-A ufw-after-input -p udp --dport 68 -j RETURN
# catchall for logging
--A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
--A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
+-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err
+-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# connection tracking rules
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets
# uncomment to log INVALID packets
-#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
+-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+
# connection tracking for outbound
-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
# all other non-local packets are dropped
-A ufw-not-local -j DROP
--- /dev/null
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in raw table.
+# These are mainly used to filter evil or wrong packets.
+
+
+*raw
+:LOG_ICMP - [0:0]
+:LOG_SPOOF - [0:0]
+
+## LOG and DROP fragmented packets (not head fragments)
+-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A PREROUTING --fragment -j DROP
+
+## LOG and DROP strange icmp packets
+-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_ICMP -j DROP
+# Too large icmp requests
+-A PREROUTING -p icmp --icmp-type echo-request -m length --length 85: -j LOG_ICMP
+# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
+-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
+-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
+
+## LOG and DROP IP spoofing (eth1:WAN)
+-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_SPOOF -j DROP
+-A PREROUTING -i eth1 -s 127.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
+
+COMMIT