Import ipfilter 3.2.1 (update from 3.1.8)

7 files changed, 374 insertions, 2 deletions

diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
new file mode 100644
index 0000000..31bf1b3
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC.NAT
@@ -0,0 +1,45 @@
+#!/sbin/ipnat -f -
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# If we have only 1 valid IP address from our ISP, then we do this:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
+map ppp0 w.x.y.z/24 -> a.b.c.d/32
+#
+# if we get a different dialup IP address each time, then we would use:
+#
+#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> 0/32
+#
+# If we have a class C address space of valid IP#'s from our ISP, then we can
+# do this:
+#
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24
+#
+# or, if we only have a small number of PC's, this:
+#
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32
+#
+# To make ftp work, using the internal ftp proxy, use:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
+#
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
new file mode 100644
index 0000000..47cb941
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -0,0 +1,99 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: RESTRICTIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block in log proto tcp all flags S/SA head 101 group 100 
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block in log proto tcp all flags S/SA head 201 group 200 
+block in log proto udp all head 202 group 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Allow outgoing DNS requests (no named on firewall)
+#
+pass in quick proto udp from any to any port = 53 keep state group 202
+#
+# If we were running named on the firewall and all internal hosts talked to
+# it, we'd use the following:
+#
+#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
+#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
+#
+# Allow outgoing FTP from any internal host to any external FTP server.
+#
+pass in quick proto tcp from any to any port = ftp keep state group 201
+pass in quick proto tcp from any to any port = ftp-data keep state group 201
+pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
+#
+# Allow NTP from any internal host to any external NTP server.
+#
+pass in quick proto udp from any to any port = ntp keep state group 202
+#
+# Allow outgoing connections: SSH, TELNET, WWW
+#
+pass in quick proto tcp from any to any port = 22 keep state group 201
+pass in quick proto tcp from any to any port = telnet keep state group 201
+pass in quick proto tcp from any to any port = www keep state group 201
+#
+#-------------------------------------------------------
+block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
+#
+# Allow incoming to the external firewall interface: mail, WWW, DNS
+#
+pass in log quick proto tcp from any to any port = smtp keep state group 110
+pass in log quick proto tcp from any to any port = www keep state group 110
+pass in log quick proto tcp from any to any port = 53 keep state group 110
+pass in log quick proto udp from any to any port = 53 keep state group 100
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
new file mode 100644
index 0000000..1614e91
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -0,0 +1,72 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: PERMISSIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Allow any communication between the inside network and the outside only.
+#
+# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
+#
+pass in log quick proto tcp all SA flags S/SA keep state group 200 
+#
+# Support all UDP `connections' initiated from inside.
+#
+# Allow ping out
+#
+pass in log quick proto icmp all keep state group 200
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
index 477c2e0..560d1e6 100644
--- a/contrib/ipfilter/rules/example.10
+++ b/contrib/ipfilter/rules/example.10
@@ -1,8 +1,8 @@
 #
 # pass ack packets (ie established connection)
 #
-pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
-pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
 #
 # block incoming connection requests to my internal network from the big bad
 # internet.
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
new file mode 100644
index 0000000..af9cf98
--- /dev/null
+++ b/contrib/ipfilter/rules/firewall
@@ -0,0 +1,39 @@
+Configuring IP Filter for firewall usage.
+=========================================
+
+Step 1 - Block out "bad" IP packets.
+------------------------------------
+
+Run the perl script "mkfilters".  This will generate a list of blocking
+rules which:
+	a) blocks all packets which might belong to an IP Spoofing attack;
+	b) blocks all packets with IP options;
+	c) blocks all packets which have a length which is too short for
+	   any legal packet;
+
+Step 2 - Convert Network Security Policy to filter rules.
+---------------------------------------------------------
+
+Draw up a list of which services you want to allow users to use on the
+Internet (e.g. WWW, ftp, etc).  Draw up a separate list for what you
+want each host that is part of your firewall to be allowed to do, including
+communication with internal hosts.
+
+Step 3 - Create TCP "keep state" rules.
+---------------------------------------
+
+For each service that uses TCP, create a rule as follows:
+
+pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
+
+where
+* "int-a" is the internal interface of the firewall.  That is, it is the
+  closest to your internal network in terms of network hops.
+
+* "int-net" is the internal network IP# subnet address range.  This might
+   be something like 10.1.0.0/16, or 128.33.1.0/24 
+
+* "ext-service" is the service to which you which to connect or if it doesn't
+  have a proper name, a number can be used.  The translation of "ext-service"
+  as a name to a number is controlled with the /etc/services file.
+
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
new file mode 100644
index 0000000..a13ef1c
--- /dev/null
+++ b/contrib/ipfilter/rules/ftp-proxy
@@ -0,0 +1,40 @@
+How to setup FTP proxying using the built in proxy code.
+========================================================
+
+NOTE: Currently, the built-in FTP proxy is only available for use with NAT
+      (i.e. only if you're already using "map" rules with ipnat).
+
+Lets assume your network diagram looks something like this:
+
+
+[host A]
+   |a
+---+-------------+----------
+                 |b
+             [host B]
+                 |c
+---+-------------+----------
+   |d
+[host C]
+
+and IP Filter is running on host B.  If you want to proxy FTP from A to C
+then you would do:
+
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
+
+int-c = name of "interface c"
+ipaddr-a = ip# of interface a
+ipaddr-c-net = another ip# on the C-network (usually not the same as the
+interface).
+
+e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
+which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
+203.45.67.90, you would do:
+
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
+
+where:
+ipaddr-a = 10.1.1.1
+int-c = vx0
+ipaddr-c-net = 203.45.67.91
+
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
new file mode 100644
index 0000000..b10e8f1
--- /dev/null
+++ b/contrib/ipfilter/rules/nat-setup
@@ -0,0 +1,77 @@
+Configuring NAT on your network.
+================================
+
+To start setting up NAT, we need to define which is your "internal" interface
+and which is your "external" interface.  The "internal" interface is the
+network adapter connected to the network with private IP addresses which
+you need to change for communicating on the Internet.  The "external"
+interface is configured with a valid internet address.
+
+For example, your internal interface might have an IP# of 10.1.1.1 and be
+connected to your ethernet, whilst your external interface might be a PPP
+connection with an IP number of 204.51.62.176.
+
+Thus your network might look like this:
+
+<Internal Network>
+ [pc]      [pc]
+  |         |
++-+---------+------+
+                   |
+               [firewall]
+                   |
+                   |
+               Internet
+<External Network>
+
+
+Writing the map-rule.
+---------------------
+When you're connected to the Internet, you will either have a block of IP
+addresses assigned to you, maybe several different blocks, or you use a
+single IP address, i.e. with dialup PPP.  If you have a block of addresses
+assigned, these can be used to create either a 1:1 mapping (if you have
+only a few internal IP addresses) or N:1 mappings, where groups of internal
+addresses map to a single IP address and unless you have enough Internet
+addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
+UDP port numbers.
+
+For an N:1 situation, you might have:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
+
+where if you had 16 addresses available, you could do:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
+
+Or if you wanted to allocate subnets to each IP#, you might do:
+
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
+
+*** NOTE: NAT rules are used on a first-match basis only!
+
+
+Filtering with NAT.
+-------------------
+IP Filter will always translate addresses in a packet _BEFORE_ it checks its
+access list for inbound packets and translates addresses _AFTER_ it has
+checked the access control lists for outbound packets.
+
+For example (using the above NAT rules), if you wanted to prevent all hosts
+in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
+with ipf:
+
+block out on ppp0 from 10.1.2.0/24 to any
+block in on ppp0 from any to 10.1.2.0/24
+
+and use these with ipnat:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap