# Allow everything from our DNS servers in
pass in quick from 128.222.228.235/32 to any keep state
pass in quick from 128.222.228.236/32 to any keep state
pass in quick from 128.222.12.10/32 to any keep state
pass in quick from 10.5.140.176/32 to any keep state

# Let our iscsi traffic in
pass in quick from any to any port = 3260 keep state
pass in quick from 10.5.140.151/32 to any keep state

# Allow SSH access in
pass in quick proto tcp from any to any port = 22 keep state

# Allow and log icmp packets
pass in log quick proto icmp all keep state

# Allow access to the rest of the world
pass out quick from any to any keep state

# Explicitly block telnet and everything else
block in quick proto tcp from any to any port = 23
block in quick from any to any

Yep, pretty basic. I have to say, I think I might actually like ipfilter better than iptables. Maybe that’s only because I’ve only done basic stuff with it so far.

# Generated by iptables-save v1.2.11 on Thu May 17 14:52:04 2007
*filter
:INPUT DROP [13164:946396]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.222.228.235 -p tcp -j ACCEPT
-A INPUT -s 128.222.228.235 -p udp -j ACCEPT
-A INPUT -s 128.222.228.236 -p tcp -j ACCEPT
-A INPUT -s 128.222.228.236 -p udp -j ACCEPT
-A INPUT -s 128.222.12.10 -p tcp -j ACCEPT
-A INPUT -s 128.222.12.10 -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
# Completed on Thu May 17 14:52:04 2007

(128.222.228.235/236 and 128.221.12.10 are our DNS servers, I also accept pings too because I’m nice like that and people around here tend to freak out if they can’t ping their machine. I also let anything out, easy to comment out to deny outbound traffic.)