DHCP
# rules above are "quick" and precede these, which is what allows the
# bootp exchange despite the blocks.
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 192.168.0.0/16 to any
#
block out log quick on hme0 from any to 10.0.0.0/8
block out log quick on hme0 from any to 172.16.0.0/12
block out log quick on hme0 from any to 192.168.0.0/16
#
# Outbound from the external interface: stateful for tcp/udp/icmp, so the
# replies are admitted by the state table rather than by an inbound rule.
# Other protocols leaving hme0 (e.g. esp/ah/ipv4 for the tunnels below)
# match no "out" rule at all; NOTE(review): there is no default "block
# out", so they rely on ipf's built-in pass-when-unmatched behaviour -
# confirm that is the intended policy.
pass out quick on hme0 proto tcp from any to any keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

#
# Prevent IP spoofing attacks on the firewall.
#
# Only the single host 127.0.0.1 is matched, not the whole 127.0.0.0/8;
# genuine loopback traffic was already passed on lo0 above, so this rule
# only sees external/internal packets carrying that source.
block in log quick from 127.0.0.1 to any
# bogus, this rule depends on a dynamic address
#block in log quick from 74.66.0.142 to any

#
# Block traffic to broadcast addresses
#
# Only tcp to the internal segment's directed broadcast is blocked here;
# the earlier RFC 1918 rules key on the SOURCE address and do not cover
# this destination.
#block in log quick on hme0 proto tcp from any to 68.37.184.255
block in log quick on hme0 proto tcp from any to 192.168.2.255

#
# Tunnels.
#
# IPsec peer 208.77.212.5 is retired and explicitly blocked (its former
# pass rules kept for reference); peer 208.77.212.8 is allowed IKE
# (udp/isakmp), IP-in-IP, ESP and AH on any interface.
#
#pass in quick proto udp from 208.77.212.5 to any port = isakmp
#pass in quick proto ipv4 from 208.77.212.5 to any
#pass in quick proto esp from 208.77.212.5 to any
#pass in quick proto ah from 208.77.212.5 to any
block in quick from 208.77.212.5 to any
pass in quick proto udp from 208.77.212.8 to any port = isakmp
pass in quick proto ipv4 from 208.77.212.8 to any
pass in quick proto esp from 208.77.212.8 to any
pass in quick proto ah from 208.77.212.8 to any

# PPTP (disabled)
#pass in quick proto ipv4 from 71.190.35.80 to any port = 1723
#pass in quick proto tcp from 71.190.35.80 to any port = 1723
#pass in quick proto udp from 71.190.35.80 to any port = 1723
#pass in quick proto gre from 71.190.35.80 to any

#
# Pass multicast.
# IGMP uses 224.0.0.1.
#
# NOTE(review): the second rule has no proto or interface qualifier, so it
# admits any protocol to the whole 224.0.0.0/4 range from any source.
pass in quick proto igmp all
pass in quick from any to 224.0.0.0/4

#
# Block packets with options (e.g. source route) and short TCP fragments.
# (Short fragments are actually handled by the first rule in this file;
# this rule covers IP options and answers with an ICMP net-prohib.)
#
block return-icmp(net-prohib) in log quick all with ipopts

#
# Pass established connections.
#
# "flags A/A" matches any tcp segment with ACK set, whether or not it
# belongs to a session this firewall has seen; it is the pre-stateful
# approximation of "established". Because the inbound service rules
# below carry no "keep state", their follow-up segments depend on this
# rule, so it cannot simply be removed. NOTE(review): the stateful
# equivalent is to add "keep state" to those inbound pass rules and then
# drop these two rules, which closes the path for unsolicited ACK/RST
# segments to arbitrary ports.
pass in quick proto tcp all flags A/A
pass in quick proto tcp all flags R/R

#
# VNC
#
# 5500 is the reverse-connection listener port; open to any source.
pass in quick proto tcp from any to any port = 5500

#
# Web servers
#
#pass in quick proto tcp from any to / port = http

#
# Services on gw1.
#
# All of these are reachable from any source on any interface (in practice
# hme0, see the header). None keep state; see "Pass established
# connections" above.
pass in quick proto udp from any to any port = ntp
pass in quick proto tcp/udp from any to any port = imap
pass in quick proto tcp/udp from any to any port = domain
pass in quick proto tcp from any to any port = smtp
pass in quick proto tcp from any to any port = auth
#
pass in quick proto tcp from any to any port = http
pass in quick proto tcp from any to any port = ssh
pass in quick proto tcp from any to any port = bgp
pass in quick proto tcp from any to any port = ftp
pass in quick proto tcp from any to any port = ftp-data
pass in quick proto udp from any to any port = isakmp
# NOTE(review): purpose of udp/8001 is not recorded here - document it.
pass in quick proto udp from any to any port = 8001
# Destination is an internal host: presumably an rdr/NAT entry rewrites the
# destination before filtering, so this is the forwarded web server -
# confirm against the NAT configuration.
pass in quick proto tcp from any to 192.168.2.9 port = www

#
# Handle traceroute gracefully for up-to 30 hops away.
#
# "><" matches ports strictly between the two bounds, i.e. 33434-33523:
# 30 hops x 3 probes starting at the classic base port 33434. Answering
# with port-unreachable lets the trace terminate normally.
#
block return-icmp(port-unr) in quick proto udp from any to any port 33433 >< 33524

#
# Only allow selected ICMP types.
# "unreach" (all unreachable codes) is needed for path-MTU discovery.
#
pass in quick proto icmp all icmp-type echo
pass in quick proto icmp all icmp-type timex
pass in quick proto icmp all icmp-type unreach
pass in quick proto icmp all icmp-type echorep
pass in quick proto icmp all icmp-type squench
pass in quick proto icmp all icmp-type paramprob

#
# Send back a reset for new connections on tcp.
# "S/SA" = SYN set, ACK clear. Answering with RST (rather than dropping
# silently) confirms a live host but avoids client-side connect timeouts.
#
block return-rst in log quick proto tcp all flags S/SA

#
# Block everything by default.
# Inbound only: there is no matching default "block out".
#
block in log quick all