Example IP Filter firewall

Here is an example IP Filter firewall for an FTP server (allowing passive and active incoming and outgoing FTP transfers). The firewall also allows incoming ssh connections from one IP address (192.168.1.100 in this example), active FTP sessions initiated from the firewall, and all outbound traffic initiated from the server.

# Allow all loopback (local) traffic
pass in quick on lo0
pass out quick on lo0

# Cleanup rule; log all incoming traffic not allowed by one of the rules
block in log all

# Cleanup rule for outbound connections; should not be matched because of stateful inspection
block out all

# Let in FTP control connections (port 21) from anywhere; both active and passive transfers need this
pass in quick proto tcp from any to any port = 21 flags S keep state

# Allow SSH traffic from LAN
pass in quick proto tcp from 192.168.1.100/32 to any port = 22 flags S keep state

# Allow passive FTP transfers from ports 49152 to 65534, the IANA-registered ephemeral port range
pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state

# For outgoing active FTP transfers: the remote server connects back from port 20 to an
# ephemeral port on this host. Note the operator: '><' matches ports strictly between the
# two numbers, while '<>' matches ports *outside* the range (which would admit source
# port 20 to any port, including 22)
pass in quick proto tcp from any port = 20 to any port 8192 >< 16384 flags S keep state
pass in quick proto tcp from any port = 20 to any port 32768 >< 40000 flags S keep state

# Stateful outbound rules
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
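Added example, not part of the original page: a small Python model of how IP Filter evaluates the inbound rules above (a matching "quick" rule decides at once, otherwise the last match wins), so the effect of each rule and of the "><" (between) versus "<>" (not between) port operators can be checked offline. It assumes a server address of 10.0.0.2 and a test source 203.0.113.9; "on <iface>" and "proto" are not modelled, so the lo0 rules are left out and only TCP packets are evaluated.

```python
# Added example, not from the original page: replays the page's inbound TCP rules with IP
# Filter's matching semantics ('on <iface>' and 'proto' not modelled: TCP only, lo0 left out).
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def port_matcher(toks, i):
    """'port = N', 'port A >< B' (strictly between A and B) or 'port A <> B' (outside)."""
    if toks[i] == "=":
        return (lambda p, n=int(toks[i + 1]): p == n), i + 2
    lo, op, hi = int(toks[i]), toks[i + 1], int(toks[i + 2])
    return {"><": lambda p: lo < p < hi, "<>": lambda p: p < lo or p > hi}[op], i + 3

def parse_rule(line):
    toks = line.split()
    r = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
         "src": ANY, "dst": ANY, "sport": lambda p: True, "dport": lambda p: True}
    i = 2
    while i < len(toks):
        if toks[i] in ("from", "to"):
            key = "src" if toks[i] == "from" else "dst"
            r[key], i = (ANY if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1])), i + 2
            if i < len(toks) and toks[i] == "port":
                r[key[0] + "port"], i = port_matcher(toks, i + 1)   # -> "sport" / "dport"
        else:
            i += 1   # proto tcp, log, all, flags S, keep state: no effect on matching here
    return r

def evaluate(rules, pkt):
    """ipf semantics: a matching 'quick' rule decides at once, otherwise the last match wins."""
    verdict = "pass"                                   # ipf default when nothing matches
    for r in rules:
        if (r["dir"] != pkt["dir"]
                or ipaddress.ip_address(pkt["src"]) not in r["src"]
                or ipaddress.ip_address(pkt["dst"]) not in r["dst"]
                or not (r["sport"](pkt["sport"]) and r["dport"](pkt["dport"]))):
            continue
        verdict = r["action"]
        if r["quick"]:
            break
    return verdict

# The page's inbound rules; with '8192 <> 16384' (not between) in the last one, PROBE passes.
RULES = [parse_rule(l) for l in ["block in log all",
    "pass in quick proto tcp from any to any port = 21 flags S keep state",
    "pass in quick proto tcp from 192.168.1.100/32 to any port = 22 flags S keep state",
    "pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state",
    "pass in quick proto tcp from any port = 20 to any port 8192 >< 16384 flags S keep state"]]
# Constructed SYN from an Internet host, source port 20 like FTP data, to ssh on the assumed 10.0.0.2.
PROBE = {"dir": "in", "src": "203.0.113.9", "sport": 20, "dst": "10.0.0.2", "dport": 22}
```

Replacing the last rule's operator with "<>" and re-running evaluate(RULES, PROBE) shows why the operator choice matters: the probe is then passed instead of blocked.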


Last modified: 02/03/2006