authorngie <ngie@FreeBSD.org>2015-10-05 03:25:30 +0000
committerngie <ngie@FreeBSD.org>2015-10-05 03:25:30 +0000
commit115d008392113efc6f844baa7cc407e9eaae63db (patch)
tree6cb521ad03ca5b254c0873d2b9f27a92482207c3 /contrib/ipfilter/rules
parenta9fe170df1126a5dccd5dea163934fb04a95b5b8 (diff)
Remove some paths in preparation for a re-copy from head
Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r--contrib/ipfilter/rules/BASIC.NAT46
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW99
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW72
-rw-r--r--contrib/ipfilter/rules/example.14
-rw-r--r--contrib/ipfilter/rules/example.1012
-rw-r--r--contrib/ipfilter/rules/example.1126
-rw-r--r--contrib/ipfilter/rules/example.1217
-rw-r--r--contrib/ipfilter/rules/example.1317
-rw-r--r--contrib/ipfilter/rules/example.25
-rw-r--r--contrib/ipfilter/rules/example.340
-rw-r--r--contrib/ipfilter/rules/example.44
-rw-r--r--contrib/ipfilter/rules/example.525
-rw-r--r--contrib/ipfilter/rules/example.65
-rw-r--r--contrib/ipfilter/rules/example.712
-rw-r--r--contrib/ipfilter/rules/example.810
-rw-r--r--contrib/ipfilter/rules/example.912
-rw-r--r--contrib/ipfilter/rules/example.sr61
-rw-r--r--contrib/ipfilter/rules/firewall39
-rw-r--r--contrib/ipfilter/rules/ftp-proxy45
-rwxr-xr-xcontrib/ipfilter/rules/ftppxy6
-rw-r--r--contrib/ipfilter/rules/ip_rules3
-rw-r--r--contrib/ipfilter/rules/ipmon.conf25
-rw-r--r--contrib/ipfilter/rules/nat-setup77
-rw-r--r--contrib/ipfilter/rules/nat.eg14
-rw-r--r--contrib/ipfilter/rules/pool.conf4
-rw-r--r--contrib/ipfilter/rules/server11
-rw-r--r--contrib/ipfilter/rules/tcpstate13
27 files changed, 0 insertions, 704 deletions
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
deleted file mode 100644
index 213e338..0000000
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
-# For normal TCP/UDP and other IP protocols
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
deleted file mode 100644
index 642dde0..0000000
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
deleted file mode 100644
index 1d4fd73..0000000
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
deleted file mode 100644
index ff93f49..0000000
--- a/contrib/ipfilter/rules/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
deleted file mode 100644
index 560d1e6..0000000
--- a/contrib/ipfilter/rules/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
deleted file mode 100644
index c6b4e7f..0000000
--- a/contrib/ipfilter/rules/example.11
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
deleted file mode 100644
index c0ba1d3..0000000
--- a/contrib/ipfilter/rules/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
deleted file mode 100644
index 854f07f..0000000
--- a/contrib/ipfilter/rules/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
deleted file mode 100644
index 4f81725..0000000
--- a/contrib/ipfilter/rules/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
deleted file mode 100644
index cd31f73..0000000
--- a/contrib/ipfilter/rules/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
deleted file mode 100644
index 7918ec2..0000000
--- a/contrib/ipfilter/rules/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
deleted file mode 100644
index 6d688b5..0000000
--- a/contrib/ipfilter/rules/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo to bar through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
deleted file mode 100644
index d40f0f3..0000000
--- a/contrib/ipfilter/rules/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
deleted file mode 100644
index 062de98..0000000
--- a/contrib/ipfilter/rules/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
deleted file mode 100644
index baa0258..0000000
--- a/contrib/ipfilter/rules/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
deleted file mode 100644
index daff203..0000000
--- a/contrib/ipfilter/rules/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le1 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
deleted file mode 100644
index c4c1994..0000000
--- a/contrib/ipfilter/rules/example.sr
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
deleted file mode 100644
index f26b715..0000000
--- a/contrib/ipfilter/rules/firewall
+++ /dev/null
@@ -1,39 +0,0 @@
-Configuring IP Filter for firewall usage.
-=========================================
-
-Step 1 - Block out "bad" IP packets.
-------------------------------------
-
-Run the perl script "mkfilters". This will generate a list of blocking
-rules which:
- a) blocks all packets which might belong to an IP Spoofing attack;
- b) blocks all packets with IP options;
- c) blocks all packets which have a length which is too short for
- any legal packet;
-
-Step 2 - Convert Network Security Policy to filter rules.
----------------------------------------------------------
-
-Draw up a list of which services you want to allow users to use on the
-Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
-want each host that is part of your firewall to be allowed to do, including
-communication with internal hosts.
-
-Step 3 - Create TCP "keep state" rules.
----------------------------------------
-
-For each service that uses TCP, create a rule as follows:
-
-pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
-
-where
-* "int-a" is the internal interface of the firewall. That is, it is the
- closest to your internal network in terms of network hops.
-
-* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
-
-* "ext-service" is the service to which you wish to connect or if it doesn't
- have a proper name, a number can be used. The translation of "ext-service"
- as a name to a number is controlled with the /etc/services file.
-
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
deleted file mode 100644
index ad2f717..0000000
--- a/contrib/ipfilter/rules/ftp-proxy
+++ /dev/null
@@ -1,45 +0,0 @@
-How to setup FTP proxying using the built in proxy code.
-========================================================
-
-NOTE: Currently, the built-in FTP proxy is only available for use with NAT
- (i.e. only if you're already using "map" rules with ipnat). It does
- support null-NAT mappings, that is, using the proxy without changing
- the addresses.
-
-Lets assume your network diagram looks something like this:
-
-
-[host A]
- |a
----+-------------+----------
- |b
- [host B]
- |c
----+-------------+----------
- |d
-[host C]
-
-and IP Filter is running on host B. If you want to proxy FTP from A to C
-then you would do:
-
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
-
-int-c = name of "interface c"
-ipaddr-a = ip# of interface a
-ipaddr-c-net = another ip# on the C-network (usually not the same as the
-interface).
-
-e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
-which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
-203.45.67.90, you would do:
-
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
-
-where:
-ipaddr-a = 10.1.1.1
-int-c = vx0
-ipaddr-c-net = 203.45.67.91
-
-The "map" rule for this proxy should precede any other NAT rules you are
-using.
-
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
deleted file mode 100755
index 2c42c52..0000000
--- a/contrib/ipfilter/rules/ftppxy
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# The proxy bit is as follows:
-# proxy [port <portname>] <tag>/<protocol>
-# the <tag> should match a tagname in the proxy table, as does the protocol.
-# this format isn't finalised yet
-echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
deleted file mode 100644
index 9850f16..0000000
--- a/contrib/ipfilter/rules/ip_rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Used to generate ../ip_rules.c and ../ip_rules.h
-pass in all
-pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
deleted file mode 100644
index 652afce..0000000
--- a/contrib/ipfilter/rules/ipmon.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-#
-#
-#
-match { logtag = 10000; }
-do { execute("/usr/bin/mail -s 'logtag 10000' root"); };
-#
-match { logtag = 2000, every 10 seconds; }
-do { execute("echo 'XXXXXXXX tag 2000 packet XXXXXXXX'"); };
-#
-match { protocol = udp, result = block; }
-do { file("file:///var/log/udp-block"); };
-#
-match { protocol = tcp, result = block, dstport = 25; }
-do { syslog("local0.info"), syslog("local1."), syslog(".warn"); };
-#
-match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
-do { execute("/usr/bin/mail -s 'from 10.1 to 192.168.1' root"); };
-
-#
-match {
- rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
-do { nothing; };
-#
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
deleted file mode 100644
index b10e8f1..0000000
--- a/contrib/ipfilter/rules/nat-setup
+++ /dev/null
@@ -1,77 +0,0 @@
-Configuring NAT on your network.
-================================
-
-To start setting up NAT, we need to define which is your "internal" interface
-and which is your "external" interface. The "internal" interface is the
-network adapter connected to the network with private IP addresses which
-you need to change for communicating on the Internet. The "external"
-interface is configured with a valid internet address.
-
-For example, your internal interface might have an IP# of 10.1.1.1 and be
-connected to your ethernet, whilst your external interface might be a PPP
-connection with an IP number of 204.51.62.176.
-
-Thus your network might look like this:
-
-<Internal Network>
- [pc] [pc]
- | |
-+-+---------+------+
- |
- [firewall]
- |
- |
- Internet
-<External Network>
-
-
-Writing the map-rule.
----------------------
-When you're connected to the Internet, you will either have a block of IP
-addresses assigned to you, maybe several different blocks, or you use a
-single IP address, i.e. with dialup PPP. If you have a block of addresses
-assigned, these can be used to create either a 1:1 mapping (if you have
-only a few internal IP addresses) or N:1 mappings, where groups of internal
-addresses map to a single IP address and unless you have enough Internet
-addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
-UDP port numbers.
-
-For an N:1 situation, you might have:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
-
-where if you had 16 addresses available, you could do:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
-
-Or if you wanted to allocate subnets to each IP#, you might do:
-
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
-
-*** NOTE: NAT rules are used on a first-match basis only!
-
-
-Filtering with NAT.
--------------------
-IP Filter will always translate addresses in a packet _BEFORE_ it checks its
-access list for inbound packets and translates addresses _AFTER_ it has
-checked the access control lists for outbound packets.
-
-For example (using the above NAT rules), if you wanted to prevent all hosts
-in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
-with ipf:
-
-block out on ppp0 from 10.1.2.0/24 to any
-block in on ppp0 from any to 10.1.2.0/24
-
-and use these with ipnat:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
deleted file mode 100644
index 9c26754..0000000
--- a/contrib/ipfilter/rules/nat.eg
+++ /dev/null
@@ -1,14 +0,0 @@
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
deleted file mode 100644
index 285398d..0000000
--- a/contrib/ipfilter/rules/pool.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
- 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
- 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
deleted file mode 100644
index de0e9bb..0000000
--- a/contrib/ipfilter/rules/server
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
deleted file mode 100644
index 339a25f..0000000
--- a/contrib/ipfilter/rules/tcpstate
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all