<firewall>
#
# Global configuration and access classes
#
<global>
# Modules we need to load
# ip_queue: userspace packet queueing. No QUEUE target is referenced in any
#   chain of this file, so the module is presumably unused here - confirm.
# ip_conntrack_ftp / ip_nat_ftp: FTP connection-tracking and NAT helpers.
#   The conntrack helper is what lets FTP data connections be classified
#   RELATED and therefore match the valid_connections class below.
#   service_ftp is defined but not referenced by any rule in this file;
#   drop both helper modules if FTP is not actually passed through this host.
<modules>
<load name="ip_queue"/>
<load name="ip_conntrack_ftp"/>
<load name="ip_nat_ftp"/>
</modules>
#
# BEGIN - STANDARD CLASSES
#
# A class is a reusable packet match; rules below reference classes by name.
# An <address> with no attributes matches everything (see "blank").
#
# Loopback; INPUT accepts it for every protocol via accept_input_all.
<class name="local_iface">
<address src-iface="lo"/>
</class>
# Replies on connections conntrack already knows about. The INVALID state is
# not matched anywhere in this file, so such packets are left to the DROP
# policy of the built-in chains (unless a later accept_* rule matches them).
<class name="valid_connections">
<address cmd-line="-m state --state ESTABLISHED,RELATED"/>
</class>
# New TCP connection attempts only (SYN, conntrack state NEW). Every
# accept_*_tcp chain is entered through this class, so a TCP packet that is
# neither a tracked reply nor a fresh SYN cannot be accepted by those chains.
<class name="syn_packets">
<address proto="tcp" cmd-line="--syn -m state --state NEW"/>
</class>
# Any UDP / any ICMP, without state or port restriction.
<class name="udp_packets">
<address proto="udp"/>
</class>
<class name="icmp_packets">
<address proto="icmp"/>
</class>
# NOTE(review): IP protocol number 2 is IGMP; RSVP is protocol 46. The name
# and the value disagree - confirm which was meant. Not referenced in this
# file.
<class name="rsvp_packets">
<address proto="2"/>
</class>
# Flag combinations no legitimate TCP stack sends (xmas, all flags, null,
# SYN+RST, SYN+FIN). check_packets logs and drops anything matching these.
<class name="invalid_tcp_packets">
<address proto="tcp" cmd-line="--tcp-flags ALL FIN,URG,PSH"/>
<address proto="tcp" cmd-line="--tcp-flags ALL ALL"/>
<address proto="tcp" cmd-line="--tcp-flags ALL SYN,RST,ACK,FIN,URG"/>
<address proto="tcp" cmd-line="--tcp-flags ALL NONE"/>
<address proto="tcp" cmd-line="--tcp-flags SYN,RST SYN,RST"/>
<address proto="tcp" cmd-line="--tcp-flags SYN,FIN SYN,FIN"/>
</class>
# ICMP types accepted inbound: 0 echo-reply, 3 destination-unreachable,
# 8 echo-request, 11 time-exceeded. All other types (redirects, router
# advertisements, ...) are not accepted by accept_input_icmp.
<class name="valid_icmp_packets">
<address proto="icmp" cmd-line="--icmp-type 0"/>
<address proto="icmp" cmd-line="--icmp-type 3"/>
<address proto="icmp" cmd-line="--icmp-type 8"/>
<address proto="icmp" cmd-line="--icmp-type 11"/>
</class>
# UDP port range probed by classic traceroute. Note this is a UDP match, so
# it can only ever fire inside a chain that UDP packets are sent to.
<class name="traceroute_packets">
<address proto="udp" dst-port="33434:33465"/>
</class>
# Service classes: destination-port matches for the accept_* chains. Only
# service_smtp, service_pop3 and service_ssh are referenced in this file;
# the others are provided for local customisation.
<class name="service_ftp">
<address proto="tcp" dst-port="21"/>
</class>
<class name="service_ssh">
<address proto="tcp" dst-port="22"/>
</class>
<class name="service_smtp">
<address proto="tcp" dst-port="25"/>
</class>
<class name="service_dns">
<address proto="tcp" dst-port="53"/>
<address proto="udp" dst-port="53"/>
</class>
<class name="service_http">
<address proto="tcp" dst-port="80"/>
</class>
<class name="service_https">
<address proto="tcp" dst-port="443"/>
</class>
<class name="service_pop3">
<address proto="tcp" dst-port="110"/>
</class>
<class name="service_tinc">
<address proto="udp" dst-port="655"/>
<address proto="tcp" dst-port="655"/>
</class>
<class name="service_ident">
<address proto="tcp" dst-port="113"/>
</class>
<class name="service_imap">
<address proto="tcp" dst-port="143"/>
</class>
<class name="service_pserver">
<address proto="tcp" dst-port="2401"/>
</class>
<class name="service_httpproxy">
<address proto="tcp" dst-port="3128"/>
<address proto="tcp" dst-port="8080"/>
</class>
<class name="service_postgresql">
<address proto="tcp" dst-port="5432"/>
</class>
# NTP and RIP match on both source and destination port, i.e. server-to-
# server exchanges; clients sending from an ephemeral source port do not
# match these classes.
<class name="service_time">
<address proto="udp" dst-port="123" src-port="123"/>
</class>
<class name="service_rip">
<address proto="udp" dst-port="520" src-port="520"/>
</class>
# 1645/1646 are the legacy RADIUS ports, 1812/1813 the current ones.
<class name="service_datametrics">
<address proto="udp" dst-port="1645"/>
<address proto="udp" dst-port="1646"/>
</class>
<class name="service_radius">
<address proto="udp" dst-port="1812"/>
<address proto="udp" dst-port="1813"/>
</class>
<class name="service_dhcp">
<address proto="udp" dst-port="67:68"/>
</class>
# Rate limiter attached to the LOG rules: at most 30 matches per minute,
# with a burst of 10, so a packet flood cannot fill the log.
<class name="30_per_min">
<address cmd-line="-m limit --limit 30/min --limit-burst 10"/>
</class>
# Match-all; used wherever a rule should apply unconditionally.
<class name="blank">
<address />
</class>
#
# END - STANDARD CLASSES
#
# Site-specific classes. Interface layout implied by the matches below:
# eth1 = LAN side (192.168.101.0/24), eth0 = external/upstream side.
#
# LAN hosts allowed to originate forwarded traffic: must arrive on eth1 AND
# carry a source inside 192.168.101.0/26 (anti-spoofing), bound for eth0.
# NOTE(review): this is a /26 while proxy_redirect and internal_local use a
# /24 - hosts 192.168.101.64-255 are never forwarded; confirm this is
# intended.
<class name="valid_internal_traffic">
<address src-iface="eth1" src="192.168.101.0/26" dst-iface="eth0"/>
</class>
# Sources to SNAT: the same /26, for any destination outside the LAN /24
# (LAN-to-LAN traffic is left untranslated). Used by the <snat> rule at the
# end of the file.
<class name="nat_internal_traffic">
<address src="192.168.101.0/26" dst="! 192.168.101.0/24"/>
</class>
# Any eth1 -> eth0 packet regardless of source address. Used by
# accept_forward_all to run the invalid_forwarding checks before
# valid_internal_traffic is consulted.
<class name="internal_traffic">
<address src-iface="eth1" dst-iface="eth0"/>
</class>
# Outbound HTTP from the LAN (a candidate for a proxy redirect). Not
# referenced by any rule in this file.
<class name="proxy_redirect">
<address src="192.168.101.0/24" proto="tcp" dst="! 192.168.101.0/24"
dst-port="80"/>
</class>
# Any packet with a LAN source address, on any interface. Not referenced by
# any rule in this file.
<class name="internal_local">
<address src="192.168.101.0/24" />
</class>
# eth0 loop is normally used when doing strange NAT stuff
# (eth0 -> eth0 hairpin). Not referenced by any rule in this file.
<class name="eth0_loop">
<address src-iface="eth0" dst-iface="eth0"/>
</class>
</global>
#
# Access control lists
#
<acl>
<table name="filter">
#
# CUSTOM RULES
#
# Chains in this section are the local customisation point and are consulted
# before the SYSTEM sections below. Several chain names appear again further
# down; presumably the generator appends the rules of every <chain> with the
# same name in file order - confirm with the tool's documentation.
#
# INPUT, any protocol. Empty here; loopback is added in the SYSTEM section.
<chain name="accept_input_all">
</chain>
# INPUT, new TCP connections (entered via syn_packets). SMTP and POP3 are
# open to any source address here; SSH is added in the SYSTEM section.
<chain name="accept_input_tcp">
<rule target="accept_traffic">
service_smtp;
service_pop3;
</rule>
</chain>
<chain name="accept_input_udp">
</chain>
<chain name="accept_input_icmp">
</chain>
# FORWARD egress policy: SMTP from the LAN towards eth0 is REJECTed (ICMP
# error rather than silent drop), so internal hosts cannot talk to external
# mail servers directly. Called from accept_forward_all below.
<chain name="invalid_forwarding">
<rule target="REJECT">
service_smtp;
</rule>
</chain>
# FORWARD, any protocol; first stop for every forwarded packet. Only eth1 ->
# eth0 traffic is sent through invalid_forwarding; anything it does not
# reject continues to the accept_forward_* chains.
<chain name="accept_forward_all">
<rule target="invalid_forwarding">
internal_traffic;
</rule>
</chain>
# FORWARD: LAN hosts in the /26 may open any TCP (new SYNs), UDP or ICMP
# towards eth0 - there is no destination or port restriction apart from
# the SMTP reject above. Nothing is forwarded from eth0 towards the LAN
# except ESTABLISHED,RELATED replies (accept_state).
<chain name="accept_forward_tcp">
<rule target="accept_traffic">
valid_internal_traffic;
</rule>
</chain>
<chain name="accept_forward_udp">
<rule target="accept_traffic">
valid_internal_traffic;
</rule>
</chain>
<chain name="accept_forward_icmp">
<rule target="accept_traffic">
valid_internal_traffic;
</rule>
</chain>
# OUTPUT: the match-all "blank" class accepts every locally generated packet,
# so OUTPUT's DROP policy is never reached; check_packets is the only place a
# locally generated packet can be discarded. Replace this rule with explicit
# service classes if egress filtering on the host itself is wanted.
<chain name="accept_output_all">
<rule target="accept_traffic">
blank;
</rule>
</chain>
<chain name="accept_output_tcp">
</chain>
<chain name="accept_output_udp">
</chain>
<chain name="accept_output_icmp">
</chain>
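#
# SYSTEM INPUT RULES - CUSTOMIZE ABOVE
#
# Loopback is accepted for every protocol.
<chain name="accept_input_all">
<rule target="accept_traffic">
local_iface;
</rule>
</chain>
# New SSH connections are accepted from any source address; nothing in this
# file rate-limits or restricts them. Add a source-restricted class in the
# CUSTOM section if the host is reachable from untrusted networks.
<chain name="accept_input_tcp">
<rule target="accept_traffic">
service_ssh;
</rule>
</chain>
# Traceroute probes are UDP (dst-port 33434:33465). INPUT sends UDP to this
# chain (udp_packets) and only ICMP to accept_input_icmp (icmp_packets), so
# the traceroute_packets rule has to live here: placed in accept_input_icmp
# it could never match and the probes fell through to log_input and DROP,
# which presumably kept traceroutes towards this host from completing.
<chain name="accept_input_udp">
<rule target="accept_traffic">
traceroute_packets;
</rule>
</chain>
# ICMP echo request/reply, destination-unreachable and time-exceeded are
# accepted; every other ICMP type falls through to log_input and DROP.
<chain name="accept_input_icmp">
<rule target="accept_traffic">
valid_icmp_packets;
</rule>
</chain>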
#
# SYSTEM FORWARD RULES - CUSTOMIZE ABOVE
#
# Intentionally empty: all forwarding policy lives in the CUSTOM section
# above. With these empty, a forwarded packet not accepted there reaches
# log_forward and the FORWARD chain's DROP policy.
<chain name="accept_forward_all">
</chain>
<chain name="accept_forward_tcp">
</chain>
<chain name="accept_forward_udp">
</chain>
<chain name="accept_forward_icmp">
</chain>
#
# SYSTEM LOGGING RULES
#
# Last rule of each built-in chain: log what is about to hit the DROP policy,
# at most 30 entries per minute (burst 10) via 30_per_min. LOG never
# terminates, and a packet over the limit simply skips the LOG rule - either
# way the packet then falls to the chain's DROP policy. The prefix names the
# table and chain so log lines can be attributed.
<chain name="log_input">
<rule target='LOG --log-prefix "FW:filter:INPUT "'>
30_per_min;
</rule>
</chain>
<chain name="log_forward">
<rule target='LOG --log-prefix "FW:filter:FORWARD "'>
30_per_min;
</rule>
</chain>
<chain name="log_output">
<rule target='LOG --log-prefix "FW:filter:OUTPUT "'>
30_per_min;
</rule>
</chain>
# Log-then-drop used by check_packets for malformed TCP. Only the LOG rule
# is rate limited; the DROP is match-all, so nothing slips through while
# logging is throttled.
<chain name="log_drop_packets">
<rule target='LOG --log-prefix "FW:filter:check_packets "'>
30_per_min;
</rule>
<rule target="DROP">
blank;
</rule>
</chain>
#
# MAIN SYSTEM RULES
#
# Remove the bwmd rule if you are not using it
# NOTE(review): no bwmd rule is present in accept_traffic in this file; the
# comment above looks stale.
# Terminal accept: every accept_* chain ends up here.
<chain name="accept_traffic">
<rule target="ACCEPT">
blank;
</rule>
</chain>
# Tracked replies (ESTABLISHED,RELATED) are accepted early, before any
# per-service rule is consulted. Runs in INPUT, FORWARD and OUTPUT.
<chain name="accept_state">
<rule target="accept_traffic">
valid_connections;
</rule>
</chain>
# Sanity check run first in every built-in chain: the TCP flag combinations
# in invalid_tcp_packets are logged and dropped. Nothing else is checked
# here - in particular INVALID conntrack state is not matched, so such
# packets continue down the chain and are left to the DROP policy.
<chain name="check_packets">
<rule target="log_drop_packets">
invalid_tcp_packets;
</rule>
</chain>
#
# MAIN SYSTEM CHAINS
#
# Built-in chains, all with policy DROP. Evaluation order is the same in
# each:
#   1. check_packets   - log and drop malformed TCP
#   2. accept_state    - accept ESTABLISHED,RELATED replies
#   3. accept_*_all    - protocol-independent accepts
#   4. accept_*_tcp    - entered for new TCP SYNs only
#   5. accept_*_udp    - entered for any UDP
#   6. accept_*_icmp   - entered for any ICMP
#   7. log_*           - rate-limited LOG, then the DROP policy applies
# IP protocols other than TCP, UDP and ICMP are only ever accepted by an
# accept_*_all chain; none does so in this file.
#
# Host-bound traffic: loopback, SSH, SMTP, POP3, the listed ICMP types.
<chain name="INPUT" default="DROP">
<rule target="check_packets">
blank;
</rule>
<rule target="accept_state">
blank;
</rule>
<rule target="accept_input_all">
blank;
</rule>
<rule target="accept_input_tcp">
syn_packets;
</rule>
<rule target="accept_input_udp">
udp_packets;
</rule>
<rule target="accept_input_icmp">
icmp_packets;
</rule>
<rule target="log_input">
blank;
</rule>
</chain>
# Routed traffic: LAN /26 -> eth0 for any service except SMTP; replies only
# in the other direction.
<chain name="FORWARD" default="DROP">
<rule target="check_packets">
blank;
</rule>
<rule target="accept_state">
blank;
</rule>
<rule target="accept_forward_all">
blank;
</rule>
<rule target="accept_forward_tcp">
syn_packets;
</rule>
<rule target="accept_forward_udp">
udp_packets;
</rule>
<rule target="accept_forward_icmp">
icmp_packets;
</rule>
<rule target="log_forward">
blank;
</rule>
</chain>
# Locally generated traffic: accept_output_all matches everything, so the
# DROP policy and log_output are never reached in the current configuration.
<chain name="OUTPUT" default="DROP">
<rule target="check_packets">
blank;
</rule>
<rule target="accept_state">
blank;
</rule>
<rule target="accept_output_all">
blank;
</rule>
<rule target="accept_output_tcp">
syn_packets;
</rule>
<rule target="accept_output_udp">
udp_packets;
</rule>
<rule target="accept_output_icmp">
icmp_packets;
</rule>
<rule target="log_output">
blank;
</rule>
</chain>
</table>
</acl>
# Source NAT for LAN hosts (nat_internal_traffic: 192.168.101.0/26 towards
# any destination outside 192.168.101.0/24). "your.external.ip.here" is a
# placeholder, not a valid address - replace it with the address of eth0
# before loading this file. No DNAT/redirect section is configured, so the
# proxy_redirect class is unused.
<nat>
<snat>
<rule to-src="your.external.ip.here">
nat_internal_traffic;
</rule>
</snat>
</nat>
</firewall>