Created
August 26, 2012 18:27
-
-
Save fcicq/3482349 to your computer and use it in GitHub Desktop.
Ferm config file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IPv6 | |
| domain ip6 table filter { | |
| chain INPUT { | |
| proto ipv6-icmp ACCEPT; | |
| } | |
| } | |
| domain (ip ip6) table filter { | |
| # fcicq: temporary disable log... | |
| chain logdrop { | |
| # LOG log-level warning log-prefix "dropped "; | |
| DROP; | |
| } | |
| chain INPUT { | |
| # fcicq: DO NOT EDIT HERE ... see blow | |
| policy DROP; | |
| # connection tracking | |
| mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| # allow local packet | |
| interface lo ACCEPT; | |
| # respond to ping | |
| proto icmp icmp-type echo-request mod limit limit 2/sec ACCEPT; | |
| # allow IPsec | |
| proto udp dport 500 ACCEPT; | |
| # proto (esp ah) ACCEPT; | |
| # allow SSH connections | |
| proto tcp dport ssh ACCEPT; | |
| # fcicq: BEGIN MODIFY HERE... | |
| # my services. | |
| proto tcp { | |
| dport (80 443) ACCEPT; | |
| } | |
| proto udp { | |
| dport 1024:65535 ACCEPT; | |
| } | |
| # deny here | |
| # IP Based Filtering | |
| # saddr 192.168.0.0/16 DROP; | |
| # tcp-flags [!] MASK COMP: CHECK all the flags in MASK, and flags in COMP must be set (to be matched). | |
| # optional ! to inverse | |
| # nmap port scanning / stealth scan | |
| proto tcp { | |
| tcp-flags ALL NONE jump logdrop; | |
| tcp-flags ALL ALL jump logdrop; | |
| tcp-flags ALL FIN jump logdrop; | |
| tcp-flags ALL (FIN URG PSH) jump logdrop; | |
| tcp-flags ALL (SYN FIN URG PSH) jump logdrop; | |
| tcp-flags ALL (SYN RST ACK FIN) jump logdrop; | |
| tcp-flags ALL (SYN RST ACK FIN URG) jump logdrop; | |
| tcp-flags (SYN RST) (SYN RST) jump logdrop; | |
| tcp-flags (SYN FIN) (SYN FIN) jump logdrop; | |
| tcp-flags (FIN RST) (FIN RST) jump logdrop; | |
| tcp-flags (ACK FIN) FIN jump logdrop; | |
| tcp-flags (ACK PSH) PSH jump logdrop; | |
| tcp-flags (ACK URG) URG jump logdrop; | |
| } | |
| proto tcp tcp-flags (SYN ACK FIN RST) RST @subchain "port-scan" { | |
| mod limit limit 1/sec RETURN; | |
| jump logdrop; | |
| } | |
| # syn flood, 5 connections per sec | |
| proto tcp syn @subchain "syn-flood" { | |
| mod limit limit 1/sec limit-burst 5 RETURN; | |
| jump logdrop; | |
| } | |
| } | |
| chain OUTPUT { | |
| policy ACCEPT; | |
| # connection tracking | |
| #mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| } | |
| chain FORWARD { | |
| policy DROP; | |
| # connection tracking | |
| mod state state INVALID DROP; | |
| mod state state (ESTABLISHED RELATED) ACCEPT; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment