#### Input rules ####
input default deny

# accept all on inside
input accept interface inside nolog

# accept all on loopback
input accept interface localhost nolog

# Ignore packets from broadcast
input deny from 0.0.0.0 log
input deny from 255.255.255.255 log

# reject X11 on outside (X11 is unsafe)
#input reject protocol tcp interface outside to outside/28 port 6000 log
input reject protocol tcp interface outside to outside/28 port socks log

# Allow high (>950) ports
input accept protocol tcp interface outside to outside/28 port 950..65535 nolog
input accept protocol udp interface outside to outside/28 port 950..65535 nolog

# Allow smtp for mail transfer
#input accept protocol tcp interface outside to outside/28 port smtp nolog

# Allow named
input accept protocol tcp interface outside to outside/28 port domain nolog
input accept protocol udp interface outside to outside/28 port domain nolog

# Allow talk
input accept protocol udp interface outside to outside/28 port ntalk nolog
input accept protocol udp interface outside to outside/28 port talk nolog

# ignore ICMP redirect on outside (static routing)
input deny protocol icmp interface outside from any icmp_redirect log

# Allow ICMP
input accept protocol icmp nolog

# Ignore "bad" broadcasts from outside
input deny interface outside to outside-broadcast nolog

# Allow ident.. (nothing listens anyway...)
input accept protocol tcp from any to outside/28 port auth

# Reject everything else
input reject log

#### Output rules ####
output default accept nolog

#### Forwarding rules ####
forward default deny nolog

# masquerade packets going out to outside
masquerade interface outside nolog
forward to 193.13.248.0/24 interface inside nolog
forward to 193.13.247.32/28 interface inside nolog
forward to 193.13.247.64/28 interface inside nolog

#### Back channels ####
# Diablo
backchannel control tcp 116 ports udp 6112 6112
backchannel control tcp 118 ports udp 6112 6112

#### Support modules ####
helper cuseeme
helper ftp
helper irc
helper quake
helper raudio
helper vdolive

#### Masquerade timeouts ####
timeout tcp 1800
timeout tcp_fin 15
timeout udp 320