author | guido <guido@FreeBSD.org> | 1999-11-08 20:51:23 +0000 |
---|---|---|
committer | guido <guido@FreeBSD.org> | 1999-11-08 20:51:23 +0000 |
commit | 0539756f3d2277bd1ecc19afb014c074426e2f35 (patch) | |
tree | dbbb879c93cb0348e4c4fd6a3ef24f80198ce5a1 /contrib/ipfilter/rules | |
parent | 9529c38ad8859b9f325867d97f266101f2c4dca3 (diff) | |
download | FreeBSD-src-0539756f3d2277bd1ecc19afb014c074426e2f35.zip FreeBSD-src-0539756f3d2277bd1ecc19afb014c074426e2f35.tar.gz |
Import of ipfilter 3.3.3 in anticipation of its revival.
More to come over the next few days.
Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r-- | contrib/ipfilter/rules/BASIC.NAT | 2 | ||||
-rw-r--r-- | contrib/ipfilter/rules/BASIC_1.FW | 2 | ||||
-rw-r--r-- | contrib/ipfilter/rules/BASIC_2.FW | 4 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.1 | 4 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.11 | 4 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.13 | 12 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.2 | 5 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.5 | 10 | ||||
-rw-r--r-- | contrib/ipfilter/rules/firewall | 2 | ||||
-rw-r--r-- | contrib/ipfilter/rules/ftp-proxy | 4 | ||||
-rw-r--r-- | contrib/ipfilter/rules/server | 4 |
11 files changed, 27 insertions, 26 deletions
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
index 31bf1b3..df041d1 100644
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ b/contrib/ipfilter/rules/BASIC.NAT
@@ -1,6 +1,6 @@
 #!/sbin/ipnat -f -
 #
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
 #
 # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
 #
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
index 42d2792..d2bd60a 100644
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -2,7 +2,7 @@
 #
 # SAMPLE: RESTRICTIVE FILTER RULES
 #
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
 #
 # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
 #
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
index b966dfb..46564f0 100644
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -2,7 +2,7 @@
 #
 # SAMPLE: PERMISSIVE FILTER RULES
 #
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
 #
 # ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
 #
@@ -56,7 +56,7 @@ pass out quick on lo0 all
 #
 # Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
 #
-pass in log quick proto tcp all SA flags S/SA keep state group 200
+pass in log quick proto tcp all flags S/SA keep state group 200
 #
 # Support all UDP `connections' initiated from inside.
 #
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
index 604346e..ff93f49 100644
--- a/contrib/ipfilter/rules/example.1
+++ b/contrib/ipfilter/rules/example.1
@@ -1,4 +1,4 @@
 #
-# block all incoming TCP packets on le0 from host "foo" to any destination.
+# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
 #
-block in on le0 proto tcp from foo/32 to any
+block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
index 7fc26eb..c6b4e7f 100644
--- a/contrib/ipfilter/rules/example.11
+++ b/contrib/ipfilter/rules/example.11
@@ -2,12 +2,12 @@
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
-pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
-pass in proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
 #
 # block anything trying to get to X terminal ports, X:0 to X:9
 #
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
index df13d0a..854f07f 100644
--- a/contrib/ipfilter/rules/example.13
+++ b/contrib/ipfilter/rules/example.13
@@ -1,17 +1,17 @@
 #
-# Log all short TCP packets to qe3, with "packetlog" as the intended
+# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
 # destination for the packet.
 #
-block in to qe3:packetlog proto tcp all with short
+block in on qe0 to qe3:10.3.3.3 proto tcp all with short
 #
 # Log all connection attempts for TCP
 #
-pass in dup-to le0:packetlog proto tcp all flags S/SA
+pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
 #
 # Route all UDP packets through transparently.
 #
-pass in fastroute proto udp all
+pass in on ppp0 fastroute proto udp all
 #
-# Route all ICMP packets to network 10 out through le1, to "router"
+# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
 #
-pass in to le1:router proto icmp all
+pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
index 8d8fe57..4f81725 100644
--- a/contrib/ipfilter/rules/example.2
+++ b/contrib/ipfilter/rules/example.2
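Review bot: The context comment above the new `pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667` line still describes the source as "the same subnet as foo is on", but the rule no longer mentions foo, so a reader cannot connect 10.2.2.2/24 to the prose. Suggest rewording the comment to name the address, e.g. `# allow any TCP packets from the 10.2.2.0/24 subnet through to host`. Writing the source as `10.2.2.0/24` rather than `10.2.2.2/24` would also make the network intent explicit; ipf presumably applies the mask either way, but a host address with a /24 reads like a typo in an example people copy. The same stale "foo"/"bar" wording remains in the example.5 hunk, where the first rule is now `pass in from 10.1.1.2 to 10.2.1.1` under a comment that still says "from foo to bar".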
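Review bot: The final rule `pass in on le0 to le1:10.3.3.1 proto icmp all` still matches every ICMP packet, while the comment two lines above says "Route all ICMP packets to network 10"; the added interface qualifier narrows where the packet arrives, not where it is going, so all ICMP entering on le0 is policy-routed to 10.3.3.1. Either the comment should drop "to network 10" or the rule should carry the destination, e.g. `pass in on le0 to le1:10.3.3.1 proto icmp from any to 10.0.0.0/8`. The mismatch predates this commit, but the line was rewritten here without resolving it.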
@@ -1,4 +1,5 @@
 #
-# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
+# block all outgoing TCP packets on le0 from any host to port 23 of
+# host 10.1.1.2
 #
-block out on le0 proto tcp from any to bar/32 port = 23
+block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
index 6e122e0..6d688b5 100644
--- a/contrib/ipfilter/rules/example.5
+++ b/contrib/ipfilter/rules/example.5
@@ -3,23 +3,23 @@
 #
 # allow packets coming from foo to bar through.
 #
-pass from foo to bar
+pass in from 10.1.1.2 to 10.2.1.1
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
-pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
-pass proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
 #
 # block all ICMP unreachables.
 #
-block from any to any icmp unreach
+block in proto icmp from any to any icmp-type unreach
 #
 # allow packets through which have a non-standard IP header length (ie there
 # are IP options such as source-routing present).
 #
-pass from any to any with ipopts
+pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
index af9cf98..681a81d 100644
--- a/contrib/ipfilter/rules/firewall
+++ b/contrib/ipfilter/rules/firewall
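Review bot: The rewritten comment says the rule blocks port 23 "of host 10.1.1.2", but the rule added directly beneath it is `block out on le0 proto tcp from any to 10.1.1.3/32 port = 23`, so the comment and the rule disagree about which host is being protected. One of the two should change; the smaller edit is `# host 10.1.1.3` on the new comment line. In an example file this is more than cosmetic, since readers copy the rule and rely on the comment to tell them what it does.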
@@ -33,7 +33,7 @@ where * "int-net" is the internal network IP# subnet address range. This might be something like 10.1.0.0/16, or 128.33.1.0/24
-* "ext-service" is the service to which you which to connect or if it doesn't
+* "ext-service" is the service to which you wish to connect or if it doesn't
 have a proper name, a number can be used. The translation of "ext-service" as a name to a number is controlled with the /etc/services file.
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
index a13ef1c..cafeeb6 100644
--- a/contrib/ipfilter/rules/ftp-proxy
+++ b/contrib/ipfilter/rules/ftp-proxy
@@ -20,7 +20,7 @@ Lets assume your network diagram looks something like this: and IP Filter is running on host B. If you want to proxy FTP from A to C then you would do:
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
 int-c = name of "interface c" ipaddr-a = ip# of interface a
@@ -31,7 +31,7 @@ e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0 which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was 203.45.67.90, you would do:
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
 where: ipaddr-a = 10.1.1.1
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
index 5eafc7c..f2fb204 100644
--- a/contrib/ipfilter/rules/server
+++ b/contrib/ipfilter/rules/server
@@ -6,6 +6,6 @@
 #
 # or
 # pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.1.0/24 to any
+block in log quick on le0 from any to any
+block in log quick on le1 from 128.1.1.0/24 to any
 pass in quick on le1 from any to any