authordarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
committerdarrenr <darrenr@FreeBSD.org>2005-04-25 17:31:50 +0000
commit1c27d898b4c751a3eaf3754898bbfefa174dec6a (patch)
tree230d1d527f6b251fd46e2108f5e341c63e59cb39 /contrib/ipfilter/rules
parent4a018e38da65e3b750e7541d80879f2b98b3ea95 (diff)
parentd438802dcb3e270d6fcc65f075c808c64853a7c2 (diff)
This commit was generated by cvs2svn to compensate for changes in r145510,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r--contrib/ipfilter/rules/.cvsignore1
-rw-r--r--contrib/ipfilter/rules/example.11
-rw-r--r--contrib/ipfilter/rules/example.101
-rw-r--r--contrib/ipfilter/rules/example.111
-rw-r--r--contrib/ipfilter/rules/example.121
-rw-r--r--contrib/ipfilter/rules/example.131
-rw-r--r--contrib/ipfilter/rules/example.21
-rw-r--r--contrib/ipfilter/rules/example.31
-rw-r--r--contrib/ipfilter/rules/example.41
-rw-r--r--contrib/ipfilter/rules/example.51
-rw-r--r--contrib/ipfilter/rules/example.61
-rw-r--r--contrib/ipfilter/rules/example.71
-rw-r--r--contrib/ipfilter/rules/example.81
-rw-r--r--contrib/ipfilter/rules/example.91
-rw-r--r--contrib/ipfilter/rules/example.sr1
-rw-r--r--contrib/ipfilter/rules/ip_rules3
-rw-r--r--contrib/ipfilter/rules/ipmon.conf24
-rw-r--r--contrib/ipfilter/rules/pool.conf4
18 files changed, 46 insertions, 0 deletions
diff --git a/contrib/ipfilter/rules/.cvsignore b/contrib/ipfilter/rules/.cvsignore
new file mode 100644
index 0000000..3e75765
--- /dev/null
+++ b/contrib/ipfilter/rules/.cvsignore
@@ -0,0 +1 @@
+new
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
index ff93f49..3da9f3c 100644
--- a/contrib/ipfilter/rules/example.1
+++ b/contrib/ipfilter/rules/example.1
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
#
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
index 560d1e6..f7a0b01 100644
--- a/contrib/ipfilter/rules/example.10
+++ b/contrib/ipfilter/rules/example.10
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# pass ack packets (ie established connection)
#
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
index c6b4e7f..1cefa9a 100644
--- a/contrib/ipfilter/rules/example.11
+++ b/contrib/ipfilter/rules/example.11
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
index c0ba1d3..6dbaef5 100644
--- a/contrib/ipfilter/rules/example.12
+++ b/contrib/ipfilter/rules/example.12
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# get rid of all short IP fragments (too small for valid comparison)
#
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
index 854f07f..ca74114 100644
--- a/contrib/ipfilter/rules/example.13
+++ b/contrib/ipfilter/rules/example.13
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
# destination for the packet.
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
index 4f81725..81e7d25 100644
--- a/contrib/ipfilter/rules/example.2
+++ b/contrib/ipfilter/rules/example.2
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all outgoing TCP packets on le0 from any host to port 23 of
# host 10.1.1.2
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
index cd31f73..c5b4344 100644
--- a/contrib/ipfilter/rules/example.3
+++ b/contrib/ipfilter/rules/example.3
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all inbound packets.
#
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
index 7918ec2..f18dcdd 100644
--- a/contrib/ipfilter/rules/example.4
+++ b/contrib/ipfilter/rules/example.4
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all ICMP packets.
#
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
index 6d688b5..959dfb8 100644
--- a/contrib/ipfilter/rules/example.5
+++ b/contrib/ipfilter/rules/example.5
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# test ruleset
#
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
index d40f0f3..e9ce23a 100644
--- a/contrib/ipfilter/rules/example.6
+++ b/contrib/ipfilter/rules/example.6
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection) out of the SYN-ACK pair.
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
index 062de98..0ddd7f7 100644
--- a/contrib/ipfilter/rules/example.7
+++ b/contrib/ipfilter/rules/example.7
@@ -1,3 +1,4 @@
+# $FreeBSD$
# block all ICMP packets.
#
block in proto icmp all
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
index baa0258..2276b52 100644
--- a/contrib/ipfilter/rules/example.8
+++ b/contrib/ipfilter/rules/example.8
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# block all incoming TCP connections but send back a TCP-RST for ones to
# the ident port
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
index daff203..50bb46a 100644
--- a/contrib/ipfilter/rules/example.9
+++ b/contrib/ipfilter/rules/example.9
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# drop all packets without IP security options
#
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
index c4c1994..46fb6f1 100644
--- a/contrib/ipfilter/rules/example.sr
+++ b/contrib/ipfilter/rules/example.sr
@@ -1,3 +1,4 @@
+# $FreeBSD$
#
# log all inbound packet on le0 which has IP options present
#
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
new file mode 100644
index 0000000..9850f16
--- /dev/null
+++ b/contrib/ipfilter/rules/ip_rules
@@ -0,0 +1,3 @@
+# Used to generate ../ip_rules.c and ../ip_rules.h
+pass in all
+pass out all
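Review bot: The header comment says this file generates ../ip_rules.c and ../ip_rules.h, but it does not say that the two rules permit all traffic in both directions. I would add a line such as `# Permit-all placeholder: provides no filtering if built in as the compiled ruleset`. How the generated files are used is not visible in this commit, so this is a documentation point only.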
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
new file mode 100644
index 0000000..47b0146
--- /dev/null
+++ b/contrib/ipfilter/rules/ipmon.conf
@@ -0,0 +1,24 @@
+#
+#
+#
+#
+match { logtag = 10000 }
+ do { execute "/usr/bin/mail -s 'logtag 10000' root" };
+match { logtag = 2000, every 10 seconds }
+ do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
+#
+match { protocol = udp, result = block }
+ do { execute "/usr/bin/mail -s 'blocked udp' root"
+};
+#
+match {
+ srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
+ do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
+};
+#
+match {
+ rule = 12, logtag = 101, direction = in, result = block,
+ protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
+ do { execute "run shell command"
+};
+#
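Review bot: The `protocol = udp, result = block` entry and the two `srcip = 10.1.0.0/16` entries run `execute` with no rate limit, so each matching log record may start a command (here `/usr/bin/mail`). Traffic that any host on the network can send would then decide how many processes and mails this machine produces. The `every 10 seconds` qualifier already used on the `logtag = 2000` entry would bound that, e.g. `match { protocol = udp, result = block, every 10 seconds }`. The last entry's `execute "run shell command"` is a placeholder rather than a runnable command, and `echo` is called without an absolute path while `mail` has one. The four bare `#` lines at the top would be better as a comment saying this is a sample and that the commands run with ipmon's privileges (presumably root; confirm).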
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
new file mode 100644
index 0000000..285398d
--- /dev/null
+++ b/contrib/ipfilter/rules/pool.conf
@@ -0,0 +1,4 @@
+#
+pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
+ 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
+ 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
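Review bot: The range `!10.1.2.0 - 10.2.2.255` on the second line of the pool ends in 10.2.x while every neighbouring entry stays inside 10.1.0.0/16, so it looks like a typo for `10.1.2.255`. As written, the negation covers far more addresses than the surrounding entries suggest. If the overlap is deliberate (the file may be a parser or lookup test), a comment in place of the bare `#` should say so. It should also state which entry wins for an address such as 10.1.2.3, which falls under both a negated and a non-negated range.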