# $FreeBSD$
#
# block all incoming TCP packets on le0 from host "foo" to any destination.
#
# Only TCP is affected ("proto tcp"); other protocols from foo are not touched
# by this rule. "/32" limits the match to the single address of foo.
# NOTE(review): "foo" is a name, not an address; confirm how it is resolved
# when the rules are loaded.
#
block in on le0 proto tcp from foo/32 to any

------------------------------------------------------------------------
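#
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
# The rule matches exactly port 23 ("port = 23") so that it enforces the
# policy stated above. The earlier form of this rule used "port != 23",
# which blocked every outbound TCP port on bar EXCEPT 23 and so left the
# one port the comment wants closed open.
#
block out on le0 proto tcp from any to bar/32 port = 23
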
------------------------------------------------------------------------
#
# block all inbound packets.
#
# Default-deny for inbound traffic on every interface (no "on" clause). The
# pass rules that follow are the exceptions: none of them is "quick", so the
# last rule that matches a packet decides its fate, and a later pass wins
# over this block for the packets it matches.
#
block in from any to any
#
# pass through packets to and from localhost.
#
# Not limited to an interface; only traffic with both ends at 127.0.0.1.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
# No "proto" clause, so every IP protocol from these sources is admitted.
# A bare address and an address with "/32" mean the same thing: one host.
# NOTE(review): these rules trust the source address alone; a packet with a
# forged source from outside would also match unless the rule is tied to the
# expected interface with "on" or spoofed sources are dropped elsewhere.
#
pass in from 10.1.3.1 to any
pass in from 10.1.3.2 to any
pass in from 10.1.3.3 to any
pass in from 10.1.3.4 to any
pass in from 10.1.3.5 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
# Default-deny for outbound traffic; the pass out rules below are the
# exceptions, mirroring the inbound half above.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
# The same host list as the inbound allow-list above, used as destinations.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

------------------------------------------------------------------------
#
# block all ICMP packets.
#
# Applies on every interface (no "on" clause) and to every ICMP type.
# NOTE(review): this also drops ICMP error messages such as unreachables;
# if only certain types should be blocked, narrow the rule with "icmp-type"
# as the later examples do.
#
block in proto icmp from any to any

------------------------------------------------------------------------
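#
# test ruleset
#
# allow packets coming from foo to bar through.
#
# No direction ("in"/"out"), interface or protocol is given, so this matches
# foo->bar traffic of every protocol in whichever direction it is seen.
#
pass from foo to bar
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
# NOTE(review): the source is written as fubar/24, i.e. the /24 that contains
# host "fubar", not "foo" as the comment says; confirm which host is meant.
#
pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
# "port != 53" follows "from", so it is a condition on the SOURCE port.
# There is no "in" keyword on the rule itself, so it matches both directions.
#
pass proto udp from fubar port != 53 to localhost
#
# block all ICMP unreachables.
#
# Written as "proto icmp ... icmp-type unreach", the same form the logging
# example later in this file uses; the earlier spelling "icmp unreach" did
# not use the icmp-type keyword and so did not select a type the same way.
#
block proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
pass from any to any with ipopts
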
------------------------------------------------------------------------
#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection).
#
# "flags S/SA": of the SYN and ACK bits, SYN must be set and ACK clear.
# There is no "on" clause, so this stops new inbound TCP connections on
# every interface; packets of established connections (ACK set) do not
# match and are left to the other rules.
#
block in proto tcp from any to any flags S/SA

------------------------------------------------------------------------
#
# log all inbound packet on le0 which has IP options present
#
# "log" on its own only records the packet; it neither passes nor blocks it.
# Whether the packet gets through is decided by the other rules.
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
# "quick" makes this decision final: no later rule can override it.
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
# "port = 2049" follows "to", so it is a condition on the DESTINATION port.
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
# "quick" means none of the rules below, including the block rules, apply
# to traffic involving these two hosts. No interface or protocol limit.
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
# Not "quick", so the block rules that follow still win for the traffic
# they match (last match decides): this is a default-allow that the rules
# below carve exceptions out of.
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
# Only new connection attempts (SYN set, ACK clear) are stopped; packets of
# established connections do not match.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
#
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
# NOTE(review): there is no "log" keyword on this rule; "to qe3:packetlog"
# hands the packet to interface qe3 addressed to packetlog. Confirm that is
# the intended way of delivering it to the logging host.
#
block in to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
# "dup-to" sends a copy of each matching packet to packetlog via le0; the
# original is still passed as usual.
#
pass in dup-to le0:packetlog proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in fastroute proto udp all
#
# Route all ICMP packets out through le1, to "router"
#
# NOTE(review): the original comment limited this to "network 10", but the
# rule has no destination restriction ("all"): every inbound ICMP packet is
# sent to router via le1. Add a destination (e.g. "to 10.0.0.0/8") if the
# narrower behaviour is what is wanted.
#
pass in to le1:router proto icmp all

------------------------------------------------------------------------