24 Oct 2000


Morning Star Express

Morning Star Packet Filters

Routing with the Morning Star for LAN-Dial and Leased Line

The following are sample filter sets for varying degrees of protection:

Save the file you create under the filename Filter.


#This filter allows dns, snmp and mail in both directions, and outgoing ftp,
#www, gopher and telnet. Incoming, it denies ftp (except from a specified
#host), www, telnet (except from a specified host), and gopher.
#It also denies packets coming in with our own network as the source.
#At the end it denies everything else and logs any rejected packets.

default pass 
#do not pass incoming traffic with our network as source
#do not pass outgoing traffic with our network as a destination
	!204.7.136.0/recv/src/
	!204.7.136.0/send/dst
#snmp data and dns data
	snmp/udp/recv/dst/204.7.136.0
	domain/udp
	domain/tcp
#other tcp services
#smtp (both ways)
	smtp
#ftp	(you can specify the source address)
	ftp/syn/recv/srcaddr=<ip address>
	!ftp/syn/recv
	ftp
#ftp-data
	ftp-data/dst/204.7.136.0
#http
#Make sure to replace the x with the proper host number.
#The first two lines below are for if you have a www server
#on your site and want to allow people to connect to that.

#www/udp/syn/recv/204.7.136.x/dst
#www/tcp/syn/recv/204.7.136.x/dst
	!www/syn/recv www
#telnets
	telnet/syn/recv/srcaddr=<ip address>
	!telnet/tcp/syn/recv telnet
#gopher
	!gopher/syn/recv gopher
!all
log rejected

# tight security
#
# permit routing info to router only
# permit icmp, DNS queries, smtp, and nntp to firewall host only
# nothing else
#
# log all rejected packets

default pass    routed/<router IP>
                icmp/<host IP>
                domain/udp/<host IP>
                smtp/<host IP> nntp/<host IP>
                !all

        log     rejected

# moderate security
#
# permit routing info to router only
# permit icmp and DNS requests anywhere in network
# permit time sync ports, nntp and smtp out from firewall
# disallow incoming telnet and ftp's.
#
# log all rejected packets

default pass    routed/<router IP>
                icmp domain
                smtp/<host IP> nntp/<host IP>
                time/<host IP> ntp/<host IP>
                !telnet/syn/recv telnet
                !ftp/syn/recv ftp ftp-data
                !all

        log     rejected

# light security
#
# disallow incoming ftp's and telnets
# disallow other well-known hackable ports
# (Berkeley-style r* programs, biff, lpd, etc.)
# but NOT Sun RPC or NFS
# everything else pass
#
# log all rejected packets

default pass    !telnet/syn/recv telnet
                !ftp/syn/recv ftp ftp-data
                !exec/syn/recv exec
                !login/syn/recv login
                !shell/syn/recv shell
                !biff !printer
                all

        log     rejected

# very light security
#
# disallow incoming ftp's and telnets only
# everything else ok
#
# log all rejected packets

default pass    !telnet/syn/recv telnet
                !ftp/syn/recv ftp ftp-data
                all

        log     rejected
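As an added illustration (not part of this page or of the Morning Star software), the following toy Python evaluator applies a filter set written in the syntax above to sample packets, showing why "!telnet/syn/recv telnet" blocks only inbound connection attempts and why the anti-spoofing rules belong first. It assumes first-match semantics, that every qualifier in a rule must hold, that a bare address ending in .0 names a class C network, and that an address without src/dst applies to the destination; the service table and the packets are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed table: service names used in the filter sets above -> port.
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
# proto: "tcp"/"udp"/"icmp"; port: the flow's service port; syn: True only for a
# TCP connection-initiating segment; direction: "recv" (from the link) or "send".
Packet = namedtuple("Packet", "src dst proto port syn direction")

def parse_rule(text):
    """One rule such as '!telnet/syn/recv' -> (permit, matcher); all qualifiers must hold."""
    permit, checks, side, net = (not text.startswith("!")), [], "dst", None
    for tok in text.lstrip("!").split("/"):
        if tok in SERVICES:
            checks.append(lambda p, v=SERVICES[tok]: p.port == v)
        elif tok in ("tcp", "udp", "icmp"):
            checks.append(lambda p, v=tok: p.proto == v)
        elif tok in ("recv", "send"):
            checks.append(lambda p, v=tok: p.direction == v)
        elif tok == "syn":
            checks.append(lambda p: p.syn)
        elif tok in ("src", "dst"):
            side = tok
        elif tok != "all":  # assumption: a bare address ending in .0 is a class C network
            net = ip_network(tok + ("/24" if tok.endswith(".0") else ""), strict=False)
    if net is not None:  # the address binds to src or dst; assumed dst when unqualified
        checks.append(lambda p, s=side, n=net: ip_address(getattr(p, s)) in n)
    return permit, lambda p: all(c(p) for c in checks)

def load_filter(text):
    """Parse a Filter file: 'default pass|reject' followed by rules; comments dropped."""
    toks = [t for line in text.splitlines() for t in line.split("#")[0].split()]
    default = toks[toks.index("default") + 1] == "pass" if "default" in toks else True
    skip = {"default", "pass", "reject", "log", "rejected"}  # 'log' is not modelled
    return default, [parse_rule(t) for t in toks if t not in skip]

def decide(filt, pkt):
    """Assumed first-match semantics: the first rule that matches the packet decides."""
    default, rules = filt
    return next((permit for permit, match in rules if match(pkt)), default)

# Constructed set: the moderate set above plus the first set's anti-spoofing lines.
MODERATE = load_filter("""
default pass  !204.7.136.0/recv/src !204.7.136.0/send/dst
              icmp domain smtp/204.7.136.2
              !telnet/syn/recv telnet
              !ftp/syn/recv ftp ftp-data
              !all
log rejected
""")
```

Run it with packets such as an inbound SYN to port 23 (rejected), the same flow's return segments (passed) and a packet arriving from the link with a 204.7.136.x source (rejected before any service rule is consulted).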