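# Sample firewall policy file
#
# This is for the simplest case:
# a home user, one system, dialup PPP connectivity to the Internet with a
# dynamic IP address.
#
# No real policy beyond "I want to be able to access everything" is
# explicitly specified.
#
# The implementation tool uses its built-in "DEFAULT DENY" and an awareness
# of things like anti-spoofing, RFC1918, etc., to actually make things
# secure - the policy implementation tool is therefore pretty smart, and
# there is "implied policy".
#
# Question: is that a bad idea? Should things like anti-spoofing, RFC1918,
# et al. be explicitly defined as policy? It seems more "proper", and is
# more flexible should standards change, but it adds complexity and is more
# prone to misconfiguration.
#
# Perhaps that should be dependent on the implementation back end. A "fully
# scriptable" version that requires all of that be specified, and a "smart"
# version where it's hardcoded with some implied policies. Or maybe the
# implied policies can be disabled with options.
#
# NOTE(review): however that question is settled, the security of this file
# rests entirely on rules that are not written in it - the back end's implied
# DEFAULT DENY, anti-spoofing and RFC1918 filtering. Nothing below blocks
# inbound traffic; a back end that lacks (or has disabled) the implied rules
# would turn this file into "allow everything". Until the implied rules are
# either spelled out here or documented by the back end, inspect the
# generated firewall scripts after each regeneration and confirm that no
# inbound allow rule exists and that the default action is deny.
#
# Include a standard protocols and services definitions file...
include "/usr/lib/fwpolicy/standard-definitions.fwp";

# Some implementation options...
options {
    # Presumably logs packets rejected by the implied default deny; keep it
    # on so probes against the dialup address are at least visible.
    log_deny = yes;
    # Where the generated rules are written: the boot-time script, and the
    # script re-run when the PPP link comes up with its new dynamic address.
    static-firewall-file = "/etc/rc.d/rc.firewall";
    dynamic-firewall-file = "/etc/ppp/firewall";
}

# This network only has one interface...
interface {
    name = ppp0;
    system = "mysystem";
    ip = DYNAMIC;
    networks = INTERNET;
}

# Outbound: everything from this host to any Internet destination on any
# service is allowed - that is the stated goal, but it also means a
# compromised host can reach anything. There is deliberately no inbound
# allow_policy; all inbound traffic falls through to the back end's implied
# DEFAULT DENY. Whether replies to outbound connections are tracked is a
# back-end detail not expressed here - confirm against the generated rules.
allow_policy {
    destination = INTERNET;
    services = ANY;
}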