# help with firewall rules .. ipfilter<-->iptables

## playahater

I have an Efficient Networks 5861 DSL Router with, as far as I know, IP Filter. I say "as far as I know" cuz I have read the iptables and ipfilter howtos and the syntax doesn't match either of them. I'm trying to configure only the firewall on that router and protect 3 computers in the LAN connected to it .. I have Gentoo on all machines in the LAN and my plan is not to set up any fw on them since the router has ipfilter.

I want as little traffic in and out as possible. Besides standard/basic ports, I need P2P, chat, ssh, nfs, samba, but nfs and samba only in the LAN.

I found a little fw script which ipfilter uses as the default one and I have changed it to suit my needs.

Now .. I'm not sure if I did it right, so PLEASE, if anyone knows how to set up this or has any idea, help .. cuz this editing is pure logic ..

If there is any "faster"/"better" way for this script to function .. please share .. :Laughing:

```
# Maxsec Firewall script - 6/7/01
# For DSL router
# Allow protocols: HTTP, HTTPS, SMTP, POP3, SNTP, Telnet,
#                  DNS, FTP (passive), L2TP, IPSec, IKE

# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# No incoming connections
remote ipfilter append input drop -p tcp -tcp syn internet

# SSH
remote ipfilter append input accept -p tcp -sp 22 internet
remote ipfilter append output accept -p tcp -dp 22 internet

# TORRENT / DONKEY / OVERNET / KADEMLIA / FASTTRACK /
# GNUTELLA / GNUTELLA2 /
remote ipfilter append input accept -p tcp -sp 6881 internet
remote ipfilter append output accept -p tcp -dp 6881 internet
remote ipfilter append input accept -p tcp -sp 6882 internet
remote ipfilter append output accept -p tcp -dp 6882 internet
remote ipfilter append input accept -p tcp -sp 6883 internet
remote ipfilter append output accept -p tcp -dp 6883 internet
remote ipfilter append input accept -p tcp -sp 6884 internet
remote ipfilter append output accept -p tcp -dp 6884 internet
remote ipfilter append input accept -p tcp -sp 6885 internet
remote ipfilter append output accept -p tcp -dp 6885 internet
remote ipfilter append input accept -p tcp -sp 6886 internet
remote ipfilter append output accept -p tcp -dp 6886 internet
remote ipfilter append input accept -p tcp -sp 6887 internet
remote ipfilter append output accept -p tcp -dp 6887 internet
remote ipfilter append input accept -p tcp -sp 6888 internet
remote ipfilter append output accept -p tcp -dp 6888 internet
remote ipfilter append input accept -p tcp -sp 6889 internet
remote ipfilter append output accept -p tcp -dp 6889 internet
remote ipfilter append input accept -p tcp -sp 4662 internet
remote ipfilter append output accept -p tcp -dp 4662 internet
remote ipfilter append input accept -p tcp -sp 10124 internet
remote ipfilter append output accept -p tcp -dp 10124 internet
remote ipfilter append input accept -p tcp -sp 17626 internet
remote ipfilter append output accept -p tcp -dp 17626 internet
remote ipfilter append input accept -p tcp -sp 1214 internet
remote ipfilter append output accept -p tcp -dp 1214 internet
remote ipfilter append input accept -p tcp -sp 6346 internet
remote ipfilter append output accept -p tcp -dp 6346 internet
remote ipfilter append input accept -p tcp -sp 6347 internet
remote ipfilter append output accept -p tcp -dp 6347 internet

# Windows / Samba / NFS / PORTMAP
remote ipfilter append input accept -p tcp -sp 445 internet
remote ipfilter append output accept -p tcp -dp 445 internet
remote ipfilter append input accept -p tcp -sp 426 internet
remote ipfilter append output accept -p tcp -dp 426 internet
remote ipfilter append input accept -p tcp -sp 137 internet
remote ipfilter append output accept -p tcp -dp 137 internet
remote ipfilter append input accept -p tcp -sp 138 internet
remote ipfilter append output accept -p tcp -dp 138 internet
remote ipfilter append input accept -p tcp -sp 139 internet
remote ipfilter append output accept -p tcp -dp 139 internet
remote ipfilter append input accept -p tcp -sp 2049 internet
remote ipfilter append output accept -p tcp -dp 2049 internet

# ICQ / YAHOO / MSN / JABBER
remote ipfilter append input accept -p tcp -sp 5190 internet
remote ipfilter append output accept -p tcp -dp 5190 internet
remote ipfilter append input accept -p tcp -sp 5050 internet
remote ipfilter append output accept -p tcp -dp 5050 internet
remote ipfilter append input accept -p tcp -sp 1863 internet
remote ipfilter append output accept -p tcp -dp 1863 internet
remote ipfilter append input accept -p tcp -sp 5222 internet
remote ipfilter append output accept -p tcp -dp 5222 internet

# HTTP
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet

# HTTPS (SSL)
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet

# SMTP
remote ipfilter append input accept -p tcp -sp 25 internet
remote ipfilter append output accept -p tcp -dp 25 internet

# POP3
remote ipfilter append input accept -p tcp -sp 110 internet
remote ipfilter append output accept -p tcp -dp 110 internet

# SNTP
# - allow requests and responses to the router only
#
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# Telnet
remote ipfilter append input accept -p tcp -sp 23 internet
remote ipfilter append output accept -p tcp -dp 23 internet

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# FTP
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append output accept -p tcp -dp 20:21 internet

# L2TP
# - allow requests and responses to the router only
#
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet
eth ip filter append output drop -p udp -sp 1701 0
eth ip filter append output drop -p udp -dp 1701 0

# Allow IPSec, IKE packets
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Watch the results
remote ipfilter watch on internet
save
```

10x in advance

Cheers

----------

## playahater

No idea .. thought .. advice ?? :Rolling Eyes:

----------

## srm

DISREGARD:

 *Quote:*   

> Why would you allow incoming server ports like in:
> 
>  *Quote:*   # HTTP
> 
> remote ipfilter append input accept -p tcp -sp 80 internet
> ...

 

It's been a while since I have comp'ted with iptables but I think that was the general way (I'd like to say: as you did)

Flush

DENY everything.

ALLOW SPECIAL

DENY rest.

I've seen some iptables code snippets for nice little gimmicks like flood protection, been around the web

--besides this incoming issue,--

erm, I would have nothing more to say.

regards

----------

## playahater

Well .. the problem is that I'm still a heavy newbie concerning iptables/ipfilter configuration ..

 *Quote:*   

> I've seen some iptables code snippets for nice little gimmicks like flood protection, been around the web

 

I can't put that kind of script into my router .. :Smile:

But I have, kind of, made a script, but I'm not sure if it is working . . :Sad:

The script below says that all ports that are not explicitly mentioned are closed, right ??

But I have tried to connect to an IRC server (ports 6666, 6667, 6668) and it worked, even though those ports are supposed to be closed ???

Now, I'm not sure if this script is working :Crying or Very sad:

So, I was wondering if anyone can point me in the right direction ..

10x in advance

```
# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# Kill tcpmux
remote ipfilter append input drop -p tcp -dp 1 internet
remote ipfilter append input drop -p udp -dp 1 internet

#Allow ssh, smtp, web, ssl, pop3
remote ipfilter append input accept -dp 22 -p tcp internet
remote ipfilter append input accept -dp 25 -p tcp internet
remote ipfilter append input accept -dp 80 -p tcp internet
remote ipfilter append input accept -dp 443 -p tcp internet
remote ipfilter append input accept -dp 465 -p tcp internet
remote ipfilter append input accept -dp 995 -p tcp internet

#Allow chat protocols
remote ipfilter append input accept -dp 5190 -p tcp internet
remote ipfilter append input accept -dp 5050 -p tcp internet
remote ipfilter append input accept -dp 1863 -p tcp internet
remote ipfilter append input accept -dp 5222 -p tcp internet

# Amule
remote ipfilter append input accept -dp 4662 -p tcp internet

# Amule UDP
# remote ipfilter append input accept -dp 4665 -p udp internet
# remote ipfilter append input accept -dp 4672 -p udp internet

# Gnutella
remote ipfilter append input accept -dp 6346 -p tcp internet

# Gnutella UDP
# remote ipfilter append input accept -dp 6346 -p udp internet
# remote ipfilter append output accept -sp 6346 -p udp internet

# Allow Azureus (Bittorent)
remote ipfilter append input accept -dp 6881 -p tcp internet
remote ipfilter append input accept -dp 6881 -p udp internet
remote ipfilter append output accept -dp 6881 -p udp internet
remote ipfilter append output accept -sp 6881 -p udp internet

# No incoming connections, allow all other TCP
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet

# SNTP
# - allow requests and responses to the router only
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# L2TP
#remote ipfilter append input accept -p udp -sp 1701 internet
#remote ipfilter append output accept -p udp -dp 1701 internet

# DHCP
remote ipfilter append input accept -p udp -sp 67 internet
remote ipfilter append output accept -p udp -dp 67 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Requests,
# and Time Exceeded from the WAN
remote ipfilter append input accept -p icmp -sp 0 internet
remote ipfilter append input accept -p icmp -sp 3 internet
remote ipfilter append input accept -p icmp -sp 8 internet
remote ipfilter append input accept -p icmp -sp 11 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Request to the WAN
remote ipfilter append output accept -p icmp -sp 0 internet
remote ipfilter append output accept -p icmp -sp 3 internet
remote ipfilter append output accept -p icmp -sp 8 internet

# Allow traceroute
# (the source-port range must be on one line: 1024:65535)
remote ipfilter append output accept -p udp -dp 33434:33500 -sp 1024:65535 internet

# Allow IPSec, IKE packets
#remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
#remote ipfilter append input accept -p 50 internet
#remote ipfilter append input accept -p 51 internet
#remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
#remote ipfilter append output accept -p 50 internet
#remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Turn on ip filter watch for debugging
remote ipfilter watch on internet

save
```

Cheers

----------

## xante

For anyone using iptables, I'd suggest Shoreline Firewall, or Shorewall for short. It takes some time to get used to, but the options it provides are very useful.

----------

## playahater

 *xante wrote:*   

> For anyone using iptables, Id suggest shoreline firewall or shorewall for short, it takes some time to get used to, but the options it provides are very useful.

 

This is not a configuration for iptables on Linux .. this is a fw script for my router .. I can't configure the router's fw that way.

The syntax is something between iptables and ipfilter .. :Smile: .. as far as I know .. :Smile:

----------

## srm

To get a general understanding of how iptables works, so that you might derive the commands used by your router's language,

check

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

Translations available.

 *Quote:*   

> Quote:
> 
> I've seen a some iptables code-snippets for nice little gimmicks like flood protection, been around the web
> 
> i can`t put that kind of script into my router .. 

 

This is not about adding 3rd party code stuff.

It's about using the iptables --limit option, quite nifty :Smile:

playahater: have you checked out: http://kb.efficient.com/display/1n/index.asp?c=&cpc=&cid=&r=0.6192896

especially, check http://kb.efficient.com/display/1n/kb/article.asp?aid=28481

----------

## playahater

 *srm wrote:*   

> to get a general understanding of how iptables work, and so you might derive commands used by your router-language
> 
> check
> 
> http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
> ...

 

OK .. I've been playing with this fw thing in the last couple of days :Smile:

Well .. yes .. I did kind of read the iptables and ipfilter howtos ..

I'll take a look at those iptables code snippets again :Smile: .. and packet filtering, too.

Those linkz are "session expired" :Sad:

But I have downloaded the router's configuration PDF handbook .. and there is a LOT of stuff there .. and I have read it .. and .. according to that handbook, I have made the below script but .. I'm not sure if it is working :Sad: , so I thought to get some advice and thoughts about it here .. :Smile:

I have started the router's syslog and I saw that a lot of packets are being dropped, especially at port 6882, which is definitely closed, but the weird thing is that according to the below fw script, ports 6666, 6667 and 6668 are closed, but I can still log in to IRC servers :Rolling Eyes:

And I went to grc.com .. smtp and pop ports are closed, port 22 (ssh) is open and the rest of the ports are stealth .. and I think that 22 has to be open (I have enabled NAT settings and forwarded port 22) since I have to be able to log on to my computer over ssh from work.

Here is the newest version of the fw script:

```
# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# Kill tcpmux
# port 1, the router listens on that port by default.
remote ipfilter append input drop -p tcp -dp 1 internet
remote ipfilter append input drop -p udp -dp 1 internet

#Allow ssh, smtp, web, ssl, pop3
remote ipfilter append input accept -dp 22 -p tcp internet
remote ipfilter append input accept -dp 25 -p tcp internet
remote ipfilter append input accept -dp 80 -p tcp internet
remote ipfilter append input accept -dp 443 -p tcp internet
remote ipfilter append input accept -dp 465 -p tcp internet
remote ipfilter append input accept -dp 995 -p tcp internet

#Allow chat protocols
remote ipfilter append input accept -dp 5190 -p tcp internet
remote ipfilter append input accept -dp 5050 -p tcp internet
remote ipfilter append input accept -dp 1863 -p tcp internet
remote ipfilter append input accept -dp 5222 -p tcp internet

# Amule
remote ipfilter append input accept -dp 4662 -p tcp internet

# Amule UDP
# remote ipfilter append input accept -dp 4665 -p udp internet
# remote ipfilter append input accept -dp 4672 -p udp internet

# Gnutella
remote ipfilter append input accept -dp 6346 -p tcp internet

# Gnutella UDP
# remote ipfilter append input accept -dp 6346 -p udp internet
# remote ipfilter append output accept -sp 6346 -p udp internet

# Allow Azureus (Bittorent)
remote ipfilter append input accept -dp 6881 -p tcp internet
remote ipfilter append input accept -dp 6881 -p udp internet
remote ipfilter append output accept -dp 6881 -p udp internet
remote ipfilter append output accept -sp 6881 -p udp internet

# From the above you can see what I use for P2P and how; I have
# disabled UDP for everything except Azureus, and limited the rest to
# a minimum of ports. It turned out to be quite enough.

# No incoming connections, allow all other TCP
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet

# SNTP
# - allow requests and responses to the router only
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# L2TP
#remote ipfilter append input accept -p udp -sp 1701 internet
#remote ipfilter append output accept -p udp -dp 1701 internet

# DHCP
remote ipfilter append input accept -p udp -sp 67 internet
remote ipfilter append output accept -p udp -dp 67 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Requests,
# and Time Exceeded from the WAN
# Cut whatever you want to cut, or allow some other ICMP type if you need it
remote ipfilter append input accept -p icmp -sp 0 internet
remote ipfilter append input accept -p icmp -sp 3 internet
remote ipfilter append input accept -p icmp -sp 8 internet
remote ipfilter append input accept -p icmp -sp 11 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Request to the WAN
# Same as above :)
remote ipfilter append output accept -p icmp -sp 0 internet
remote ipfilter append output accept -p icmp -sp 3 internet
remote ipfilter append output accept -p icmp -sp 8 internet

# Allow traceroute
# (the source-port range must be on one line: 1024:65535)
remote ipfilter append output accept -p udp -dp 33434:33500 -sp 1024:65535 internet

# Allow IPSec, IKE packets
#remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
#remote ipfilter append input accept -p 50 internet
#remote ipfilter append input accept -p 51 internet
#remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
#remote ipfilter append output accept -p 50 internet
#remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Turn on ip filter watch for debugging
remote ipfilter watch on internet

save
```

10x in advance

Cheers

----------

## srm

Sorry about the session :Smile:

http://kb.efficient.com

What about this one?

```
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet
```

That will make your following tcp rules obsolete, I think

???

----------

## playahater

 *srm wrote:*   

> sry bout the session 
> 
> http://kb.efficient.com
> 
> what about this one?
> ...

 

Yes .. but that will allow all traffic through tcp ports .. tcp would be completely open .. right ?

That's not the point ?

I need somehow .. to tell "him" to drop all that is not mentioned .. and I told him that (last line .. drop internet) .. but he ain't listening ... :Smile:

According to regular fw rules ..

first rule .. flush .. second .. drop all .. third .. allow specific ..

But that doesn't work here .. :Rolling Eyes:

When I tried to put drop all right after flush .. I had no connection at all .. :Crying or Very sad:

And when I put this

```
# Kill irc
remote ipfilter append input drop -p tcp -dp 6666:6668 internet
remote ipfilter append input drop -p udp -dp 6666:6668 internet
remote ipfilter append output drop -p tcp -dp 6666:6668 internet
remote ipfilter append output drop -p udp -dp 6666:6668 internet
```

IRC was gone .. but how come I had to specifically point that out ??

Hmmm ... :Rolling Eyes:

----------

## pteppic

I've noticed that iptables (I assume that is what these scripts link to eventually) can have problems with drop as the default policy; set it to accept all and put a drop-all rule after all the accept rules.

----------

## srm

I would never advise setting ACCEPT as the default rule!!!!

After checking the man, I would suggest the following:

FLUSH

create Accept rules

DROP ALL (all protos)

I believe that's also better than

FLUSH

DROP ALL

ALLOW SPECIFIC

DROP ALL

(how come there are still packets to be processed by allow when there is a DROP ALL in the beginning? As you could see, that makes no sense and will block your connection completely)

 *Quote:*   

> 
> 
> I need smoehow .. to tell "him" to drop all that is not mentioned .. and i told him that (last line .. drop internet) .. but he ain`t listening ... 
> 
> 

 

see above, again:

FLUSH

create Accept rules

DROP ALL (all protos)

should solve this one.

 *Quote:*   

> 
> 
> yes .. but that will alow all traffic through tcp ports .. tcp woud be completely open .. right ?
> 
> that`s not the point ? 
> ...

 

Regarding the input/output accept -p tcp: right, even if you have specified several ports before,

these rules will open your tcp completely.

EDIT:

So, I think you just have to remove these TCP allow rules from your 2nd version and you should be fine.

kind regards

----------

## playahater

Well .. first of all .. 10x to all of you ..

I have been trying to set up this thing and in the end I got to two solutions:

1. 

FLUSH

create Accept rules

DROP ALL (all protos) 

srm suggested this .. I tried this solution and it is great .. but some things don't work and that's not so big a problem .. I'll fill the holes as I go along .. and that's the best solution .. :Smile:

In the meantime I'll use the second solution:

2. 

FLUSH

create Accept rules

Accept all outgoing

DROP ALL (all protos) 

That way .. my ports are not opened to someone behind the router, but I can use whatever I want (an example: why IRC worked) ..

As I said .. I will finish the first solution and make it the default cuz that's just the best solution ..

Here's the current script:

```
# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# Kill tcpmux
remote ipfilter append input drop -p tcp -dp 1 internet
remote ipfilter append input drop -p udp -dp 1 internet

#Allow ssh
remote ipfilter append input accept -dp 22 -p tcp internet

# Amule
remote ipfilter append input accept -dp 4662 -p tcp internet

# Gnutella
remote ipfilter append input accept -dp 6346 -p tcp internet

# Allow Azureus (Bittorent)
remote ipfilter append input accept -dp 6881 -p tcp internet
remote ipfilter append input accept -dp 6881 -p udp internet
remote ipfilter append output accept -dp 6881 -p udp internet
remote ipfilter append output accept -sp 6881 -p udp internet

# No incoming connections, allow all other TCP
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet

# SNTP
# - allow requests and responses to the router only
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# DHCP
remote ipfilter append input accept -p udp -sp 67 internet
remote ipfilter append output accept -p udp -dp 67 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Requests,
# and Time Exceeded from the WAN
remote ipfilter append input accept -p icmp -sp 0 internet
remote ipfilter append input accept -p icmp -sp 3 internet
remote ipfilter append input accept -p icmp -sp 8 internet
remote ipfilter append input accept -p icmp -sp 11 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Request to the WAN
remote ipfilter append output accept -p icmp -sp 0 internet
remote ipfilter append output accept -p icmp -sp 3 internet
remote ipfilter append output accept -p icmp -sp 8 internet

# Allow traceroute
remote ipfilter append output accept -p udp -dp 33434:33500 -sp 1024:65535 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Turn on ip filter watch for debugging
remote ipfilter watch on internet

save
```

10x again to all of you ..  :Smile:  .. 

Cheers
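An added example, not code from this thread or from Efficient Networks: a small Python simulator of first-match rule evaluation for the `remote ipfilter append <chain> <action> ... internet` lines used above. It reproduces the three orderings the thread argues about (drop-all straight after flush, srm's "accept rules then drop all", and playahater's second solution with the `input drop -tcp syn` / `accept -p tcp` pair) and the observation that a `Kill irc` rule only bites when it comes before the catch-all accept. Assumptions, not confirmed by the page: the router evaluates rules in order and the first match wins (the thread's observations are consistent with that, but the vendor handbook is the authority); `-tcp syn` matches only connection-opening segments; packets that match no rule are reported as `nomatch` rather than guessing the router's implicit default. Flush, `eth ip filter`, watch and save lines are skipped; the rule sets and packets are constructed for the example.

```python
"""First-match simulator for 'remote ipfilter append' rules (added example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str          # "input" = arriving from the WAN, "output" = leaving to the WAN
    proto: str          # "tcp", "udp", "icmp" or a numeric protocol as a string
    sport: int
    dport: int
    syn: bool = False   # True only for a TCP segment that opens a new connection


def _port_range(spec):
    """'22' -> (22, 22); '6666:6668' -> (6666, 6668)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(script):
    """Collect the 'remote ipfilter append ...' lines of a script, in order."""
    rules = []
    for raw in script.splitlines():
        parts = raw.split("#", 1)[0].split()          # ignore comments
        if parts[:3] != ["remote", "ipfilter", "append"]:
            continue                                   # flush/eth/watch/save lines
        rule = {"chain": parts[3], "action": parts[4],
                "proto": None, "sp": None, "dp": None, "syn": False}
        opts = parts[5:]
        i = 0
        while i < len(opts):
            tok = opts[i]
            nxt = opts[i + 1] if i + 1 < len(opts) else None
            if tok == "-p":
                rule["proto"] = nxt
            elif tok == "-sp":
                rule["sp"] = _port_range(nxt)
            elif tok == "-dp":
                rule["dp"] = _port_range(nxt)
            elif tok == "-tcp" and nxt == "syn":
                rule["syn"] = True
            else:                      # interface name ("internet") or unknown token
                i += 1
                continue
            i += 2
        rules.append(rule)
    return rules


def _matches(rule, pkt):
    if rule["chain"] != pkt.chain:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["sp"] is not None and not rule["sp"][0] <= pkt.sport <= rule["sp"][1]:
        return False
    if rule["dp"] is not None and not rule["dp"][0] <= pkt.dport <= rule["dp"][1]:
        return False
    if rule["syn"] and not pkt.syn:
        return False
    return True


def verdict(rules, pkt):
    """Assumed first-match semantics: the first matching rule decides."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return "nomatch"


# Constructed, abridged rule sets mirroring the orderings discussed in the thread.
DROP_FIRST = """
remote ipfilter append input drop internet
remote ipfilter append output drop internet
remote ipfilter append input accept -p tcp -dp 22 internet
"""
ACCEPT_THEN_DROP = """
remote ipfilter append input accept -p tcp -dp 22 internet
remote ipfilter append output accept -p udp -dp 53 internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
"""
SYN_DROP_CATCHALL = """
remote ipfilter append input accept -dp 22 -p tcp internet
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet
remote ipfilter append input drop internet
remote ipfilter append output drop internet
"""
KILL_IRC_FIRST = "remote ipfilter append output drop -p tcp -dp 6666:6668 internet\n" + SYN_DROP_CATCHALL

# Constructed sample packets.
SSH_IN = Packet("input", "tcp", 40000, 22, syn=True)        # someone from work opening ssh
IRC_OUT = Packet("output", "tcp", 40001, 6667, syn=True)    # LAN client opening IRC
IRC_REPLY = Packet("input", "tcp", 6667, 40001)             # IRC server's reply segment
IRC_IN_NEW = Packet("input", "tcp", 50000, 6667, syn=True)  # unsolicited inbound to 6667


def verdicts(script, packets):
    rules = parse_rules(script)
    return {name: verdict(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    samples = {"ssh_in": SSH_IN, "irc_out": IRC_OUT, "irc_reply": IRC_REPLY, "irc_in_new": IRC_IN_NEW}
    for label, script in [("drop first", DROP_FIRST), ("accept then drop", ACCEPT_THEN_DROP),
                          ("syn-drop + catch-all", SYN_DROP_CATCHALL), ("kill irc first", KILL_IRC_FIRST)]:
        print(label, verdicts(script, samples))
```

Under these assumptions, drop-all right after flush drops even the ssh connection (nothing reaches the later accept), srm's ordering lets ssh in but blocks the LAN's IRC client because no output rule accepts it, and playahater's second solution admits outbound IRC and its reply segments while still dropping an unsolicited inbound SYN to 6667, which is what a stateless filter without connection tracking has to rely on the `-tcp syn` flag for. The price is the catch-all `output accept -p tcp`, so a `Kill irc` rule has to sit before it to take effect, exactly as observed in the thread.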

----------

