Revert r288682

I meant to do this on ^/user/ngie/more-tests

Pointyhat to: ngie (use svn info next time...)

27 files changed, 704 insertions, 0 deletions

diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
new file mode 100644
index 0000000..213e338
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC.NAT
@@ -0,0 +1,46 @@
+#!/sbin/ipnat -f -
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# If we have only 1 valid IP address from our ISP, then we do this:
+#
+# To make ftp work, using the internal ftp proxy, use:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
+#
+# For normal TCP/UDP and other IP protocols
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
+map ppp0 w.x.y.z/24 -> a.b.c.d/32
+#
+# if we get a different dialup IP address each time, then we would use:
+#
+#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> 0/32
+#
+# If we have a class C address space of valid IP#'s from our ISP, then we can
+# do this:
+#
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24
+#
+# or, if we only have a small number of PC's, this:
+#
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
new file mode 100644
index 0000000..642dde0
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC_1.FW
@@ -0,0 +1,99 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: RESTRICTIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block in log proto tcp all flags S/SA head 101 group 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block in log proto tcp all flags S/SA head 201 group 200
+block in log proto udp all head 202 group 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Allow outgoing DNS requests (no named on firewall)
+#
+pass in quick proto udp from any to any port = 53 keep state group 202
+#
+# If we were running named on the firewall and all internal hosts talked to
+# it, we'd use the following:
+#
+#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
+#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
+#
+# Allow outgoing FTP from any internal host to any external FTP server.
+#
+pass in quick proto tcp from any to any port = ftp keep state group 201
+pass in quick proto tcp from any to any port = ftp-data keep state group 201
+pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
+#
+# Allow NTP from any internal host to any external NTP server.
+#
+pass in quick proto udp from any to any port = ntp keep state group 202
+#
+# Allow outgoing connections: SSH, TELNET, WWW
+#
+pass in quick proto tcp from any to any port = 22 keep state group 201
+pass in quick proto tcp from any to any port = telnet keep state group 201
+pass in quick proto tcp from any to any port = www keep state group 201
+#
+#-------------------------------------------------------
+block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
+#
+# Allow incoming to the external firewall interface: mail, WWW, DNS
+#
+pass in log quick proto tcp from any to any port = smtp keep state group 110
+pass in log quick proto tcp from any to any port = www keep state group 110
+pass in log quick proto tcp from any to any port = 53 keep state group 110
+pass in log quick proto udp from any to any port = 53 keep state group 100
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
new file mode 100644
index 0000000..1d4fd73
--- /dev/null
+++ b/contrib/ipfilter/rules/BASIC_2.FW
@@ -0,0 +1,72 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: PERMISSIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Allow any communication between the inside network and the outside only.
+#
+# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
+#
+pass in log quick proto tcp all flags S/SA keep state group 200
+#
+# Support all UDP `connections' initiated from inside.
+#
+# Allow ping out
+#
+pass in log quick proto icmp all keep state group 200
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
new file mode 100644
index 0000000..ff93f49
--- /dev/null
+++ b/contrib/ipfilter/rules/example.1
@@ -0,0 +1,4 @@
+#
+# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
+#
+block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
new file mode 100644
index 0000000..560d1e6
--- /dev/null
+++ b/contrib/ipfilter/rules/example.10
@@ -0,0 +1,12 @@
+#
+# pass ack packets (ie established connection)
+#
+pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+#
+# block incoming connection requests to my internal network from the big bad
+# internet.
+#
+block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
+#  to block the replies:
+block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
new file mode 100644
index 0000000..c6b4e7f
--- /dev/null
+++ b/contrib/ipfilter/rules/example.11
@@ -0,0 +1,26 @@
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass in proto udp from 10.2.2.2 port != 53 to localhost
+#
+# block anything trying to get to X terminal ports, X:0 to X:9
+#
+block in proto tcp from any to any port 5999 >< 6010
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+block in proto tcp/udp all
+pass in proto tcp/udp from any to any port 512 <> 515
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+pass in proto tcp/udp all
+block in proto tcp/udp from any to any port 511 >< 516
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
new file mode 100644
index 0000000..c0ba1d3
--- /dev/null
+++ b/contrib/ipfilter/rules/example.12
@@ -0,0 +1,17 @@
+#
+# get rid of all short IP fragments (too small for valid comparison)
+#
+block in proto tcp all with short
+#
+# drop and log any IP packets with options set in them.
+#
+block in log all with ipopts
+#
+# log packets with BOTH ssrr and lsrr set
+#
+log in all with opt lsrr,ssrr
+#
+# drop any source routing options
+#
+block in quick all with opt lsrr
+block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
new file mode 100644
index 0000000..854f07f
--- /dev/null
+++ b/contrib/ipfilter/rules/example.13
@@ -0,0 +1,17 @@
+#
+# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
+# destination for the packet.
+#
+block in on qe0 to qe3:10.3.3.3 proto tcp all with short
+#
+# Log all connection attempts for TCP
+#
+pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
+#
+# Route all UDP packets through transparently.
+#
+pass in on ppp0 fastroute proto udp all
+#
+# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
+#
+pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
new file mode 100644
index 0000000..4f81725
--- /dev/null
+++ b/contrib/ipfilter/rules/example.2
@@ -0,0 +1,5 @@
+#
+# block all outgoing TCP packets on le0 from any host to port 23 of
+# host 10.1.1.2
+#
+block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
new file mode 100644
index 0000000..cd31f73
--- /dev/null
+++ b/contrib/ipfilter/rules/example.3
@@ -0,0 +1,40 @@
+#
+# block all inbound packets.
+#
+block in from any to any
+#
+# pass through packets to and from localhost.
+#
+pass in from 127.0.0.1/32 to 127.0.0.1/32
+#
+# allow a variety of individual hosts to send any type of IP packet to any
+# other host.
+#
+pass in from 10.1.3.1/32 to any
+pass in from 10.1.3.2/32 to any
+pass in from 10.1.3.3/32 to any
+pass in from 10.1.3.4/32 to any
+pass in from 10.1.3.5/32 to any
+pass in from 10.1.0.13/32 to any
+pass in from 10.1.1.1/32 to any
+pass in from 10.1.2.1/32 to any
+#
+#
+# block all outbound packets.
+#
+block out from any to any
+#
+# allow any packets destined for localhost out.
+#
+pass out from any to 127.0.0.1/32
+#
+# allow any host to send any IP packet out to a limited number of hosts.
+#
+pass out from any to 10.1.3.1/32
+pass out from any to 10.1.3.2/32
+pass out from any to 10.1.3.3/32
+pass out from any to 10.1.3.4/32
+pass out from any to 10.1.3.5/32
+pass out from any to 10.1.0.13/32
+pass out from any to 10.1.1.1/32
+pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
new file mode 100644
index 0000000..7918ec2
--- /dev/null
+++ b/contrib/ipfilter/rules/example.4
@@ -0,0 +1,4 @@
+#
+# block all ICMP packets.
+#
+block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
new file mode 100644
index 0000000..6d688b5
--- /dev/null
+++ b/contrib/ipfilter/rules/example.5
@@ -0,0 +1,25 @@
+#
+# test ruleset
+#
+# allow packets coming from foo to bar through.
+#
+pass in from 10.1.1.2 to 10.2.1.1
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass in proto udp from 10.2.2.2 port != 53 to localhost
+#
+# block all ICMP unreachables.
+#
+block in proto icmp from any to any icmp-type unreach
+#
+# allow packets through which have a non-standard IP header length (ie there
+# are IP options such as source-routing present).
+#
+pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
new file mode 100644
index 0000000..d40f0f3
--- /dev/null
+++ b/contrib/ipfilter/rules/example.6
@@ -0,0 +1,5 @@
+#
+# block all TCP packets with only the SYN flag set (this is the first
+# packet sent to establish a connection) out of the SYN-ACK pair.
+#
+block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
new file mode 100644
index 0000000..062de98
--- /dev/null
+++ b/contrib/ipfilter/rules/example.7
@@ -0,0 +1,12 @@
+# block all ICMP packets.
+#
+block in proto icmp all
+#
+# allow in ICMP echos and echo-replies.
+#
+pass in on le1 proto icmp from any to any icmp-type echo
+pass in on le1 proto icmp from any to any icmp-type echorep
+#
+# block all ICMP destination unreachable packets which are port-unreachables
+#
+block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
new file mode 100644
index 0000000..baa0258
--- /dev/null
+++ b/contrib/ipfilter/rules/example.8
@@ -0,0 +1,10 @@
+#
+# block all incoming TCP connections but send back a TCP-RST for ones to
+# the ident port
+#
+block in proto tcp from any to any flags S/SA
+block return-rst in quick proto tcp from any to any port = 113 flags S/SA
+#
+# block all inbound UDP packets and send back an ICMP error.
+#
+block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
new file mode 100644
index 0000000..daff203
--- /dev/null
+++ b/contrib/ipfilter/rules/example.9
@@ -0,0 +1,12 @@
+#
+# drop all packets without IP security options
+#
+block in all
+pass in all with opt sec
+#
+# only allow packets in and out on le1 which are top secret
+#
+block out on le1 all
+pass out on le1 all with opt sec-class topsecret
+block in on le1 all
+pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
new file mode 100644
index 0000000..c4c1994
--- /dev/null
+++ b/contrib/ipfilter/rules/example.sr
@@ -0,0 +1,61 @@
+#
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on.  This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+#  (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+#         had IP options present, this rule and the above would cause it
+#         to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
new file mode 100644
index 0000000..f26b715
--- /dev/null
+++ b/contrib/ipfilter/rules/firewall
@@ -0,0 +1,39 @@
+Configuring IP Filter for firewall usage.
+=========================================
+
+Step 1 - Block out "bad" IP packets.
+------------------------------------
+
+Run the perl script "mkfilters".  This will generate a list of blocking
+rules which:
+	a) blocks all packets which might belong to an IP Spoofing attack;
+	b) blocks all packets with IP options;
+	c) blocks all packets which have a length which is too short for
+	   any legal packet;
+
+Step 2 - Convert Network Security Policy to filter rules.
+---------------------------------------------------------
+
+Draw up a list of which services you want to allow users to use on the
+Internet (e.g. WWW, ftp, etc).  Draw up a separate list for what you
+want each host that is part of your firewall to be allowed to do, including
+communication with internal hosts.
+
+Step 3 - Create TCP "keep state" rules.
+---------------------------------------
+
+For each service that uses TCP, create a rule as follows:
+
+pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
+
+where
+* "int-a" is the internal interface of the firewall.  That is, it is the
+  closest to your internal network in terms of network hops.
+
+* "int-net" is the internal network IP# subnet address range.  This might
+   be something like 10.1.0.0/16, or 128.33.1.0/24
+
+* "ext-service" is the service to which you wish to connect or if it doesn't
+  have a proper name, a number can be used.  The translation of "ext-service"
+  as a name to a number is controlled with the /etc/services file.
+
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
new file mode 100644
index 0000000..ad2f717
--- /dev/null
+++ b/contrib/ipfilter/rules/ftp-proxy
@@ -0,0 +1,45 @@
+How to setup FTP proxying using the built in proxy code.
+========================================================
+
+NOTE: Currently, the built-in FTP proxy is only available for use with NAT
+      (i.e. only if you're already using "map" rules with ipnat).  It does
+      support null-NAT mappings, that is, using the proxy without changing
+      the addresses.
+
+Lets assume your network diagram looks something like this:
+
+
+[host A]
+   |a
+---+-------------+----------
+                 |b
+             [host B]
+                 |c
+---+-------------+----------
+   |d
+[host C]
+
+and IP Filter is running on host B.  If you want to proxy FTP from A to C
+then you would do:
+
+map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
+
+int-c = name of "interface c"
+ipaddr-a = ip# of interface a
+ipaddr-c-net = another ip# on the C-network (usually not the same as the
+interface).
+
+e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
+which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
+203.45.67.90, you would do:
+
+map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
+
+where:
+ipaddr-a = 10.1.1.1
+int-c = vx0
+ipaddr-c-net = 203.45.67.91
+
+The "map" rule for this proxy should precede any other NAT rules you are
+using.
+
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
new file mode 100755
index 0000000..2c42c52
--- /dev/null
+++ b/contrib/ipfilter/rules/ftppxy
@@ -0,0 +1,6 @@
+#!/bin/sh
+# The proxy bit is as follows:
+# proxy [port <portname>] <tag>/<protocol>
+# the <tag> should match a tagname in the proxy table, as does the protocol.
+# this format isn't finalised yet
+echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
new file mode 100644
index 0000000..9850f16
--- /dev/null
+++ b/contrib/ipfilter/rules/ip_rules
@@ -0,0 +1,3 @@
+# Used to generate ../ip_rules.c and ../ip_rules.h
+pass in all
+pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
new file mode 100644
index 0000000..652afce
--- /dev/null
+++ b/contrib/ipfilter/rules/ipmon.conf
@@ -0,0 +1,25 @@
+#
+#
+#
+#
+match { logtag = 10000; }
+do { execute("/usr/bin/mail -s 'logtag 10000' root"); };
+#
+match { logtag = 2000, every 10 seconds; }
+do { execute("echo 'XXXXXXXX tag 2000 packet XXXXXXXX'"); };
+#
+match { protocol = udp, result = block; }
+do { file("file:///var/log/udp-block"); };
+#
+match { protocol = tcp, result = block, dstport = 25; }
+do { syslog("local0.info"), syslog("local1."), syslog(".warn"); };
+#
+match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { execute("/usr/bin/mail -s 'from 10.1 to 192.168.1' root"); };
+
+#
+match {
+	rule = 12, logtag = 101, direction = in, result = block,
+	protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
+do { nothing; };
+#
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
new file mode 100644
index 0000000..b10e8f1
--- /dev/null
+++ b/contrib/ipfilter/rules/nat-setup
@@ -0,0 +1,77 @@
+Configuring NAT on your network.
+================================
+
+To start setting up NAT, we need to define which is your "internal" interface
+and which is your "external" interface.  The "internal" interface is the
+network adapter connected to the network with private IP addresses which
+you need to change for communicating on the Internet.  The "external"
+interface is configured with a valid internet address.
+
+For example, your internal interface might have an IP# of 10.1.1.1 and be
+connected to your ethernet, whilst your external interface might be a PPP
+connection with an IP number of 204.51.62.176.
+
+Thus your network might look like this:
+
+<Internal Network>
+ [pc]      [pc]
+  |         |
++-+---------+------+
+                   |
+               [firewall]
+                   |
+                   |
+               Internet
+<External Network>
+
+
+Writing the map-rule.
+---------------------
+When you're connected to the Internet, you will either have a block of IP
+addresses assigned to you, maybe several different blocks, or you use a
+single IP address, i.e. with dialup PPP.  If you have a block of addresses
+assigned, these can be used to create either a 1:1 mapping (if you have
+only a few internal IP addresses) or N:1 mappings, where groups of internal
+addresses map to a single IP address and unless you have enough Internet
+addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
+UDP port numbers.
+
+For an N:1 situation, you might have:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
+
+where if you had 16 addresses available, you could do:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
+
+Or if you wanted to allocate subnets to each IP#, you might do:
+
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
+map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
+map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
+map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
+
+*** NOTE: NAT rules are used on a first-match basis only!
+
+
+Filtering with NAT.
+-------------------
+IP Filter will always translate addresses in a packet _BEFORE_ it checks its
+access list for inbound packets and translates addresses _AFTER_ it has
+checked the access control lists for outbound packets.
+
+For example (using the above NAT rules), if you wanted to prevent all hosts
+in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
+with ipf:
+
+block out on ppp0 from 10.1.2.0/24 to any
+block in on ppp0 from any to 10.1.2.0/24
+
+and use these with ipnat:
+
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
+map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
new file mode 100644
index 0000000..9c26754
--- /dev/null
+++ b/contrib/ipfilter/rules/nat.eg
@@ -0,0 +1,14 @@
+# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
+# port number to something between 10,000 and 20,000 inclusive.  For all other
+# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
+# for each new user.
+#
+map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
+map ed1 10.1.0.0/16 -> 240.1.0.0/24
+#
+# Redirection is triggered for input packets.
+# For example, to redirect FTP connections through this box, to the local ftp
+# port, forcing them to connect through a proxy, you would use:
+#
+rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
+#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
new file mode 100644
index 0000000..285398d
--- /dev/null
+++ b/contrib/ipfilter/rules/pool.conf
@@ -0,0 +1,4 @@
+#
+pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
+	10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
+	10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
new file mode 100644
index 0000000..de0e9bb
--- /dev/null
+++ b/contrib/ipfilter/rules/server
@@ -0,0 +1,11 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks.  le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet.  We're not concerned about filtering individual services
+# or
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in log quick on le0 from any to any
+block in log quick on le1 from 128.1.1.0/24 to any
+pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
new file mode 100644
index 0000000..339a25f
--- /dev/null
+++ b/contrib/ipfilter/rules/tcpstate
@@ -0,0 +1,13 @@
+#
+# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
+# somewhere, waiting for it.
+#
+pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
+block out on le0 proto tcp all
+block in on le0 proto tcp all
+#
+# allow nameserver queries and replies to pass through, but no other UDP
+#
+pass out quick on le0 proto udp from any to any port = 53 keep state
+block out on le0 proto udp all
+block in on le0 proto udp all