###################### lists relating to interfaces ####################
#
# Interface and network lists consumed by the firewall ruleset generator.
# NOTE(review): this file only *declares* lists; how each list is applied
# (accept/drop/NAT) lives in the rules that reference it, outside this file.
#
# list of all interfaces
# "cipcb+" is a wildcard matching every cipcb* interface; cipcb12 is also
# listed explicitly because it is special-cased below (transitdevs).
list interfaces eth0 eth1 eth2 sync0 sync1 cipcb12 cipcb+
# internal interface list
# NOTE(review): the "cipcb+" wildcard here also matches cipcb12, which is
# additionally a transitdev below. Whether cipcb12 is treated as internal
# or as transit depends on rule ordering in the consumer -- confirm the
# intended precedence.
list intdevs eth0 eth2 cipcb+
# interfaces we want to filter inward local traffic on
list filterdevs eth1 sync0 sync1
# internet facing / alphyra border devices
list extdevs sync0
# DMZ interface
list dmzdevs eth1
# interfaces that can carry both internal and external traffic - need to
# special case traffic on these unfortunately
list transitdevs sync1 cipcb12
#
########################################################################
################ lists relating to networks ############################
#
# all alphyra networks (the three RFC1918 ranges plus the public /24)
list alphyranets 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 193.111.82.0/24
# alphyra public networks
# NB: the ISP PA nets should always come in via appropriate ISP
# (provider-assigned space arriving on the wrong upstream interface is
# a spoofing indicator; presumably the consumer uses this list for
# ingress/egress source checks -- verify against the rules).
list publicnets 193.111.82.0/24 193.120.224.168/29 212.17.37.232/29
# private internal (RFC1918 only; must never appear as a source on extdevs)
list privatenets 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12
#
########################################################################
###### lists relating to ports/protocols we might or might not accept ######
#
# list of tcp ports to allow internet access to
# NOTE(review): "ntp" here is TCP/123, which NTP does not normally use;
# UDP ntp is in inet-udp-drop below, so inbound NTP from the internet is
# effectively closed unless another rule opens it -- confirm this is intended.
# "auth" (ident, 113) and "ftp" (active mode needs connection tracking)
# are exposed as well; confirm they are still required.
list inet-tcp-in smtp auth ssh ntp ftp ftp-data imaps pop3s http https \
	icpv2 webcache domain
# list of udp dest ports to allow internet access to
# NOTE(review): UDP syslog and isakmp accepted from the internet are
# unauthenticated at the transport level; presumably the rule that uses
# this list also restricts the source addresses -- verify, and check what
# 6060:6070 is for (not a well-known range).
list inet-udp-in domain syslog 6060:6070 isakmp
# list of protocols to accept from internet ifaces
# NOTE(review): ospf and pim are routing/multicast control protocols; accepting
# them on internet-facing interfaces should be limited to known peers by the
# consuming rule, otherwise a remote host could inject routing updates.
list inet-proto-in ipv6 ipv6-route ipv6-frag ospf icmp ipv6-icmp \
	ipv6-opts ipv6-nonxt pim ipv6-auth ipv6-crypt
# list of protocols to forward (currently identical to inet-proto-in)
list inet-proto-fwd ipv6 ipv6-route ipv6-frag ospf icmp ipv6-icmp \
	ipv6-opts ipv6-nonxt pim ipv6-auth ipv6-crypt
# list of tcp ports to forward (intentionally empty: nothing is forwarded)
list inet-tcp-fwd
# list of udp ports to forward
# NOTE(review): no list follows this heading, unlike inet-tcp-fwd above which
# is declared empty. If the consumer expects an inet-udp-fwd list, it is
# missing here -- check whether it is defined elsewhere or was dropped.
# list of tcp dest ports we probably want to DROP if they came from external/dmz
# (database, management, clear-text mail, RPC and SMB/NetBIOS services)
list inet-tcp-drop mysql postgres snmp telnet pop3 pop2 imap printer \
	exec shell ms-sql-s ms-sql-m rtelnet wins sunrpc smux socks amanda \
	rndc netbios-ns netbios-dgm netbios-ssn
# same but udp
list inet-udp-drop nfs smux snmp ntp netbios-ns netbios-dgm netbios-ssn
#
########################################################################
################################## NAT #################################
#
# lists
# interfaces on which NAT is applied: the border device (sync0) and the
# DMZ device (eth1)
list natdevs sync0 eth1
# destination ports exempt from NAT; 1755 is given numerically (presumably
# ms-streaming/MMS -- confirm), the rest by service name
list tcp-port-no-nat 80 1755 netbios-ns netbios-dgm netbios-ssn
list udp-port-no-nat netbios-ns netbios-dgm netbios-ssn
# source prefixes exempt from NAT
list prefix-no-nat 192.168.3.0/24
# source prefixes/hosts that are NATed
# NOTE(review): the two hostnames are presumably resolved when the ruleset
# is loaded; a DNS change or lookup failure at load time silently changes
# which hosts are NATed. Pinning them to addresses would avoid that.
list prefix-nat 192.168.11.0/24 192.168.1.0/24 10.4.5.0/24 \
	kinsey.dub.ie.alphyra.com doohan.dub.ie.alphyra.com
# public address NATed traffic is mapped to (inside publicnets' 193.111.82.0/24)
list nat-addr 193.111.82.66
#
#########################################################################