###############################################################################
# Shorewall configuration excerpt, collected from several of its config files
# (interfaces, params, zones, policy, rules, tunnels). Each section below is
# labelled with the file it belongs to. Entry order is significant for the
# policy and rules sections (first match wins), so do not reorder them.
###############################################################################
# --- interfaces ---
# Both interfaces enable routefilter (reverse-path check), logmartians and
# nosmurfs; eth1 additionally allows DHCP on the LAN side.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      logmartians,routefilter,nosmurfs
lan     eth1        detect      dhcp,logmartians,routefilter,nosmurfs
# --- params ---
# WAN_IP: the firewall's public address (x.x.x.x is a placeholder; set it
#         before compiling).
# RFC1918: private address space. Packets arriving from the net zone with one
#          of these sources are spoofed or leaked and are dropped by the first
#          rule below.
# NOTE(review): MYNETWORK is referenced by the tcp 22,80,443 rule below but is
# not defined anywhere in this excerpt. It must be set to the trusted source
# range before use; an unset variable expands to empty text, so the source
# restriction on that rule would not be applied as written - confirm against
# the full params file.
WAN_IP=x.x.x.x
RFC1918="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
###############################################################################
# --- zones ---
#ZONE   TYPE        OPTIONS     IN                  OUT
#                               OPTIONS             OPTIONS
fw      firewall
vpn     ipv4
net     ipv4
lan     ipv4
# NOTE(review): the vpn zone is not bound to any interface in the interfaces
# section above; presumably it is attached elsewhere (for example through the
# ipsec tunnel defined at the end) - confirm, otherwise the vpn policies below
# never match anything.
###############################################################################
# --- policy ---
# Default-deny: anything not matched by a rule or a more specific policy falls
# to the final "all all DROP" line and is logged at level info.
#SOURCE DEST        POLICY      LOG LEVEL   LIMIT:BURST
$FW     all         ACCEPT
vpn     lan         ACCEPT
lan     vpn         ACCEPT
net     all         DROP        info
all     all         DROP        info
# NOTE(review): there is no lan->net policy, so LAN traffic to the Internet is
# dropped unless a rule outside this excerpt allows it - confirm this is the
# intended behaviour.
#############################################################################################################
# --- rules ---
#ACTION     SOURCE              DEST            PROTO   DEST            SOURCE          ORIGINAL    RATE    USER/   MARK
#                                                       PORT            PORT(S)         DEST        LIMIT   GROUP
# Anti-spoofing: private-range sources must never arrive from the net zone.
DROP:info   net:${RFC1918}      all
# Rate-limited ICMP to the WAN address. Packets within the limit are accepted;
# packets above it are not matched here and fall through to the policies above,
# which bounds both the work done for a ping flood and the resulting log volume.
# The per-type limits are 30/sec for the error/informational types and 3/sec
# for echo request (type 8, i.e. ping).
# NOTE(review): icmp types 4 (source quench) and 30 (traceroute) are deprecated
# by the IETF; consider removing those two lines. Replies to the firewall's own
# traffic (types 0, 3, 11, 12) are usually already accepted by connection
# tracking as ESTABLISHED/RELATED - confirm whether these explicit accepts are
# still needed.
ACCEPT      all                 $FW:${WAN_IP}   icmp    0               -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    3               -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    4               -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    11              -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    12              -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    30              -               -           30/sec
ACCEPT      all                 $FW:${WAN_IP}   icmp    8               -               -           3/sec
# Classic UDP traceroute probes (dest ports 33434-33523 from high source
# ports), rate-limited to 3/sec.
ACCEPT      all                 $FW:${WAN_IP}   udp     33434:33523     32769:65535     -           3/sec
##
# ACCEPT
##
# Management/web access to the WAN address, restricted to ${MYNETWORK} (see the
# NOTE in the params section: that variable is not defined in this excerpt).
ACCEPT      net:${MYNETWORK}    $FW:${WAN_IP}   tcp     22,80,443
# (the original excerpt is truncated at this point)
...
# --- tunnels ---
# IPsec tunnel whose remote gateway lives in the net zone. No GATEWAY address
# is given. NOTE(review): confirm whether this Shorewall version treats the
# missing GATEWAY as "any peer" (0.0.0.0/0) or rejects the entry; if it means
# any peer, the tunnel accept rules apply to IPsec traffic from any Internet
# host.
#TYPE   ZONE    GATEWAY     GATEWAY ZONE
ipsec   net