1130b656e5
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
59 lines
1.3 KiB
Plaintext
#
# $FreeBSD$
#
# An example of packet filter definition.
#
#
filterd:
#
# Don't keep alive with ICMP, DNS and RIP packets
#
 set afilter 0 deny icmp
 set afilter 1 deny udp src eq 53
 set afilter 2 deny udp dst eq 53
 set afilter 3 deny udp src eq 520
 set afilter 4 deny udp dst eq 520
 set afilter 5 permit 0/0 0/0
#
# Don't dial with ICMP packets
#
 set dfilter 0 deny icmp
 set dfilter 1 permit 0/0 0/0
#
# Allow ident packets to pass through
#
 set ifilter 0 permit tcp dst eq 113
 set ofilter 0 permit tcp src eq 113
#
# Allow telnet connection to the Internet
#
 set ifilter 1 permit tcp src eq 23 estab
 set ofilter 1 permit tcp dst eq 23
#
# Allow ftp access to the Internet
#
 set ifilter 2 permit tcp src eq 21 estab
 set ofilter 2 permit tcp dst eq 21
 set ifilter 3 permit tcp src eq 20 dst gt 1023
 set ofilter 3 permit tcp dst eq 20
#
# Allow access to DNS
#
 set ifilter 4 permit udp src eq 53
 set ofilter 4 permit udp dst eq 53
#
# Allow access from/to my company network
#
 set ifilter 5 permit 192.244.191.0/24 0/0
 set ofilter 5 permit 0/0 192.244.191.0/24
#
# Allow ping and traceroute response
#
 set ifilter 6 permit icmp
 set ofilter 6 permit icmp
 set ifilter 7 permit udp dst gt 33433
 set ofilter 7 permit udp dst gt 33433
#
# If none of the above rules match, the packet is blocked.
#
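An added example, not part of the sample file or of ppp itself: a small Python model of how the inbound (ifilter) rules above are evaluated in rule-number order, with the first match deciding and unmatched packets blocked, so a rule set can be checked against test packets before it is deployed. The function names, the packet dictionary layout and the treatment of `estab` as "ACK flag set" are assumptions made for this illustration.

```python
import ipaddress
# Inbound rules copied from the sample above (old "set ifilter" syntax).
IFILTER = """\
set ifilter 0 permit tcp dst eq 113
set ifilter 1 permit tcp src eq 23 estab
set ifilter 2 permit tcp src eq 21 estab
set ifilter 3 permit tcp src eq 20 dst gt 1023
set ifilter 4 permit udp src eq 53
set ifilter 5 permit 192.244.191.0/24 0/0
set ifilter 6 permit icmp
set ifilter 7 permit udp dst gt 33433
"""
CMP = {"lt": lambda a, b: a < b, "eq": lambda a, b: a == b, "gt": lambda a, b: a > b}
PROTOS = {"tcp", "udp", "icmp"}

def parse(text):  # 'set ifilter N action ...' lines -> rule dicts ordered by N
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 4 or tok[0] != "set":
            continue
        rule = {"n": int(tok[2]), "action": tok[3], "nets": [], "proto": None,
                "ports": [], "estab": False}
        rest = tok[4:]
        while rest and rest[0] not in PROTOS:      # optional src/dst networks
            addr = rest.pop(0)
            rule["nets"].append(ipaddress.ip_network("0.0.0.0/0" if addr == "0/0" else addr))
        if rest:
            rule["proto"] = rest.pop(0)
        while rest:                                # "src|dst cmp port" triples, "estab"
            if rest[0] == "estab":
                rule["estab"], rest = True, rest[1:]
            else:
                rule["ports"].append((rest[0], rest[1], int(rest[2])))
                rest = rest[3:]
        rules.append(rule)
    return sorted(rules, key=lambda r: r["n"])

def verdict(rules, pkt):  # (action, rule_no) of first match, else ("deny", None)
    for r in rules:
        if any(ipaddress.ip_address(a) not in n for a, n in zip((pkt["src"], pkt["dst"]), r["nets"])):
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if any(not CMP[op](pkt.get(side + "_port", -1), v) for side, op, v in r["ports"]):
            continue
        if r["estab"] and not pkt.get("ack"):      # assumption: estab == ACK flag set
            continue
        return r["action"], r["n"]
    return "deny", None                            # sample's last comment: unmatched is blocked
```

A packet is passed as a dict with `proto`, `src`, `dst` and, for TCP/UDP, `src_port`, `dst_port` and an optional `ack` flag.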