
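#!/bin/sh
# basic linux workstation firewall (ipchains, Linux 2.2-era kernels)
#
# Stateless packet filter on the "input" chain.  Rules are evaluated in
# order and the first match wins.  Anything that matches nothing below
# (ICMP, non-SYN segments of established TCP connections) falls through to
# whatever policy the input chain already has; this script does NOT set one.
# NOTE(review): confirm the chain policy is the intended one, and remember
# the chain is open between the flush and the last -A below on every reload.
#
# first, flush the rules so on reload you don't get new rules after old
ipchains -F input

# Loopback.  It's possible to spoof 127/8 connections from outside, so
# accept 127/8 only on interface lo.  TCP would be fairly safe anyway, since
# routing of 127/8 would not allow the TCP connection to complete; but UDP
# could be very dangerous: the catch-all high-port UDP ACCEPT at the end of
# this file would let a forged 127/8 datagram straight in.  So after the lo
# rules, anything else carrying a 127/8 address is explicitly denied.
ipchains -A input -i lo -p TCP -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A input -i lo -p UDP -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# ICMP on lo (ping localhost) has to be listed explicitly, otherwise the
# anti-spoof DENY just below would swallow it
ipchains -A input -i lo -p ICMP -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# anti-spoof: legitimate lo traffic was accepted above, so any 127/8 source
# or destination still being evaluated came in on a real interface.
# DENY rather than REJECT - never answer a forged address - and log it.
ipchains -A input -s 127.0.0.0/8 -l -j DENY
ipchains -A input -d 127.0.0.0/8 -l -j DENY

# need to allow ident lookups to IRC servers, but log to see who's using it
ipchains -A input -p TCP -d any/0 auth -l -j ACCEPT

# I run my own DNS, so I also need to allow DNS communication all around.
# queries to our server:
ipchains -A input -p UDP -d any/0 domain -j ACCEPT
# replies to our own queries.  Stateless, so this trusts the source port:
# anyone sending from port 53 reaches any high UDP port here without being
# logged (the final rule would accept it anyway, but that one logs).
ipchains -A input -p UDP -s any/0 domain -d any/0 1024:65535 -j ACCEPT
# NOTE(review): only UDP 53 is opened; DNS over TCP (zone transfers,
# answers larger than 512 bytes) is rejected by the SYN rule below.  Add a
# "-p TCP -d any/0 domain" ACCEPT here if that is needed.

# everybody else can't connect - log all attempts
# (-y matches SYN-without-ACK only, i.e. new inbound connection attempts)
ipchains -A input -p TCP -d any/0 -y -l -j REJECT

# block all UDP except leave higher ports for traceroutes - log in any case
ipchains -A input -p UDP -d any/0 0:1023 -l -j REJECT
# NOTE(review): this accepts every UDP port above 1023 from everywhere, so
# any UDP service bound up there is exposed.  traceroute probes use
# 33434:33523; consider narrowing to that range if nothing else needs it.
ipchains -A input -p UDP -d any/0 1024:65535 -l -j ACCEPT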