authorcy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
committercy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
commit672af8808c0e7c15f330b401482f9271c2eb3fa6 (patch)
tree225b5acf68c01bc6a260b386c2b2dbf4fa2839e3 /contrib/ipfilter/rules
parent71e82d94e82560b20789833f60056506de34de8b (diff)
As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them. To keep the tags consistent with dist, the tags are also flattened. Approved by: glebius (Mentor)
Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r--contrib/ipfilter/rules/.cvsignore1
-rw-r--r--contrib/ipfilter/rules/BASIC.NAT46
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW99
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW72
-rw-r--r--contrib/ipfilter/rules/example.14
-rw-r--r--contrib/ipfilter/rules/example.1012
-rw-r--r--contrib/ipfilter/rules/example.1126
-rw-r--r--contrib/ipfilter/rules/example.1217
-rw-r--r--contrib/ipfilter/rules/example.1317
-rw-r--r--contrib/ipfilter/rules/example.25
-rw-r--r--contrib/ipfilter/rules/example.340
-rw-r--r--contrib/ipfilter/rules/example.44
-rw-r--r--contrib/ipfilter/rules/example.525
-rw-r--r--contrib/ipfilter/rules/example.65
-rw-r--r--contrib/ipfilter/rules/example.712
-rw-r--r--contrib/ipfilter/rules/example.810
-rw-r--r--contrib/ipfilter/rules/example.912
-rw-r--r--contrib/ipfilter/rules/example.sr61
-rw-r--r--contrib/ipfilter/rules/firewall39
-rw-r--r--contrib/ipfilter/rules/ftp-proxy45
-rwxr-xr-xcontrib/ipfilter/rules/ftppxy6
-rw-r--r--contrib/ipfilter/rules/ip_rules3
-rw-r--r--contrib/ipfilter/rules/ipmon.conf24
-rw-r--r--contrib/ipfilter/rules/nat-setup77
-rw-r--r--contrib/ipfilter/rules/nat.eg14
-rw-r--r--contrib/ipfilter/rules/pool.conf4
-rw-r--r--contrib/ipfilter/rules/rules.sed5
-rw-r--r--contrib/ipfilter/rules/server11
-rw-r--r--contrib/ipfilter/rules/tcpstate13
29 files changed, 0 insertions, 709 deletions
diff --git a/contrib/ipfilter/rules/.cvsignore b/contrib/ipfilter/rules/.cvsignore
deleted file mode 100644
index 3e75765..0000000
--- a/contrib/ipfilter/rules/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-new
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
deleted file mode 100644
index 213e338..0000000
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
-# For normal TCP/UDP and other IP protocols
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
deleted file mode 100644
index d2bd60a..0000000
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
deleted file mode 100644
index 46564f0..0000000
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
deleted file mode 100644
index ff93f49..0000000
--- a/contrib/ipfilter/rules/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
deleted file mode 100644
index 560d1e6..0000000
--- a/contrib/ipfilter/rules/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
deleted file mode 100644
index c6b4e7f..0000000
--- a/contrib/ipfilter/rules/example.11
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
deleted file mode 100644
index c0ba1d3..0000000
--- a/contrib/ipfilter/rules/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
deleted file mode 100644
index 854f07f..0000000
--- a/contrib/ipfilter/rules/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
deleted file mode 100644
index 4f81725..0000000
--- a/contrib/ipfilter/rules/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
deleted file mode 100644
index cd31f73..0000000
--- a/contrib/ipfilter/rules/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
deleted file mode 100644
index 7918ec2..0000000
--- a/contrib/ipfilter/rules/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
deleted file mode 100644
index 6d688b5..0000000
--- a/contrib/ipfilter/rules/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo to bar through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
deleted file mode 100644
index d40f0f3..0000000
--- a/contrib/ipfilter/rules/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
deleted file mode 100644
index 062de98..0000000
--- a/contrib/ipfilter/rules/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
deleted file mode 100644
index baa0258..0000000
--- a/contrib/ipfilter/rules/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
deleted file mode 100644
index daff203..0000000
--- a/contrib/ipfilter/rules/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le1 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
deleted file mode 100644
index c4c1994..0000000
--- a/contrib/ipfilter/rules/example.sr
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
deleted file mode 100644
index 681a81d..0000000
--- a/contrib/ipfilter/rules/firewall
+++ /dev/null
@@ -1,39 +0,0 @@
-Configuring IP Filter for firewall usage.
-=========================================
-
-Step 1 - Block out "bad" IP packets.
-------------------------------------
-
-Run the perl script "mkfilters". This will generate a list of blocking
-rules which:
- a) blocks all packets which might belong to an IP Spoofing attack;
- b) blocks all packets with IP options;
- c) blocks all packets which have a length which is too short for
- any legal packet;
-
-Step 2 - Convert Network Security Policy to filter rules.
----------------------------------------------------------
-
-Draw up a list of which services you want to allow users to use on the
-Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
-want each host that is part of your firewall to be allowed to do, including
-communication with internal hosts.
-
-Step 3 - Create TCP "keep state" rules.
----------------------------------------
-
-For each service that uses TCP, create a rule as follows:
-
-pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
-
-where
-* "int-a" is the internal interface of the firewall. That is, it is the
- closest to your internal network in terms of network hops.
-
-* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
-
-* "ext-service" is the service to which you wish to connect or if it doesn't
- have a proper name, a number can be used. The translation of "ext-service"
- as a name to a number is controlled with the /etc/services file.
-
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
deleted file mode 100644
index ad2f717..0000000
--- a/contrib/ipfilter/rules/ftp-proxy
+++ /dev/null
@@ -1,45 +0,0 @@
-How to setup FTP proxying using the built in proxy code.
-========================================================
-
-NOTE: Currently, the built-in FTP proxy is only available for use with NAT
- (i.e. only if you're already using "map" rules with ipnat). It does
- support null-NAT mappings, that is, using the proxy without changing
- the addresses.
-
-Lets assume your network diagram looks something like this:
-
-
-[host A]
- |a
----+-------------+----------
- |b
- [host B]
- |c
----+-------------+----------
- |d
-[host C]
-
-and IP Filter is running on host B. If you want to proxy FTP from A to C
-then you would do:
-
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
-
-int-c = name of "interface c"
-ipaddr-a = ip# of interface a
-ipaddr-c-net = another ip# on the C-network (usually not the same as the
-interface).
-
-e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
-which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
-203.45.67.90, you would do:
-
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
-
-where:
-ipaddr-a = 10.1.1.1
-int-c = vx0
-ipaddr-c-net = 203.45.67.91
-
-The "map" rule for this proxy should precede any other NAT rules you are
-using.
-
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
deleted file mode 100755
index 2c42c52..0000000
--- a/contrib/ipfilter/rules/ftppxy
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# The proxy bit is as follows:
-# proxy [port <portname>] <tag>/<protocol>
-# the <tag> should match a tagname in the proxy table, as does the protocol.
-# this format isn't finalised yet
-echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
deleted file mode 100644
index 9850f16..0000000
--- a/contrib/ipfilter/rules/ip_rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Used to generate ../ip_rules.c and ../ip_rules.h
-pass in all
-pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
deleted file mode 100644
index 47b0146..0000000
--- a/contrib/ipfilter/rules/ipmon.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-#
-#
-#
-match { logtag = 10000 }
- do { execute "/usr/bin/mail -s 'logtag 10000' root" };
-match { logtag = 2000, every 10 seconds }
- do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
-#
-match { protocol = udp, result = block }
- do { execute "/usr/bin/mail -s 'blocked udp' root"
-};
-#
-match {
- srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
-};
-#
-match {
- rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "run shell command"
-};
-#
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
deleted file mode 100644
index b10e8f1..0000000
--- a/contrib/ipfilter/rules/nat-setup
+++ /dev/null
@@ -1,77 +0,0 @@
-Configuring NAT on your network.
-================================
-
-To start setting up NAT, we need to define which is your "internal" interface
-and which is your "external" interface. The "internal" interface is the
-network adapter connected to the network with private IP addresses which
-you need to change for communicating on the Internet. The "external"
-interface is configured with a valid internet address.
-
-For example, your internal interface might have an IP# of 10.1.1.1 and be
-connected to your ethernet, whilst your external interface might be a PPP
-connection with an IP number of 204.51.62.176.
-
-Thus your network might look like this:
-
-<Internal Network>
- [pc] [pc]
- | |
-+-+---------+------+
- |
- [firewall]
- |
- |
- Internet
-<External Network>
-
-
-Writing the map-rule.
----------------------
-When you're connected to the Internet, you will either have a block of IP
-addresses assigned to you, maybe several different blocks, or you use a
-single IP address, i.e. with dialup PPP. If you have a block of addresses
-assigned, these can be used to create either a 1:1 mapping (if you have
-only a few internal IP addresses) or N:1 mappings, where groups of internal
-addresses map to a single IP address and unless you have enough Internet
-addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
-UDP port numbers.
-
-For an N:1 situation, you might have:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
-
-where if you had 16 addresses available, you could do:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
-
-Or if you wanted to allocate subnets to each IP#, you might do:
-
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
-
-*** NOTE: NAT rules are used on a first-match basis only!
-
-
-Filtering with NAT.
--------------------
-IP Filter will always translate addresses in a packet _BEFORE_ it checks its
-access list for inbound packets and translates addresses _AFTER_ it has
-checked the access control lists for outbound packets.
-
-For example (using the above NAT rules), if you wanted to prevent all hosts
-in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
-with ipf:
-
-block out on ppp0 from 10.1.2.0/24 to any
-block in on ppp0 from any to 10.1.2.0/24
-
-and use these with ipnat:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
deleted file mode 100644
index 9c26754..0000000
--- a/contrib/ipfilter/rules/nat.eg
+++ /dev/null
@@ -1,14 +0,0 @@
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
deleted file mode 100644
index 285398d..0000000
--- a/contrib/ipfilter/rules/pool.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
- 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
- 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
diff --git a/contrib/ipfilter/rules/rules.sed b/contrib/ipfilter/rules/rules.sed
deleted file mode 100644
index 050d9b6..0000000
--- a/contrib/ipfilter/rules/rules.sed
+++ /dev/null
@@ -1,5 +0,0 @@
-WÆ . Ä..'& CVSWÜ example.1WÝ
-example.10WÞ
-example.11Wß
-example.12Wà
-example.13Wá example.2Wâ example.3Wã example.4Wä example.5Wå example.6Wæ example.7Wç example.8Wè example.9Wé
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
deleted file mode 100644
index f2fb204..0000000
--- a/contrib/ipfilter/rules/server
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
deleted file mode 100644
index 339a25f..0000000
--- a/contrib/ipfilter/rules/tcpstate
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all