These are the rules that I am using. You should review them and make any changes to suit your own network layout.
Reject inbound with these source addresses
These three rules reject any inbound packets whose source address falls in the RFC 1918 private ranges, which should never arrive from the Internet. They are applied to the PP (WAN) interface in the inbound direction.
ip filter 1000 reject 10.0.0.0/8 * * * *
ip filter 1001 reject 172.16.0.0/12 * * * *
ip filter 1002 reject 192.168.0.0/16 * * * *
Reject outbound with these destination addresses
ip filter 1010 reject * 10.0.0.0/8 * * *
ip filter 1011 reject * 172.16.0.0/12 * * *
ip filter 1012 reject * 192.168.0.0/16 * * *
Block telnet and ssh from outside
These two rules are likewise applied to the PP interface in the inbound direction, so the router's own telnet and ssh services are not reachable from the WAN side.
ip filter 1013 reject * * tcp * telnet
ip filter 1014 reject * * tcp * 22
These are some standard Windows networking ports (RPC endpoint mapper, NetBIOS and SMB) that are well known to create network security issues. There are probably more. These rules should be applied to the PP interface in the inbound direction. They can also be applied to the same interface in the outbound direction, so that internal hosts do not leak this traffic to the Internet.
ip filter 1020 reject * * udp,tcp 135 *
ip filter 1021 reject * * udp,tcp * 135
ip filter 1022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1024 reject * * udp,tcp 445 *
ip filter 1025 reject * * udp,tcp * 445
I am at this time only using rules 3000 and 3001. 3000 allows ping and traceroute, while 3001 allows any inbound traffic that is created as part of an initial outbound packet.
# IPsec: AH/ESP payloads and IKE (UDP 500) in either direction; defined but not applied below
ip filter 1030 pass * * ah,esp
ip filter 1031 pass * * udp 500 *
ip filter 1032 pass * * udp * 500
# ICMP towards the LAN (ping and traceroute); the filter syntax is src dst proto sport dport,
# so the destination field is given explicitly
ip filter 3000 pass * 192.168.0.0/16 icmp * *
# TCP segments belonging to a session that was opened from inside
ip filter 3001 pass * * established
ip filter 4000 reject * * * * *
ip filter 5000 pass * * * * *
These dynamic filters are applied to the PP interface in the out direction. They track sessions initiated from within the router's network and allow the corresponding reply packets to come back in.
ip filter dynamic 100 * * ftp
ip filter dynamic 101 * * www
ip filter dynamic 102 * * domain
ip filter dynamic 103 * * smtp
ip filter dynamic 104 * * pop3
ip filter dynamic 105 * * tcp
ip filter dynamic 106 * * udp
Apply the inbound and outbound filters to pp
pp select 1
# Apply inbound filters for pp
ip pp secure filter in 1000 1001 1002 1013 1014 1020 1021 1022 1023 1024 1025 3000 3001
# Apply outbound filters for pp
ip pp secure filter out 1010 1011 1012 1020 1021 1022 1023 1024 1025 5000 dynamic 100 101 102 103 104 105 106
Port forwarding to internal hosts
nat descriptor masquerade static 1000 1 192.168.xx.xx tcp 32400
nat descriptor masquerade static 1000 2 192.168.xx.xx tcp 80,443