# Minimum firewall script - 6/7/01
# For DSL router
# Allow no incoming connections, all outgoing, and
# specified UDP ports for SNTP, DNS, L2TP, DHCP, traceroute,
# IPSec, IKE, and ICMP.
#
# Vendor router CLI, not a POSIX shell script: each line is one filter
# command. "remote ipfilter ... internet" rules apply to the WAN profile,
# "eth ip filter ... 0" rules to LAN interface 0. Rules are appended, so
# the order below is the evaluation order (first match wins is assumed
# here - confirm in the router's ipfilter documentation).
#
# NOTE(review): this is a stateless packet filter. Every "input accept"
# rule below is matched on protocol and port numbers only; nothing ties
# an inbound packet to a connection the inside initiated.

# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# No incoming connections, allow all other TCP
# Inbound TCP segments matching "-tcp syn" are dropped; all other inbound
# and all outbound TCP is accepted.
# NOTE(review): this only blocks new inbound connections if "-tcp syn"
# means "SYN set and ACK clear"; if it matches any segment with SYN set it
# would also drop SYN/ACK replies to outbound connections. Confirm the
# flag semantics on the device.
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet

# SNTP
# - allow requests and responses to the router only
#
# NOTE(review): in the collapsed source the "#" above could be a blank
# comment line or the start of a commented-out receive rule; confirm the
# receive rule is actually active on the device.
# receive/transmit: router-originated SNTP (local port 8123 <-> server 123).
# input/output: SNTP passing through to/from the LAN.
# The two LAN "drop" rules block LAN hosts from talking NTP directly,
# which is what "to the router only" refers to.
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
# NOTE(review): "input accept -p udp -sp 123" has no -dp, so any inbound
# UDP datagram whose source port is 123 reaches any destination port
# behind the router. The same pattern repeats for DNS (-sp 53), L2TP
# (-sp 1701) and DHCP (-sp 67) below. Port ranges are supported (see the
# traceroute rule), so adding a -dp constraint (e.g. the ephemeral range
# for DNS replies, 68 for DHCP) would narrow this - verify which local
# ports the router's own clients use before tightening.
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# DNS
# Inbound matched on source port 53 only (see SNTP note above).
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# L2TP
# Inbound matched on source port 1701 only (see SNTP note above).
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet

# DHCP
# Inbound matched on source port 67 only (see SNTP note above).
remote ipfilter append input accept -p udp -sp 67 internet
remote ipfilter append output accept -p udp -dp 67 internet

# Allow ICMP Echo Reply, Dest Unreachable, Echo Requests,
# and Time Exceeded from the WAN
# For -p icmp the -sp value is used here as the ICMP type
# (0 = echo reply, 3 = dest unreachable, 8 = echo request, 11 = time
# exceeded); types 3 and 11 are needed for path MTU discovery and
# traceroute to work. Accepting type 8 means the WAN side can ping the
# router/LAN; drop that rule if inbound ping is not wanted.
remote ipfilter append input accept -p icmp -sp 0 internet
remote ipfilter append input accept -p icmp -sp 3 internet
remote ipfilter append input accept -p icmp -sp 8 internet
remote ipfilter append input accept -p icmp -sp 11 internet

# Allow ICMP Echo Reply, Echo Request to the WAN
remote ipfilter append output accept -p icmp -sp 0 internet
remote ipfilter append output accept -p icmp -sp 8 internet

# Allow traceroute
# Outbound UDP probes to the classic traceroute port range from an
# ephemeral source port; the replies arrive as ICMP type 11/3 (allowed
# above).
remote ipfilter append output accept -p udp -dp 33434:33500 -sp 1024:65535 internet

# Allow IPSec, IKE packets
# IKE is matched on both ports (500 <-> 500). ESP (-p 50) and AH (-p 51)
# are accepted from any WAN source; the security of that path rests on
# the IPSec peer authentication, not on this filter.
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
# Default-deny for both directions; must stay last since rules are
# appended in order.
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Turn on ip filter watch for debugging
# Logs filter matches; useful while validating the rule set, consider
# turning it off once the policy is confirmed to avoid log noise.
remote ipfilter watch on internet
# Persist the configuration.
save