From 115d008392113efc6f844baa7cc407e9eaae63db Mon Sep 17 00:00:00 2001 
From: ngie
Date: Mon, 5 Oct 2015 03:25:30 +0000
Subject: Remove some paths preparing for a re-copy from head
---
contrib/ipfilter/rules/BASIC.NAT | 46 ------------------
contrib/ipfilter/rules/BASIC_1.FW | 99 ---------------------------------------
contrib/ipfilter/rules/BASIC_2.FW | 72 ----------------------------
contrib/ipfilter/rules/example.1 | 4 --
contrib/ipfilter/rules/example.10 | 12 -----
contrib/ipfilter/rules/example.11 | 26 ----------
contrib/ipfilter/rules/example.12 | 17 -------
contrib/ipfilter/rules/example.13 | 17 -------
contrib/ipfilter/rules/example.2 | 5 --
contrib/ipfilter/rules/example.3 | 40 ----------------
contrib/ipfilter/rules/example.4 | 4 --
contrib/ipfilter/rules/example.5 | 25 ----------
contrib/ipfilter/rules/example.6 | 5 --
contrib/ipfilter/rules/example.7 | 12 -----
contrib/ipfilter/rules/example.8 | 10 ----
contrib/ipfilter/rules/example.9 | 12 -----
contrib/ipfilter/rules/example.sr | 61 ------------------------
contrib/ipfilter/rules/firewall | 39 ---------------
contrib/ipfilter/rules/ftp-proxy | 45 ------------------
contrib/ipfilter/rules/ftppxy | 6 ---
contrib/ipfilter/rules/ip_rules | 3 --
contrib/ipfilter/rules/ipmon.conf | 25 ----------
contrib/ipfilter/rules/nat-setup | 77 ------------------------------
contrib/ipfilter/rules/nat.eg | 14 ------
contrib/ipfilter/rules/pool.conf | 4 --
contrib/ipfilter/rules/server | 11 -----
contrib/ipfilter/rules/tcpstate | 13 -----
27 files changed, 704 deletions(-)
delete mode 100644 contrib/ipfilter/rules/BASIC.NAT
delete mode 100644 contrib/ipfilter/rules/BASIC_1.FW
delete mode 100644 contrib/ipfilter/rules/BASIC_2.FW
delete mode 100644 contrib/ipfilter/rules/example.1
delete mode 100644 contrib/ipfilter/rules/example.10
delete mode 100644 contrib/ipfilter/rules/example.11
delete mode 100644 contrib/ipfilter/rules/example.12
delete mode 100644 contrib/ipfilter/rules/example.13
delete mode 100644 contrib/ipfilter/rules/example.2
delete mode 100644 contrib/ipfilter/rules/example.3
delete mode 100644 contrib/ipfilter/rules/example.4
delete mode 100644 contrib/ipfilter/rules/example.5
delete mode 100644 contrib/ipfilter/rules/example.6
delete mode 100644 contrib/ipfilter/rules/example.7
delete mode 100644 contrib/ipfilter/rules/example.8
delete mode 100644 contrib/ipfilter/rules/example.9
delete mode 100644 contrib/ipfilter/rules/example.sr
delete mode 100644 contrib/ipfilter/rules/firewall
delete mode 100644 contrib/ipfilter/rules/ftp-proxy
delete mode 100755 contrib/ipfilter/rules/ftppxy
delete mode 100644 contrib/ipfilter/rules/ip_rules
delete mode 100644 contrib/ipfilter/rules/ipmon.conf
delete mode 100644 contrib/ipfilter/rules/nat-setup
delete mode 100644 contrib/ipfilter/rules/nat.eg
delete mode 100644 contrib/ipfilter/rules/pool.conf
delete mode 100644 contrib/ipfilter/rules/server
delete mode 100644 contrib/ipfilter/rules/tcpstate
(limited to 'contrib/ipfilter/rules')
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
deleted file mode 100644
index 213e338..0000000
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
-# For normal TCP/UDP and other IP protocols
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
deleted file mode 100644
index 642dde0..0000000
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
deleted file mode 100644
index 1d4fd73..0000000
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
deleted file mode 100644
index ff93f49..0000000
--- a/contrib/ipfilter/rules/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
deleted file mode 100644
index 560d1e6..0000000
--- a/contrib/ipfilter/rules/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
deleted file mode 100644
index c6b4e7f..0000000
--- a/contrib/ipfilter/rules/example.11
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
deleted file mode 100644
index c0ba1d3..0000000
--- a/contrib/ipfilter/rules/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
deleted file mode 100644
index 854f07f..0000000
--- a/contrib/ipfilter/rules/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
deleted file mode 100644
index 4f81725..0000000
--- a/contrib/ipfilter/rules/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
deleted file mode 100644
index cd31f73..0000000
--- a/contrib/ipfilter/rules/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
deleted file mode 100644
index 7918ec2..0000000
--- a/contrib/ipfilter/rules/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
deleted file mode 100644
index 6d688b5..0000000
--- a/contrib/ipfilter/rules/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo to bar through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
deleted file mode 100644
index d40f0f3..0000000
--- a/contrib/ipfilter/rules/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
deleted file mode 100644
index 062de98..0000000
--- a/contrib/ipfilter/rules/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
deleted file mode 100644
index baa0258..0000000
--- a/contrib/ipfilter/rules/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
deleted file mode 100644
index daff203..0000000
--- a/contrib/ipfilter/rules/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le1 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
deleted file mode 100644
index c4c1994..0000000
--- a/contrib/ipfilter/rules/example.sr
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
deleted file mode 100644
index f26b715..0000000
--- a/contrib/ipfilter/rules/firewall
+++ /dev/null
@@ -1,39 +0,0 @@
-Configuring IP Filter for firewall usage.
-=========================================
-
-Step 1 - Block out "bad" IP packets.
-------------------------------------
-
-Run the perl script "mkfilters". This will generate a list of blocking
-rules which:
- a) blocks all packets which might belong to an IP Spoofing attack;
- b) blocks all packets with IP options;
- c) blocks all packets which have a length which is too short for
- any legal packet;
-
-Step 2 - Convert Network Security Policy to filter rules.
----------------------------------------------------------
-
-Draw up a list of which services you want to allow users to use on the
-Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
-want each host that is part of your firewall to be allowed to do, including
-communication with internal hosts.
-
-Step 3 - Create TCP "keep state" rules.
----------------------------------------
-
-For each service that uses TCP, create a rule as follows:
-
-pass in on proto tcp from to any port flags S/SA keep state
-
-where
-* "int-a" is the internal interface of the firewall. That is, it is the
- closest to your internal network in terms of network hops.
-
-* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
-
-* "ext-service" is the service to which you wish to connect or if it doesn't
- have a proper name, a number can be used. The translation of "ext-service"
- as a name to a number is controlled with the /etc/services file.
-
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
deleted file mode 100644
index ad2f717..0000000
--- a/contrib/ipfilter/rules/ftp-proxy
+++ /dev/null
@@ -1,45 +0,0 @@
-How to setup FTP proxying using the built in proxy code.
-========================================================
-
-NOTE: Currently, the built-in FTP proxy is only available for use with NAT
- (i.e. only if you're already using "map" rules with ipnat). It does
- support null-NAT mappings, that is, using the proxy without changing
- the addresses.
-
-Lets assume your network diagram looks something like this:
-
-
-[host A]
- |a
----+-------------+----------
- |b
- [host B]
- |c
----+-------------+----------
- |d
-[host C]
-
-and IP Filter is running on host B. If you want to proxy FTP from A to C
-then you would do:
-
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
-
-int-c = name of "interface c"
-ipaddr-a = ip# of interface a
-ipaddr-c-net = another ip# on the C-network (usually not the same as the
-interface).
-
-e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
-which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
-203.45.67.90, you would do:
-
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
-
-where:
-ipaddr-a = 10.1.1.1
-int-c = vx0
-ipaddr-c-net = 203.45.67.91
-
-The "map" rule for this proxy should precede any other NAT rules you are
-using.
-
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
deleted file mode 100755
index 2c42c52..0000000
--- a/contrib/ipfilter/rules/ftppxy
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# The proxy bit is as follows:
-# proxy [port ] /
-# the should match a tagname in the proxy table, as does the protocol.
-# this format isn't finalised yet
-echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
deleted file mode 100644
index 9850f16..0000000
--- a/contrib/ipfilter/rules/ip_rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Used to generate ../ip_rules.c and ../ip_rules.h
-pass in all
-pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
deleted file mode 100644
index 652afce..0000000
--- a/contrib/ipfilter/rules/ipmon.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-#
-#
-#
-match { logtag = 10000; }
-do { execute("/usr/bin/mail -s 'logtag 10000' root"); };
-#
-match { logtag = 2000, every 10 seconds; }
-do { execute("echo 'XXXXXXXX tag 2000 packet XXXXXXXX'"); };
-#
-match { protocol = udp, result = block; }
-do { file("file:///var/log/udp-block"); };
-#
-match { protocol = tcp, result = block, dstport = 25; }
-do { syslog("local0.info"), syslog("local1."), syslog(".warn"); };
-#
-match { srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
-do { execute("/usr/bin/mail -s 'from 10.1 to 192.168.1' root"); };
-
-#
-match {
- rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24; }
-do { nothing; };
-#
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
deleted file mode 100644
index b10e8f1..0000000
--- a/contrib/ipfilter/rules/nat-setup
+++ /dev/null
@@ -1,77 +0,0 @@
-Configuring NAT on your network.
-================================
-
-To start setting up NAT, we need to define which is your "internal" interface
-and which is your "external" interface. The "internal" interface is the
-network adapter connected to the network with private IP addresses which
-you need to change for communicating on the Internet. The "external"
-interface is configured with a valid internet address.
-
-For example, your internal interface might have an IP# of 10.1.1.1 and be
-connected to your ethernet, whilst your external interface might be a PPP
-connection with an IP number of 204.51.62.176.
-
-Thus your network might look like this:
-
-
- [pc] [pc]
- | |
-+-+---------+------+
- |
- [firewall]
- |
- |
- Internet
-
-
-
-Writing the map-rule.
----------------------
-When you're connected to the Internet, you will either have a block of IP
-addresses assigned to you, maybe several different blocks, or you use a
-single IP address, i.e. with dialup PPP. If you have a block of addresses
-assigned, these can be used to create either a 1:1 mapping (if you have
-only a few internal IP addresses) or N:1 mappings, where groups of internal
-addresses map to a single IP address and unless you have enough Internet
-addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
-UDP port numbers.
-
-For an N:1 situation, you might have:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
-
-where if you had 16 addresses available, you could do:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
-
-Or if you wanted to allocate subnets to each IP#, you might do:
-
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
-
-*** NOTE: NAT rules are used on a first-match basis only!
-
-
-Filtering with NAT.
--------------------
-IP Filter will always translate addresses in a packet _BEFORE_ it checks its
-access list for inbound packets and translates addresses _AFTER_ it has
-checked the access control lists for outbound packets.
-
-For example (using the above NAT rules), if you wanted to prevent all hosts
-in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
-with ipf:
-
-block out on ppp0 from 10.1.2.0/24 to any
-block in on ppp0 from any to 10.1.2.0/24
-
-and use these with ipnat:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
deleted file mode 100644
index 9c26754..0000000
--- a/contrib/ipfilter/rules/nat.eg
+++ /dev/null
@@ -1,14 +0,0 @@
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
deleted file mode 100644
index 285398d..0000000
--- a/contrib/ipfilter/rules/pool.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
- 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
- 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
deleted file mode 100644
index de0e9bb..0000000
--- a/contrib/ipfilter/rules/server
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
deleted file mode 100644
index 339a25f..0000000
--- a/contrib/ipfilter/rules/tcpstate
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all
--
cgit v1.1