Diffstat (limited to 'contrib/ipfilter/rules')
-rw-r--r-- | contrib/ipfilter/rules/.cvsignore | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.1 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.10 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.11 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.12 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.13 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.2 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.3 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.4 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.5 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.6 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.7 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.8 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.9 | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.sr | 1 | ||||
-rw-r--r-- | contrib/ipfilter/rules/ip_rules | 3 | ||||
-rw-r--r-- | contrib/ipfilter/rules/ipmon.conf | 24 | ||||
-rw-r--r-- | contrib/ipfilter/rules/pool.conf | 4 |
18 files changed, 46 insertions, 0 deletions
diff --git a/contrib/ipfilter/rules/.cvsignore b/contrib/ipfilter/rules/.cvsignore
new file mode 100644
index 0000000..3e75765
--- /dev/null
+++ b/contrib/ipfilter/rules/.cvsignore
@@ -0,0 +1 @@
+new
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
index ff93f49..3da9f3c 100644
--- a/contrib/ipfilter/rules/example.1
+++ b/contrib/ipfilter/rules/example.1
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
 #
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
index 560d1e6..f7a0b01 100644
--- a/contrib/ipfilter/rules/example.10
+++ b/contrib/ipfilter/rules/example.10
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # pass ack packets (ie established connection)
 #
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
index c6b4e7f..1cefa9a 100644
--- a/contrib/ipfilter/rules/example.11
+++ b/contrib/ipfilter/rules/example.11
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
index c0ba1d3..6dbaef5 100644
--- a/contrib/ipfilter/rules/example.12
+++ b/contrib/ipfilter/rules/example.12
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # get rid of all short IP fragments (too small for valid comparison)
 #
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
index 854f07f..ca74114 100644
--- a/contrib/ipfilter/rules/example.13
+++ b/contrib/ipfilter/rules/example.13
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # Log all short TCP packets to qe3, with 10.3.3.3 as the intended
 # destination for the packet.
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
index 4f81725..81e7d25 100644
--- a/contrib/ipfilter/rules/example.2
+++ b/contrib/ipfilter/rules/example.2
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all outgoing TCP packets on le0 from any host to port 23 of
 # host 10.1.1.2
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
index cd31f73..c5b4344 100644
--- a/contrib/ipfilter/rules/example.3
+++ b/contrib/ipfilter/rules/example.3
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all inbound packets.
 #
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
index 7918ec2..f18dcdd 100644
--- a/contrib/ipfilter/rules/example.4
+++ b/contrib/ipfilter/rules/example.4
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all ICMP packets.
 #
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
index 6d688b5..959dfb8 100644
--- a/contrib/ipfilter/rules/example.5
+++ b/contrib/ipfilter/rules/example.5
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # test ruleset
 #
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
index d40f0f3..e9ce23a 100644
--- a/contrib/ipfilter/rules/example.6
+++ b/contrib/ipfilter/rules/example.6
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all TCP packets with only the SYN flag set (this is the first
 # packet sent to establish a connection) out of the SYN-ACK pair.
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
index 062de98..0ddd7f7 100644
--- a/contrib/ipfilter/rules/example.7
+++ b/contrib/ipfilter/rules/example.7
@@ -1,3 +1,4 @@
+# $FreeBSD$
 # block all ICMP packets.
 #
 block in proto icmp all
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
index baa0258..2276b52 100644
--- a/contrib/ipfilter/rules/example.8
+++ b/contrib/ipfilter/rules/example.8
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # block all incoming TCP connections but send back a TCP-RST for ones to
 # the ident port
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
index daff203..50bb46a 100644
--- a/contrib/ipfilter/rules/example.9
+++ b/contrib/ipfilter/rules/example.9
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # drop all packets without IP security options
 #
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
index c4c1994..46fb6f1 100644
--- a/contrib/ipfilter/rules/example.sr
+++ b/contrib/ipfilter/rules/example.sr
@@ -1,3 +1,4 @@
+# $FreeBSD$
 #
 # log all inbound packet on le0 which has IP options present
 #
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
new file mode 100644
index 0000000..9850f16
--- /dev/null
+++ b/contrib/ipfilter/rules/ip_rules
@@ -0,0 +1,3 @@
+# Used to generate ../ip_rules.c and ../ip_rules.h
+pass in all
+pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
new file mode 100644
index 0000000..47b0146
--- /dev/null
+++ b/contrib/ipfilter/rules/ipmon.conf
@@ -0,0 +1,24 @@
+#
+#
+#
+#
+match { logtag = 10000 }
+ do { execute "/usr/bin/mail -s 'logtag 10000' root" };
+match { logtag = 2000, every 10 seconds }
+ do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
+#
+match { protocol = udp, result = block }
+ do { execute "/usr/bin/mail -s 'blocked udp' root"
+};
+#
+match {
+ srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
+ do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
+};
+#
+match {
+ rule = 12, logtag = 101, direction = in, result = block,
+ protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
+ do { execute "run shell command"
+};
+#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
new file mode 100644
index 0000000..285398d
--- /dev/null
+++ b/contrib/ipfilter/rules/pool.conf
@@ -0,0 +1,4 @@
+#
+pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
+ 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
+ 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 }; |
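Review bot: The header comment in the new ip_rules file says what consumes it (`../ip_rules.c` and `../ip_rules.h`) but not what policy the two rules express, and `pass in all` / `pass out all` is a permit-everything ruleset. If, as the comment suggests, this becomes the ruleset compiled into the code, a reader checking the generated files later will want that stated where the rules live. Suggest extending the first line to `# Used to generate ../ip_rules.c and ../ip_rules.h (built-in ruleset: passes all traffic)`, adjusted if the generated rules are used differently than I am inferring.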
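Review bot: In the new ipmon.conf only the `logtag = 2000` match is throttled with `every 10 seconds`; the other four `execute` actions carry no `every` clause, so they presumably run once per matching log record, which for the `/usr/bin/mail` actions means one process and one mail per record during a burst of matching packets. Since this ships as a sample configuration, the four empty `#` lines at the top should say so rather than stay blank, e.g. `# Example ipmon.conf: an execute action without an 'every' clause runs once per matching log record; use 'every' to rate-limit.` The last rule's `execute "run shell command"` is a placeholder rather than a runnable command and should be labelled, e.g. `# placeholder, not a real command` on the line above it.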
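Review bot: In the new pool.conf the excluded range `!10.1.2.0 - 10.2.2.255` ends outside the 10.1.x.x space that every other entry in the pool uses, so it reads as a typo for `10.1.2.255`, though it may be deliberate test data for overlapping include/exclude ranges. The file's only comment line is an empty `#`, which leaves a reader no way to tell. Suggest replacing it with a statement of intent, e.g. `# Example address pool: overlapping ranges, '!' marks an excluded range` (and correcting the bound if it is indeed a typo).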