Subject: Re: IPF Configuration
To: Richard Ibbotson <richard@sheflug.co.uk>
From: Rasputin <rasputin@idoru.mine.nu>
List: netbsd-help
Date: 10/22/2003 21:06:57
* Richard Ibbotson <richard@sheflug.co.uk> [1033 14:33]:
 
> The rules that you can see below are the rough hack that I've been 
> able to put together so far. I don't think it does what I want it to 
> do but some of it works probably.  I've got a dialup ISDN line to my 
> ISP which downloads e-mail and web pages as well as ftp (yes, I know 
> it stinks as a protocol) sometimes.  So, I need to send and receive 
> e-mail, web pages, and do some ftp with a bit of SSH sometimes for 
> remote servers that I run.  I need a paranoid approach to this. Past 
> attempts at being liberal resulted in hacked firewalls.   
 
It might be an idea to block everything by default: you seem to be
only blocking things here. 

So why not set a default block? 

a) it makes your rules much simpler
b) it 'fails safe' : i.e. if you are forgetful the bad guys stay out
c) anything you allow (see ssh below) is easy to spot, so you
can remember to secure it

[ strictly speaking you can lose the first line if you set a
default block when you build your kernels, but I found that I would
lock myself out when I mistyped something that way... ]

Due to the good mojo of 'keep state', you should only need to
specify servers explicitly. See the FAQ again for more detail.

> Can anyone help to improve the rules below?  As I say, it's work in 
> progress which needs to improve.  

Will this do?

<snip 80-odd lines>

-----------------------------------

# assumes that ippp0 is frontend (the ISDN dialup interface)

# POLICY: drop and log anything inbound that no later rule passes
block in log all

# lo0: LOOPBACK POLICY completely open
pass in quick on lo0 all
pass out quick on lo0 all

# state rules - outbound tcp/udp keeps state so the replies get back in;
# last one is ping (echo request, type 8) with state for the echo reply
pass out on ippp0 proto tcp/udp from any to any keep state
pass out on ippp0 proto icmp from any to any
pass out on ippp0 proto icmp from any to any icmp-type 8 keep state

# servers - each inbound 'pass' here is an exception to the block above

# ssh - new connections only (SYN), tracked with state, fragments tracked too
pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags

-----------------------------------

-- 
We can predict everything, except the future.
Rasputin :: Jack of All Trades - Master of Nuns
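To make the reply's reasoning concrete, here is an added example (not code from the post, and not IPFilter itself): a toy evaluator in Python for the small subset of ipf(5) rule syntax used in the ruleset above. It assumes packets are hand-built dicts with ports given as service names or numbers, and shows the two properties the reply relies on: the last matching rule wins unless a rule says quick, and keep state lets replies back in with no explicit pass in rule.

```python
# Added example, not code from the post: toy evaluator for the ipf(5) subset used above.
RULES = """
block in log all
pass in quick on lo0 all
pass out quick on lo0 all
pass out on ippp0 proto tcp/udp from any to any keep state
pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags
""".strip().splitlines()

def parse(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "state": "state" in t,
         "iface": None, "proto": None, "port": None, "flags": None}
    if "on" in t:    r["iface"] = t[t.index("on") + 1]
    if "proto" in t: r["proto"] = t[t.index("proto") + 1].split("/")   # "tcp/udp"
    if "port" in t:  r["port"] = t[t.index("port") + 2]                # "port = ssh"
    if "flags" in t: r["flags"] = t[t.index("flags") + 1]
    return r

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and r["port"] in (None, p["dport"]) and r["flags"] in (None, p["flags"]))

def filter_packet(rules, state, p):
    key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])  # flows opened by 'keep state'
    rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
    if key in state or rev in state:        # the state table is consulted before any rule
        return "pass (state)"
    verdict = None
    for r in rules:                         # last matching rule wins...
        if matches(r, p):
            verdict = r
            if r["quick"]:                  # ...unless it says "quick"
                break
    if verdict is None:
        return "pass"   # stock ipf passes unmatched packets, hence the "block in log all"
    if verdict["action"] == "pass" and verdict["state"]:
        state.add(key)
    return verdict["action"]

def demo():
    rules, state = [parse(l) for l in RULES], set()
    pkt = lambda **kw: {"iface": "ippp0", "proto": "tcp", "flags": "S", **kw}  # constructed packets
    out = filter_packet(rules, state, pkt(dir="out", src="10.0.0.2", sport=40000, dst="192.0.2.25", dport="smtp"))
    reply = filter_packet(rules, state, pkt(dir="in", src="192.0.2.25", sport="smtp", dst="10.0.0.2", dport=40000, flags="SA"))
    ssh = filter_packet(rules, state, pkt(dir="in", src="198.51.100.7", sport=51000, dst="10.0.0.2", dport="ssh"))
    web = filter_packet(rules, state, pkt(dir="in", src="198.51.100.7", sport=51001, dst="10.0.0.2", dport="http"))
    return out, reply, ssh, web   # ('pass', 'pass (state)', 'pass', 'block')
```

The outbound SMTP connection passes and creates state, its SYN/ACK reply is admitted from the state table, the inbound SSH SYN passes because the ssh rule is the last match, and the inbound HTTP SYN is caught by nothing but the default block.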