diff options
Diffstat (limited to 'contrib/ipfilter/rules/tcpstate')
| -rw-r--r-- | contrib/ipfilter/rules/tcpstate | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate new file mode 100644 index 0000000..339a25f --- /dev/null +++ b/contrib/ipfilter/rules/tcpstate @@ -0,0 +1,13 @@ +# +# Only allow TCP packets in/out of le0 if there is an outgoing connection setup +# somewhere, waiting for it. +# +pass out quick on le0 proto tcp from any to any flags S/SAFR keep state +block out on le0 proto tcp all +block in on le0 proto tcp all +# +# allow nameserver queries and replies to pass through, but no other UDP +# +pass out quick on le0 proto udp from any to any port = 53 keep state +block out on le0 proto udp all +block in on le0 proto udp all |
