diff options
Diffstat (limited to 'contrib/ipfilter/rules/example.sr')
| -rw-r--r-- | contrib/ipfilter/rules/example.sr | 61 |
1 files changed, 0 insertions, 61 deletions
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr deleted file mode 100644 index c4c1994..0000000 --- a/contrib/ipfilter/rules/example.sr +++ /dev/null @@ -1,61 +0,0 @@ -# -# log all inbound packet on le0 which has IP options present -# -log in on le0 from any to any with ipopts -# -# block any inbound packets on le0 which are fragmented and "too short" to -# do any meaningful comparison on. This actually only applies to TCP -# packets which can be missing the flags/ports (depending on which part -# of the fragment you see). -# -block in log quick on le0 from any to any with short frag -# -# log all inbound TCP packets with the SYN flag (only) set -# (NOTE: if it were an inbound TCP packet with the SYN flag set and it -# had IP options present, this rule and the above would cause it -# to be logged twice). -# -log in on le0 proto tcp from any to any flags S/SA -# -# block and log any inbound ICMP unreachables -# -block in log on le0 proto icmp from any to any icmp-type unreach -# -# block and log any inbound UDP packets on le0 which are going to port 2049 -# (the NFS port). -# -block in log on le0 proto udp from any to any port = 2049 -# -# quickly allow any packets to/from a particular pair of hosts -# -pass in quick from any to 10.1.3.2/32 -pass in quick from any to 10.1.0.13/32 -pass in quick from 10.1.3.2/32 to any -pass in quick from 10.1.0.13/32 to any -# -# block (and stop matching) any packet with IP options present. -# -block in quick on le0 from any to any with ipopts -# -# allow any packet through -# -pass in from any to any -# -# block any inbound UDP packets destined for these subnets. -# -block in on le0 proto udp from any to 10.1.3.0/24 -block in on le0 proto udp from any to 10.1.1.0/24 -block in on le0 proto udp from any to 10.1.2.0/24 -# -# block any inbound TCP packets with only the SYN flag set that are -# destined for these subnets. -# -block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA -block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA -block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA -# -# block any inbound ICMP packets destined for these subnets. -# -block in on le0 proto icmp from any to 10.1.3.0/24 -block in on le0 proto icmp from any to 10.1.1.0/24 -block in on le0 proto icmp from any to 10.1.2.0/24 |
