authorjkh <jkh@FreeBSD.org>1994-10-28 15:17:23 +0000
committerjkh <jkh@FreeBSD.org>1994-10-28 15:17:23 +0000
commit4cdf6c2084c41877c4045d1e7ad2b3071c743478 (patch)
tree73b9db5fc87338ec74b2d2c117ea0c72dcdd736f /share/misc
parenta90bff7c68e0db0d419498c7fea9fbb682da2531 (diff)
Add sample stuff for the ipfw(1) utility.
Diffstat (limited to 'share/misc')
-rw-r--r--share/misc/ipfw.samp.filters94
-rw-r--r--share/misc/ipfw.samp.scripts18
2 files changed, 112 insertions, 0 deletions
diff --git a/share/misc/ipfw.samp.filters b/share/misc/ipfw.samp.filters
new file mode 100644
index 0000000..4f5a81a
--- /dev/null
+++ b/share/misc/ipfw.samp.filters
@@ -0,0 +1,94 @@
+# A bit of background is needed here.
+#
+# - nahanni is the name of my machine on my local ethernet. My local
+# network is a subnet of a class C network. This subnet has 29 bits for
+# for the network address and 3 bits for the host address. Consequently,
+# "nahanni/29" matches anything on my local network.
+#
+# - avalon is a (pseudonym) for a machine out on the internet that I trust
+# completely.
+#
+# - zona is the name of my end of the ppp link to my old place of work.
+# This name corresponds to an IP address on their class C network.
+# Consequently, "zona/24" matches any IP address on their network.
+#
+# - xnahanni is my end of my ppp link to the university (i.e. the Internet).
+#
+# - dab-nahanni is my end of the ppp link to my new place of work. They
+# have a class B network so "dab-nahanni/16" matches any IP address on
+# their network.
+
+# Start from scratch.
+
+ipfirewall flush
+
+# Basic accept filters to provide local sanity.
+# These are the IP addresses of the interfaces on my local machine.
+# The first is an ethernet interface. The rest are ppp interfaces.
+
+ipfirewall addb accept all from nahanni to 0/0
+ipfirewall addb accept all from xnahanni to 0/0
+# handled below: ipfirewall addb accept all from zona to 0/0
+# handled below: ipfirewall addb accept all from dab-nahanni to 0/0
+
+# Trust my local network.
+
+ipfirewall addb accept all from nahanni/29 to 0/0
+
+# Allow anything from avalon.
+
+ipfirewall addb accept all from avalon to 0/0
+
+# Allow anything from our old work (they have a class C network so /24 is appropriate).
+# This also allows anything from zona (our end of the work ppp link).
+
+ipfirewall addb accept all from zona/24 to 0/0
+
+# Allow anything from the new work (and from our end of the ppp link to the
+# new place of work).
+
+ipfirewall addb accept all from dab-nahanni/16 to 0/0
+
+# Allow me to contact any external UDP service and others to contact a few
+# of my special udp services.
+
+ipfirewall addb accept udp from 0/0 to 0/0 900:5000 domain bootp talk ntalk route
+
+# Allow me to contact other services available on untrusted hosts.
+# This one is a bit tricky. We allow packets from any foreign port number
+# to any local port in the range 900 to 5000. When we are outbound, privileged
+# applications use port numbers slightly less than 1024 and normal applications
+# allow the local port number to be set by the system (which always picks
+# port numbers in the range 1024 to 5000.
+# The only services that we offer are for port numbers either below 900
+# or over 5000.
+#
+# This approach theoretically allows outsiders to connect to any services
+# that we may offer in the 900:5000 range. The /etc/services file lists
+# couple of services in this range (in my humble opinion, this is a bug
+# in the /etc/services file). Since we don't run any of these services,
+# allowing outsiders to connect to services in this range doesn't constitute
+# a security hole.
+
+ipfirewall addb accept tcp from 0/0 to 0/0 900:5000
+
+# Allow others to contact X-servers on my local network.
+# Depend on xhosts to protect things.
+
+ipfirewall addb accept tcp from 0/0 to nahanni/29 6000
+
+# Allow others to connect to a few basic services.
+# We don't actually run the auth service. Allowing it means that others
+# get a "connection refused" which is better than the total silence that
+# they get if we block it. Also, I've noticed a few sites try to connect
+# to it when I send them e-mail. Might as well be polite ...
+#
+# Note that I don't accept packets destined for sendmail. I send my e-mail
+# via the Internet but I receive my e-mail via uucp. If you get your e-mail
+# via the Internet then you'll have to add smtp to the list of ports to allow.
+
+ipfirewall addb accept tcp from 0/0 to 0/0 daytime time nameserver auth
+
+# Allow icmp stuff from anywhere (this isn't described in the README - sorry).
+
+ipfirewall addb accept icmp from 0/0 to 0/0
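Review bot: The accept rules for `nahanni`, `xnahanni`, `nahanni/29`, `avalon`, `zona/24` and `dab-nahanni/16` grant full access on the source address alone, and nothing in the file ties an address to the link it is expected to arrive on, so a packet forged with one of those addresses is accepted by the first matching rule regardless of where it came in; the comment block at the top should say so, e.g. `# NOTE: these accept rules trust the source address only; a forged packet claiming one of these addresses is accepted too.`. The long justification for `accept tcp from 0/0 to 0/0 900:5000` rests on the claim that no service listens in that range, which silently stops being true the moment one is started; a one-line reminder next to the rule, `# Revisit this rule before starting any service on a port in 900:5000.`, keeps the assumption visible. The file never states what happens to packets matching no rule after the `flush`; if the intent is an implicit deny, say so at the top rather than leaving it to the reader. Two small comment slips: "for for" in the subnet description and the unclosed parenthesis after "range 1024 to 5000".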
diff --git a/share/misc/ipfw.samp.scripts b/share/misc/ipfw.samp.scripts
new file mode 100644
index 0000000..0a78a2d
--- /dev/null
+++ b/share/misc/ipfw.samp.scripts
@@ -0,0 +1,18 @@
+# This file shows how we allow and deny users in runtime
+#
+# Default settings...They deny anybody , which connected to our
+# PPP lines,to access any host on our development network:
+# 192.114.207.*
+ipfirewall addf deny all from 192.114.201.231 to 192.114.208.0/24
+ipfirewall addf deny all from 192.114.201.232 to 192.114.208.0/24
+.....
+ipfirewall addf deny all from 192.114.201.238 to 192.114.208.0/24
+# VIP Login: this option executes when user VIP enters the system.
+# His IP is $VIPIP,which is one of our dial-up lines,for example
+# 192.114.201.233
+ipfirewall delf deny all from $VIPIP to 192.114.208.0/24
+
+# VIP Logout: the guy leaves the system...
+ipfirewall addf deny all from $VIPIP to 192.114.208.0/24
+
+#Thats all folks...
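Review bot: The comment describes the development network as `192.114.207.*` while every `deny` rule below targets `192.114.208.0/24`; one of the two is wrong and a reader copying the sample cannot tell which, so either the comment should read `# 192.114.208.*` or the rules should use the `.207` network. The bare `.....` line is an ellipsis standing in for the remaining dial-up addresses, but as written it is a command if this file is ever fed to a shell verbatim; make it a comment, `# ... one deny rule per dial-up line, .233 through .237 ...`. The logout step is the only thing that re-installs the deny for `$VIPIP`, so a session that ends without the logout hook running (dropped line, crash) leaves that dial-up address open for whoever is assigned it next; the comment should note that the same `addf deny` must also be issued by whatever cleans up abandoned sessions.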