authorguido <guido@FreeBSD.org>1999-11-08 20:51:23 +0000
committerguido <guido@FreeBSD.org>1999-11-08 20:51:23 +0000
commit0539756f3d2277bd1ecc19afb014c074426e2f35 (patch)
treedbbb879c93cb0348e4c4fd6a3ef24f80198ce5a1 /contrib/ipfilter/rules
parent9529c38ad8859b9f325867d97f266101f2c4dca3 (diff)
downloadFreeBSD-src-0539756f3d2277bd1ecc19afb014c074426e2f35.zip
FreeBSD-src-0539756f3d2277bd1ecc19afb014c074426e2f35.tar.gz
Import of ipfilter 3.3.3 in anticipation of its revival.
More to come in the next days.
Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r--contrib/ipfilter/rules/BASIC.NAT2
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW2
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW4
-rw-r--r--contrib/ipfilter/rules/example.14
-rw-r--r--contrib/ipfilter/rules/example.114
-rw-r--r--contrib/ipfilter/rules/example.1312
-rw-r--r--contrib/ipfilter/rules/example.25
-rw-r--r--contrib/ipfilter/rules/example.510
-rw-r--r--contrib/ipfilter/rules/firewall2
-rw-r--r--contrib/ipfilter/rules/ftp-proxy4
-rw-r--r--contrib/ipfilter/rules/server4
11 files changed, 27 insertions, 26 deletions
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
index 31bf1b3..df041d1 100644
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ b/contrib/ipfilter/rules/BASIC.NAT
@@ -1,6 +1,6 @@
#!/sbin/ipnat -f -
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
index 42d2792..d2bd60a 100644
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -2,7 +2,7 @@
#
# SAMPLE: RESTRICTIVE FILTER RULES
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
index b966dfb..46564f0 100644
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -2,7 +2,7 @@
#
# SAMPLE: PERMISSIVE FILTER RULES
#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
@@ -56,7 +56,7 @@ pass out quick on lo0 all
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
-pass in log quick proto tcp all SA flags S/SA keep state group 200
+pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
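Review bot: The comment above the changed rule still reads "Allow all outgoing connections" while the rule itself is `pass in log quick proto tcp all flags S/SA keep state group 200`, so the documentation and the direction of the rule disagree; the commit only drops the stray `SA` token and leaves this mismatch in place. As written the rule accepts and logs every inbound TCP connection attempt (SYN without ACK) from any source to any destination within group 200, which may well be intended in the PERMISSIVE sample, but a reader comparing comment and rule cannot tell which one is wrong. If the rule is right, the comment should say so, e.g. `# Allow all incoming TCP connections (logged, stateful)`; if the comment is right, the rule wants `pass out` and a group on the outbound head. The `head 200` line this group attaches to is outside the hunk, so which interface and direction the group covers cannot be confirmed from here.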
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
index 604346e..ff93f49 100644
--- a/contrib/ipfilter/rules/example.1
+++ b/contrib/ipfilter/rules/example.1
@@ -1,4 +1,4 @@
#
-# block all incoming TCP packets on le0 from host "foo" to any destination.
+# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
#
-block in on le0 proto tcp from foo/32 to any
+block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
index 7fc26eb..c6b4e7f 100644
--- a/contrib/ipfilter/rules/example.11
+++ b/contrib/ipfilter/rules/example.11
@@ -2,12 +2,12 @@
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
-pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
-pass in proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block anything trying to get to X terminal ports, X:0 to X:9
#
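Review bot: The comments were not updated along with the rules: the text still says "the same subnet as foo is on" while the rule now reads `from 10.2.2.2/24`, so "foo" no longer appears anywhere in the file; the same happens in the example.5 hunk, whose comments still speak of "foo", "bar" and "fubar" after the rules switched to literal addresses. Suggested wording for this one: `# allow any TCP packets from the 10.2.2.0/24 subnet through to host`. Separately, `10.2.2.2/24` is a host address paired with a network mask; ipf masks it to 10.2.2.0/24 anyway, but writing the network address (`from 10.2.2.0/24`) states the intent plainly and avoids the impression that a single host is meant — this also applies to the corresponding line in example.5.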
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
index df13d0a..854f07f 100644
--- a/contrib/ipfilter/rules/example.13
+++ b/contrib/ipfilter/rules/example.13
@@ -1,17 +1,17 @@
#
-# Log all short TCP packets to qe3, with "packetlog" as the intended
+# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
# destination for the packet.
#
-block in to qe3:packetlog proto tcp all with short
+block in on qe0 to qe3:10.3.3.3 proto tcp all with short
#
# Log all connection attempts for TCP
#
-pass in dup-to le0:packetlog proto tcp all flags S/SA
+pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
-pass in fastroute proto udp all
+pass in on ppp0 fastroute proto udp all
#
-# Route all ICMP packets to network 10 out through le1, to "router"
+# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
#
-pass in to le1:router proto icmp all
+pass in on le0 to le1:10.3.3.1 proto icmp all
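Review bot: The first two comments say "Log all short TCP packets" and "Log all connection attempts for TCP", yet neither `block in on qe0 to qe3:10.3.3.3 ...` nor `pass in on le0 dup-to le1:10.3.3.3 ...` carries the `log` keyword, so nothing is written to the ipf log device by these rules. It looks like "log" here means handing the packets (or copies of them) to a logging host at 10.3.3.3 via the `to`/`dup-to` interface-routing options — if so the comment could make that explicit, e.g. `# Divert all short TCP packets out qe3 to the logging host 10.3.3.3`; if kernel logging is also wanted, `log` has to be added to the rule. Hedged, since the intent is inferred from the old "packetlog" name rather than stated in the hunk.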
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
index 8d8fe57..4f81725 100644
--- a/contrib/ipfilter/rules/example.2
+++ b/contrib/ipfilter/rules/example.2
@@ -1,4 +1,5 @@
#
-# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
+# block all outgoing TCP packets on le0 from any host to port 23 of
+# host 10.1.1.2
#
-block out on le0 proto tcp from any to bar/32 port = 23
+block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
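Review bot: The new comment and the new rule name different hosts: the comment says `# host 10.1.1.2` while the rule blocks `to 10.1.1.3/32 port = 23`. Both lines are introduced by this commit, so one of them is a typo; since example.11 and example.5 already use 10.1.1.2 as an internal destination, the comment should most likely follow the rule, `# host 10.1.1.3`, but either way the two must agree or the example teaches the wrong address. The rewrap also dropped the trailing period of the original sentence; restoring it (`# host 10.1.1.3.`) keeps the file's comment style consistent.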
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
index 6e122e0..6d688b5 100644
--- a/contrib/ipfilter/rules/example.5
+++ b/contrib/ipfilter/rules/example.5
@@ -3,23 +3,23 @@
#
# allow packets coming from foo to bar through.
#
-pass from foo to bar
+pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
-pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
-pass proto udp from fubar port != 53 to localhost
+pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block all ICMP unreachables.
#
-block from any to any icmp unreach
+block in proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
-pass from any to any with ipopts
+pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
index af9cf98..681a81d 100644
--- a/contrib/ipfilter/rules/firewall
+++ b/contrib/ipfilter/rules/firewall
@@ -33,7 +33,7 @@ where
* "int-net" is the internal network IP# subnet address range. This might
be something like 10.1.0.0/16, or 128.33.1.0/24
-* "ext-service" is the service to which you which to connect or if it doesn't
+* "ext-service" is the service to which you wish to connect or if it doesn't
have a proper name, a number can be used. The translation of "ext-service"
as a name to a number is controlled with the /etc/services file.
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
index a13ef1c..cafeeb6 100644
--- a/contrib/ipfilter/rules/ftp-proxy
+++ b/contrib/ipfilter/rules/ftp-proxy
@@ -20,7 +20,7 @@ Lets assume your network diagram looks something like this:
and IP Filter is running on host B. If you want to proxy FTP from A to C
then you would do:
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
int-c = name of "interface c"
ipaddr-a = ip# of interface a
@@ -31,7 +31,7 @@ e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
203.45.67.90, you would do:
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
where:
ipaddr-a = 10.1.1.1
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
index 5eafc7c..f2fb204 100644
--- a/contrib/ipfilter/rules/server
+++ b/contrib/ipfilter/rules/server
@@ -6,6 +6,6 @@
# or
#
pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.1.0/24 to any
+block in log quick on le0 from any to any
+block in log quick on le1 from 128.1.1.0/24 to any
pass in quick on le1 from any to any