# # block all incoming TCP packets on le0 from host "foo" to any destination. # block in on le0 proto tcp from foo/32 to any ------------------------------------------------------------------------ # # block all outgoing TCP packets on le0 from any host to port 23 of host bar. # block out on le0 proto tcp from any to bar/32 port != 23 ------------------------------------------------------------------------ # # block all inbound packets. # block in from any to any # # pass through packets to and from localhost. # pass in from 127.0.0.1/32 to 127.0.0.1/32 # # allow a variety of individual hosts to send any type of IP packet to any # other host. # pass in from 10.1.3.1 to any pass in from 10.1.3.2 to any pass in from 10.1.3.3 to any pass in from 10.1.3.4 to any pass in from 10.1.3.5 to any pass in from 10.1.0.13/32 to any pass in from 10.1.1.1/32 to any pass in from 10.1.2.1/32 to any # # # block all outbound packets. # block out from any to any # # allow any packets destined for localhost out. # pass out from any to 127.0.0.1/32 # # allow any host to send any IP packet out to a limited number of hosts. # pass out from any to 10.1.3.1/32 pass out from any to 10.1.3.2/32 pass out from any to 10.1.3.3/32 pass out from any to 10.1.3.4/32 pass out from any to 10.1.3.5/32 pass out from any to 10.1.0.13/32 pass out from any to 10.1.1.1/32 pass out from any to 10.1.2.1/32 ------------------------------------------------------------------------ # # block all ICMP packets. # block in proto icmp from any to any ------------------------------------------------------------------------ # # test ruleset # # allow packets coming from foo to bar through. # pass from foo to bar # # allow any TCP packets from the same subnet as foo is on through to host # 10.1.1.2 if they are destined for port 6667. # pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667 # # allow in UDP packets which are NOT from port 53 and are destined for # localhost # pass proto udp from fubar port != 53 to localhost # # block all ICMP unreachables. # block from any to any icmp unreach # # allow packets through which have a non-standard IP header length (ie there # are IP options such as source-routing present). # pass from any to any with ipopts ------------------------------------------------------------------------ # # block all TCP packets with only the SYN flag set (this is the first # packet sent to establish a connection). # block in proto tcp from any to any flags S/SA ------------------------------------------------------------------------ # # log all inbound packet on le0 which has IP options present # log in on le0 from any to any with ipopts # # block any inbound packets on le0 which are fragmented and "too short" to # do any meaningful comparison on. This actually only applies to TCP # packets which can be missing the flags/ports (depending on which part # of the fragment you see). # block in log quick on le0 from any to any with short frag # # log all inbound TCP packets with the SYN flag (only) set # (NOTE: if it were an inbound TCP packet with the SYN flag set and it # had IP options present, this rule and the above would cause it # to be logged twice). # log in on le0 proto tcp from any to any flags S/SA # # block and log any inbound ICMP unreachables # block in log on le0 proto icmp from any to any icmp-type unreach # # block and log any inbound UDP packets on le0 which are going to port 2049 # (the NFS port). # block in log on le0 proto udp from any to any port = 2049 # # quickly allow any packets to/from a particular pair of hosts # pass in quick from any to 10.1.3.2/32 pass in quick from any to 10.1.0.13/32 pass in quick from 10.1.3.2/32 to any pass in quick from 10.1.0.13/32 to any # # block (and stop matching) any packet with IP options present. # block in quick on le0 from any to any with ipopts # # allow any packet through # pass in from any to any # # block any inbound UDP packets destined for these subnets. # block in on le0 proto udp from any to 10.1.3.0/24 block in on le0 proto udp from any to 10.1.1.0/24 block in on le0 proto udp from any to 10.1.2.0/24 # # block any inbound TCP packets with only the SYN flag set that are # destined for these subnets. # block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA # # block any inbound ICMP packets destined for these subnets. # block in on le0 proto icmp from any to 10.1.3.0/24 block in on le0 proto icmp from any to 10.1.1.0/24 block in on le0 proto icmp from any to 10.1.2.0/24 # # Log all short TCP packets to qe3, with "packetlog" as the intended # destination for the packet. # block in to qe3:packetlog proto tcp all with short # # Log all connection attempts for TCP # pass in dup-to le0:packetlog proto tcp all flags S/SA # # Route all UDP packets through transparently. # pass in fastroute proto udp all # # Route all ICMP packets to network 10 out through le1, to "router" # pass in to le1:router proto icmp all ------------------------------------------------------------------------ Return to the IP Filter home page