#
# note: eth0 is external, eth1 is internal
#
# IMPORTANT NOTE: 'any' = any remote destination
#                 use 'local' for any local destination
#
#
# From          To              Service                         Dir     Log     Action          Options

# account all incoming traffic per incoming interface
any@eth0        any             any                             >       no      account
any@eth0        any             any                             <       no      account
any@eth1        any             any                             >       no      account
any@eth1        any             any                             <       no      account
any@eth0        local           any                             >       no      account
any@eth0        local           any                             <       no      account
any@eth1        local           any                             >       no      account
any@eth1        local           any                             <       no      account

# Accept everything on eth1 to the internet + backconnections
any@eth1        any@eth0        any                             <>      no      accept

# Reject idents from the internet
any@eth0        local@eth0      tcp:*:113                       >       no      reject

# Allow icmp ping from the fw to the world
local           any             icmp:ping                       >       no      accept
local           any             icmp:pong                       <       no      accept

# allow ntp traffic from the fw to the world
local           any@eth0        tcp:*:123                       <>      no      accept

# allow dns queries from the fw to the world
local           any@eth0        udp:*:53,tcp:*:53               <>      no      accept

# allow ftp & http traffic from the fw to the world
local           any@eth0        tcp:*:80,tcp:*:21               <>      no      accept
# also allow ftp-data to get back in
any@eth0        local           tcp-rel:20:*                    <>      no      accept
# and then allow data connections for passive ftp
local           any@eth0        tcp-rel:1024-:1024-             <>      no      accept

# allow smtp from the fw to the world
local           any@eth0        tcp:*:25                        <>      no      accept

# allow internal dns queries to the fw
any@eth1        local           udp:*:53,tcp:*:53               <>      no      accept

# allow internal ftp/http queries to the proxy
any@eth1        local           tcp:*:80,tcp:*:8080,tcp:*:3128  <>      no      accept

# allow internal smtp traffic to the proxy
any@eth1        local           tcp:*:25                        <>      no      accept

# allow internal ssh traffic to the proxy
any@eth1        local           tcp:*:22                        <>      no      accept

# Don't forward unknown connections coming in on eth0
any@eth0        any             any                             >       yes     drop

# Do not accept connections from the outside world to the fw
any@eth0        local           any                             >       no      drop

# Do not accept connections from the inside directly to the fw
any@eth1        local           any                             >       no      drop

# Do not accept connections from the fw to the outside world
local           any@eth0        any                             >       no      drop

# allow connections on the loopback interface
any             127.0.0.1@lo    any                             <>      no      accept

# all other stuff should still be logged
any             any             any                             >       yes     log

# We masquerade all forwarded traffic that goes out eth0
any             any@eth0        any                             >       no      masquerade
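The following is an added example, not part of the rule file above nor a tool that ships with its format: a small parser for the From/To/Service/Dir/Log/Action table, plus an audit that reports the two things a reviewer checks first in such a table, namely drop/reject rules that do not log and accept rules whose Service is `any`. It assumes the columns are whitespace-separated, that `#` starts a comment, that an endpoint is `host[@iface]`, and that a service is `any` or a comma list of `proto:sport:dport` / `proto:type` entries; the rule set embedded below is the page's own table with its comments stripped so the module runs offline.

```python
"""Parser and audit for the From/To/Service/Dir/Log/Action rule table above.
Added example for this page; the column and service syntax it assumes is
described in the lead-in and inferred from the table, not from a format spec."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The page's own rule set, copied inline without comments so this runs offline.
RULE_TABLE = """\
any@eth0  any            any                              >   no   account
any@eth0  any            any                              <   no   account
any@eth1  any            any                              >   no   account
any@eth1  any            any                              <   no   account
any@eth0  local          any                              >   no   account
any@eth0  local          any                              <   no   account
any@eth1  local          any                              >   no   account
any@eth1  local          any                              <   no   account
any@eth1  any@eth0       any                              <>  no   accept
any@eth0  local@eth0     tcp:*:113                        >   no   reject
local     any            icmp:ping                        >   no   accept
local     any            icmp:pong                        <   no   accept
local     any@eth0       tcp:*:123                        <>  no   accept
local     any@eth0       udp:*:53,tcp:*:53                <>  no   accept
local     any@eth0       tcp:*:80,tcp:*:21                <>  no   accept
any@eth0  local          tcp-rel:20:*                     <>  no   accept
local     any@eth0       tcp-rel:1024-:1024-              <>  no   accept
local     any@eth0       tcp:*:25                         <>  no   accept
any@eth1  local          udp:*:53,tcp:*:53                <>  no   accept
any@eth1  local          tcp:*:80,tcp:*:8080,tcp:*:3128   <>  no   accept
any@eth1  local          tcp:*:25                         <>  no   accept
any@eth1  local          tcp:*:22                         <>  no   accept
any@eth0  any            any                              >   yes  drop
any@eth0  local          any                              >   no   drop
any@eth1  local          any                              >   no   drop
local     any@eth0       any                              >   no   drop
any       127.0.0.1@lo   any                              <>  no   accept
any       any            any                              >   yes  log
any       any@eth0       any                              >   no   masquerade
"""

ACTIONS = {"accept", "reject", "drop", "log", "account", "masquerade"}
DIRECTIONS = {">", "<", "<>"}


@dataclass
class Rule:
    lineno: int
    src: Tuple[str, Optional[str]]     # (host, interface or None = any interface)
    dst: Tuple[str, Optional[str]]
    services: List[Tuple[str, ...]]    # [('any',)] or [('tcp', '*', '113'), ...]
    direction: str
    log: bool
    action: str
    options: List[str] = field(default_factory=list)


def parse_endpoint(text: str) -> Tuple[str, Optional[str]]:
    """'any@eth0' -> ('any', 'eth0'); 'local' -> ('local', None)."""
    host, _, iface = text.partition("@")
    return host, iface or None


def parse_service(text: str) -> List[Tuple[str, ...]]:
    """'udp:*:53,tcp:*:53' -> [('udp', '*', '53'), ('tcp', '*', '53')]."""
    if text == "any":
        return [("any",)]
    services = []
    for item in text.split(","):
        parts = tuple(item.split(":"))
        if len(parts) not in (2, 3):   # proto:type (icmp) or proto:sport:dport
            raise ValueError(f"bad service spec {item!r}")
        services.append(parts)
    return services


def parse_rules(text: str) -> List[Rule]:
    """Parse the table; comments and blank lines are skipped, bad rows raise."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 6:
            raise ValueError(f"line {lineno}: expected 6 columns, got {len(cols)}")
        src, dst, svc, direction, log, action = cols[:6]
        if direction not in DIRECTIONS or log not in ("yes", "no") or action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown Dir/Log/Action in {line!r}")
        rules.append(Rule(lineno, parse_endpoint(src), parse_endpoint(dst),
                          parse_service(svc), direction, log == "yes", action, cols[6:]))
    return rules


def audit(rules: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Return (deny rules that do not log, accept rules that match every service)."""
    unlogged_denies = [r for r in rules if r.action in ("drop", "reject") and not r.log]
    catch_all_accepts = [r for r in rules if r.action == "accept" and r.services == [("any",)]]
    return unlogged_denies, catch_all_accepts
```

Run against the page's table, `audit` reports the ident reject and the three drop rules that have Log set to `no` (connections refused at the firewall itself leave no trace, only forwarded traffic from eth0 is logged), and the two accepts that pass every service (internal-to-internet and loopback). Whether those are acceptable is a policy decision; the point of the check is that the decision is made explicitly rather than by omission.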