#
# Ferm example: Cable network + Masking firewall
#
# This file is an actual example of a running
# ferm firewall configuration (anonymized)
#
# (C) Auke Kok <auke.kok at planet.nl>
#

# note: this example works with ipchains only (unmodified)
option ipchains

# fixed firewall setup: clear all rules before beginning
# (a re-run replaces the running ruleset instead of appending to it)
option clearall

# and create all needed rules
# NOTE(review): presumably this also creates the user chains that the
# built-in chains below jump to (goodguys, badguys, fw_*, tosqueue) —
# confirm against the ferm manual for the ipchains backend.
option createchains


# protocol specific rules
chain fw_tcp proto tcp
{
    # new connections (syn) allowed only to port ssh from 1024-
    # NOTE: the only restriction is the remote *source port*; there is no
    # saddr match, so any host on the ISP side that uses an unprivileged
    # source port can open a connection to ssh.
    dport ssh sport 1024: ACCEPT;
    # every other connection attempt (SYN) is denied and logged
    syn DENY log;
    # never to other local ports outward...
    # (non-SYN packets to the privileged ports, up to 1023)
    dport :1023 DENY log;
    # NOTE(review): unlike fw_udp and fw_icmp this chain has no final DENY.
    # A non-SYN tcp packet to a port above 1023 matches nothing here and
    # presumably falls through to the input chain's policy ACCEPT (ipchains
    # has no connection tracking to tie it to an established flow) — confirm
    # whether a closing `DENY log;` is wanted.
}

chain fw_udp proto udp
{
    # dns return packets allowed...
    # NOTE(review): the two hostnames are presumably resolved to addresses
    # when ferm generates the rules, so (a) loading the ruleset itself needs
    # working DNS and (b) a later change of the resolvers' addresses is not
    # picked up until the rules are regenerated — confirm. The match is
    # stateless (source address + source port only), so it relies on those
    # fields being genuine.
    sport domain saddr ( ns1.mydomain.org ns2.mydomain.org ) ACCEPT;
    # no logging for UDP broadcast lo flooding!
    # everything else over udp is denied silently
    DENY;
}

chain fw_icmp proto icmp
{
    # only basic ICMP allowed for 'our' convenience only
    # `pong` is the reply to our own pings (echo-reply); echo-request is not
    # listed, so inbound pings from the ISP side end up in the DENY below.
    icmptype (
        pong destination-unreachable time-exceeded
    ) ACCEPT;
    # track down who's scanning you
    # all other ICMP types are denied and logged
    DENY log;
}

chain tosqueue
{
    # simple traffic control: fair queueing (TOS)
    # reverse rules to match any connection
    # NOTE(review): `reverse` presumably emits each dport rule a second time
    # with the port matched as sport, so replies are classified like the
    # request — confirm in the ferm manual. Only reached for tcp leaving via
    # eth0 (see the output chain); nothing here denies anything.
    protocol tcp reverse ACCEPT
    {
        # set tos bits according to traffic type
        # interactive sessions and ftp control: minimise delay
        dport (ssh,ftp) settos min-delay;
        # request/response services: prefer reliability
        dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability;
        # bulk transfers (ftp-data and two custom ports): prefer throughput
        dport (ftp-data,8888,6699) settos max-throughput;
    }
    # reset the rest for low cost! (beware!)
    # any tcp packet not matched above gets the min-cost TOS bits
    settos min-cost ACCEPT;
}

# chain goodguys
# {
    # trusted hosts:
    # saddr (
    #    # put your friends' IPs here ONLY if you really trust them!
    # ) ACCEPT;
# }

# chain badguys
# {
    # put IP addresses or hostnames here, like:
    # saddr 12.34.56.78 DROP;
    # saddr evil.hacker.org DROP;
# }

# built-in chains:

chain input policy ACCEPT
{
    # NOTE(review): the default policy is ACCEPT, so anything that is not
    # explicitly denied is let in. That covers (a) every interface other than
    # eth0 — presumably the LAN side, given the 192.168.0.0/24 network that the
    # forward chain masquerades — and (b) eth0 traffic for protocols other
    # than tcp/udp/icmp, which is never sent through a fw_* chain. A DENY
    # policy with explicit ACCEPTs would fail closed instead — confirm the
    # current behaviour is intended.
    # our eth0 is connected to the ISP
    interface eth0
    {
        # goodguys and badguys exist in this file only as commented-out
        # templates; presumably `option createchains` creates them empty, so
        # these two jumps currently match nothing — confirm before relying on
        # either chain for allow/deny listing.
        goto goodguys;
        goto badguys;
        # per-protocol filtering; each fw_* chain is defined above
        protocol tcp goto fw_tcp;
        protocol udp goto fw_udp;
        protocol icmp goto fw_icmp;
    }
}

chain forward policy ACCEPT
{
    # masq our local network that is outgoing
    # only packets from 192.168.0.0/24 that leave via eth0 are masqueraded
    interface eth0 saddr 192.168.0.0/24 MASQ;
    # NOTE(review): with policy ACCEPT every other routed packet is forwarded
    # untouched; nothing in this chain restricts forwarding towards the inside
    # or from other source networks. A DENY policy would confine forwarding to
    # the MASQ rule above — confirm the open policy is intended.
}

chain output policy ACCEPT
{
    # simple TC for all outgoing traffic
    # only tcp leaving via eth0 is sent through tosqueue for TOS marking;
    # everything else is accepted by the chain policy unchanged.
    # (`proto`/`if` are the short forms of `protocol`/`interface` used
    # elsewhere in this file — presumably equivalent, as both spellings
    # appear; pick one for consistency.)
    proto tcp if eth0 goto tosqueue;
}

