From cb8d46a179f2d30ac1cd0a01eb156e1a4c08d717 Mon Sep 17 00:00:00 2001
From: darrenr
Date: Sun, 9 Feb 1997 22:50:16 +0000
Subject: Import IP Filter v3.1.7 into FreeBSD tree

---
 contrib/ipfilter/rules/example.1 | 4 +++
 contrib/ipfilter/rules/example.10 | 12 ++++++++
 contrib/ipfilter/rules/example.11 | 26 +++++++++++++++++
 contrib/ipfilter/rules/example.12 | 17 +++++++++++
 contrib/ipfilter/rules/example.13 | 17 +++++++++++
 contrib/ipfilter/rules/example.2 | 4 +++
 contrib/ipfilter/rules/example.3 | 40 +++++++++++++++++++++++++
 contrib/ipfilter/rules/example.4 | 4 +++
 contrib/ipfilter/rules/example.5 | 25 ++++++++++++++++
 contrib/ipfilter/rules/example.6 | 5 ++++
 contrib/ipfilter/rules/example.7 | 12 ++++++++
 contrib/ipfilter/rules/example.8 | 10 +++++++
 contrib/ipfilter/rules/example.9 | 12 ++++++++
 contrib/ipfilter/rules/example.sr | 61 +++++++++++++++++++++++++++++++++++++++
 contrib/ipfilter/rules/nat.eg | 14 +++++++++
 contrib/ipfilter/rules/server | 11 +++++++
 contrib/ipfilter/rules/tcpstate | 13 +++++++++
 17 files changed, 287 insertions(+)
 create mode 100644 contrib/ipfilter/rules/example.1
 create mode 100644 contrib/ipfilter/rules/example.10
 create mode 100644 contrib/ipfilter/rules/example.11
 create mode 100644 contrib/ipfilter/rules/example.12
 create mode 100644 contrib/ipfilter/rules/example.13
 create mode 100644 contrib/ipfilter/rules/example.2
 create mode 100644 contrib/ipfilter/rules/example.3
 create mode 100644 contrib/ipfilter/rules/example.4
 create mode 100644 contrib/ipfilter/rules/example.5
 create mode 100644 contrib/ipfilter/rules/example.6
 create mode 100644 contrib/ipfilter/rules/example.7
 create mode 100644 contrib/ipfilter/rules/example.8
 create mode 100644 contrib/ipfilter/rules/example.9
 create mode 100644 contrib/ipfilter/rules/example.sr
 create mode 100644 contrib/ipfilter/rules/nat.eg
 create mode 100644 contrib/ipfilter/rules/server
 create mode 100644 contrib/ipfilter/rules/tcpstate
(limited to 'contrib/ipfilter/rules')
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
new file mode 100644
index 0000000..604346e
--- /dev/null
+++ b/contrib/ipfilter/rules/example.1
@@ -0,0 +1,4 @@
+#
+# block all incoming TCP packets on le0 from host "foo" to any destination.
+#
+block in on le0 proto tcp from foo/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
new file mode 100644
index 0000000..477c2e0
--- /dev/null
+++ b/contrib/ipfilter/rules/example.10
@@ -0,0 +1,12 @@
+#
+# pass ack packets (ie established connection)
+#
+pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+#
+# block incoming connection requests to my internal network from the big bad
+# internet.
+#
+block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
+# to block the replies:
+block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
new file mode 100644
index 0000000..7fc26eb
--- /dev/null
+++ b/contrib/ipfilter/rules/example.11
@@ -0,0 +1,26 @@
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass in proto udp from fubar port != 53 to localhost
+#
+# block anything trying to get to X terminal ports, X:0 to X:9
+#
+block in proto tcp from any to any port 5999 >< 6010
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+block in proto tcp/udp all
+pass in proto tcp/udp from any to any port 512 <> 515
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+pass in proto tcp/udp all
+block in proto tcp/udp from any to any port 511 >< 516
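Review bot: The last rule of example.10, `block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA`, names the internal network without the `/16` mask every other rule in the file uses, so it covers only the single address 10.1.0.0 rather than the network the comment describes; it should read `block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA`. The two `flags A/A` rules above also omit the `from`/`to` keywords that every other file in this import writes (`pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A`); if the parser requires them, this file does not load as written. The comment `pass ack packets (ie established connection)` overstates what the match proves — any packet with the ACK bit set matches, whether or not a connection exists — and could say so or point at the `keep state` approach used in rules/tcpstate.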
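Review bot: The two rule pairs in example.11 under the duplicated `allow any connections to be made, except to BSD print/r-services` comment only read correctly once the reader knows that `port 512 <> 515` selects ports outside the range while `port 511 >< 516` selects the ports strictly inside it, and that the later of two matching rules overrides the earlier `block`/`pass ... all`; neither the operators nor the ordering is explained anywhere in the file. A one-line comment before the first pair, `# '<>' matches ports outside the range, '><' ports strictly inside it; a later matching rule overrides an earlier one`, would save the next reader a trip to the manual. The `fubar` and `localhost` names are presumably resolved when the rules are loaded, which is worth stating next to them since the result depends on the resolver at that moment.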
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
new file mode 100644
index 0000000..c0ba1d3
--- /dev/null
+++ b/contrib/ipfilter/rules/example.12
@@ -0,0 +1,17 @@
+#
+# get rid of all short IP fragments (too small for valid comparison)
+#
+block in proto tcp all with short
+#
+# drop and log any IP packets with options set in them.
+#
+block in log all with ipopts
+#
+# log packets with BOTH ssrr and lsrr set
+#
+log in all with opt lsrr,ssrr
+#
+# drop any source routing options
+#
+block in quick all with opt lsrr
+block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
new file mode 100644
index 0000000..df13d0a
--- /dev/null
+++ b/contrib/ipfilter/rules/example.13
@@ -0,0 +1,17 @@
+#
+# Log all short TCP packets to qe3, with "packetlog" as the intended
+# destination for the packet.
+#
+block in to qe3:packetlog proto tcp all with short
+#
+# Log all connection attempts for TCP
+#
+pass in dup-to le0:packetlog proto tcp all flags S/SA
+#
+# Route all UDP packets through transparently.
+#
+pass in fastroute proto udp all
+#
+# Route all ICMP packets to network 10 out through le1, to "router"
+#
+pass in to le1:router proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
new file mode 100644
index 0000000..59d9ec8
--- /dev/null
+++ b/contrib/ipfilter/rules/example.2
@@ -0,0 +1,4 @@
+#
+# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
+#
+block out on le0 proto tcp from any to bar/32 port != 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
new file mode 100644
index 0000000..cd31f73
--- /dev/null
+++ b/contrib/ipfilter/rules/example.3
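Review bot: In example.12 the comment `get rid of all short IP fragments (too small for valid comparison)` does not match the rule beneath it, `block in proto tcp all with short`, which drops short fragments for TCP only; example.sr applies the same check to every protocol with `from any to any with short frag`. Either widen the rule to `block in all with short`, or narrow the comment to `# get rid of all short TCP fragments (too small for valid comparison)` so a reader does not assume UDP and ICMP fragments are covered.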
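Review bot: The last comment in example.13, `Route all ICMP packets to network 10 out through le1, to "router"`, does not match its rule, `pass in to le1:router proto icmp all`, which hands every inbound ICMP packet to the router regardless of destination. If network 10 is meant, the rule should be `pass in to le1:router proto icmp from any to 10.0.0.0/8`; otherwise drop `to network 10` from the comment. The `dup-to le0:packetlog` rule copies every inbound SYN to the logging host, so that host sees connection attempts for everything behind this filter — a comment such as `# packetlog receives a copy of every inbound SYN; keep it on a trusted segment` would make that consequence visible.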
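Review bot: The comment in example.2 says the rule blocks outgoing TCP `to port 23 of host bar`, but the rule uses `port != 23`, which blocks every outbound TCP packet to bar except those to port 23 — the opposite of what is described. One of the two is wrong; if the comment is right, the rule should read `block out on le0 proto tcp from any to bar/32 port = 23`.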
@@ -0,0 +1,40 @@
+#
+# block all inbound packets.
+#
+block in from any to any
+#
+# pass through packets to and from localhost.
+#
+pass in from 127.0.0.1/32 to 127.0.0.1/32
+#
+# allow a variety of individual hosts to send any type of IP packet to any
+# other host.
+#
+pass in from 10.1.3.1/32 to any
+pass in from 10.1.3.2/32 to any
+pass in from 10.1.3.3/32 to any
+pass in from 10.1.3.4/32 to any
+pass in from 10.1.3.5/32 to any
+pass in from 10.1.0.13/32 to any
+pass in from 10.1.1.1/32 to any
+pass in from 10.1.2.1/32 to any
+#
+#
+# block all outbound packets.
+#
+block out from any to any
+#
+# allow any packets destined for localhost out.
+#
+pass out from any to 127.0.0.1/32
+#
+# allow any host to send any IP packet out to a limited number of hosts.
+#
+pass out from any to 10.1.3.1/32
+pass out from any to 10.1.3.2/32
+pass out from any to 10.1.3.3/32
+pass out from any to 10.1.3.4/32
+pass out from any to 10.1.3.5/32
+pass out from any to 10.1.0.13/32
+pass out from any to 10.1.1.1/32
+pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
new file mode 100644
index 0000000..7918ec2
--- /dev/null
+++ b/contrib/ipfilter/rules/example.4
@@ -0,0 +1,4 @@
+#
+# block all ICMP packets.
+#
+block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
new file mode 100644
index 0000000..6e122e0
--- /dev/null
+++ b/contrib/ipfilter/rules/example.5
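Review bot: `pass in from 127.0.0.1/32 to 127.0.0.1/32` in example.3 carries no interface qualifier, so it accepts packets with a loopback source address arriving on any interface, not just the loopback one; since the file otherwise builds an allow-list on top of `block in from any to any`, that is the one gap a packet forged with a loopback source would fit through. Binding the rule to the loopback interface, `pass in on lo0 from 127.0.0.1/32 to 127.0.0.1/32`, keeps the stated intent and closes it. The per-host `pass in from 10.1.3.1/32 to any` rules likewise trust the source address alone, which a comment such as `# source-address trust only; pair with an anti-spoof rule on the outside interface (see rules/server)` would make explicit for anyone copying the example.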
@@ -0,0 +1,25 @@
+#
+# test ruleset
+#
+# allow packets coming from foo to bar through.
+#
+pass from foo to bar
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass proto udp from fubar port != 53 to localhost
+#
+# block all ICMP unreachables.
+#
+block from any to any icmp unreach
+#
+# allow packets through which have a non-standard IP header length (ie there
+# are IP options such as source-routing present).
+#
+pass from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
new file mode 100644
index 0000000..d40f0f3
--- /dev/null
+++ b/contrib/ipfilter/rules/example.6
@@ -0,0 +1,5 @@
+#
+# block all TCP packets with only the SYN flag set (this is the first
+# packet sent to establish a connection) out of the SYN-ACK pair.
+#
+block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
new file mode 100644
index 0000000..062de98
--- /dev/null
+++ b/contrib/ipfilter/rules/example.7
@@ -0,0 +1,12 @@
+# block all ICMP packets.
+#
+block in proto icmp all
+#
+# allow in ICMP echos and echo-replies.
+#
+pass in on le1 proto icmp from any to any icmp-type echo
+pass in on le1 proto icmp from any to any icmp-type echorep
+#
+# block all ICMP destination unreachable packets which are port-unreachables
+#
+block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
new file mode 100644
index 0000000..baa0258
--- /dev/null
+++ b/contrib/ipfilter/rules/example.8
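Review bot: `block from any to any icmp unreach` in example.5 spells the ICMP type match differently from every other file in this import, which writes `proto icmp from any to any icmp-type unreach` (example.7, example.sr); if the parser does not accept the short form, the rule fails to load and the file loses its only block. The closing `pass from any to any with ipopts` is also the last rule in the file, so under last-match ordering an ICMP unreachable that carries IP options matches both it and the block above and is passed; the `test ruleset` header should say that is deliberate, or the ipopts rule should move above the block.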
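Review bot: The final rule of example.7, `block in on le1 proto icmp from any to any icmp-type unreach code 3`, cannot change any verdict: `block in proto icmp all` at the top already drops every ICMP packet on every interface, and the only rules between them pass echo and echo-reply, so a port-unreachable is blocked with or without it. Either the first rule is meant to be narrower (then its comment `block all ICMP packets` is the thing to fix) or the last rule exists only to illustrate the `code 3` syntax, in which case the comment should say `# (already covered by the block above; shown for the icmp-type/code syntax)`.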
@@ -0,0 +1,10 @@
+#
+# block all incoming TCP connections but send back a TCP-RST for ones to
+# the ident port
+#
+block in proto tcp from any to any flags S/SA
+block return-rst in quick proto tcp from any to any port = 113 flags S/SA
+#
+# block all inbound UDP packets and send back an ICMP error.
+#
+block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
new file mode 100644
index 0000000..77968f8
--- /dev/null
+++ b/contrib/ipfilter/rules/example.9
@@ -0,0 +1,12 @@
+#
+# drop all packets without IP security options
+#
+block in all
+pass in all with opt sec
+#
+# only allow packets in and out on le0 which are top secret
+#
+block out on le1 all
+pass out on le1 all with opt sec-class topsecret
+block in on le1 all
+pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
new file mode 100644
index 0000000..c4c1994
--- /dev/null
+++ b/contrib/ipfilter/rules/example.sr
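Review bot: `block return-icmp in proto udp from any to any` in example.8 answers every inbound UDP packet from any source with an ICMP error, which makes the filter reply to traffic whose source address it has not verified and tells the sender which ports are filtered; the example gives no hint that this is a trade-off. A comment such as `# return-icmp replies to unverified sources; in production restrict this to known networks or drop silently` above the rule, and an `on <iface>` qualifier (constructed placeholder) as the TCP rules in other examples use, would make the cost clear without changing what the example demonstrates.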
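Review bot: The comment in example.9, `only allow packets in and out on le0 which are top secret`, names le0, but all four rules beneath it are `on le1`, so either the comment or the interface in the rules is wrong. Since the `block in all` / `pass in all with opt sec` pair above already covers every interface, the le1 rules look intentional and the comment should read `# only allow packets in and out on le1 which are top secret`.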
@@ -0,0 +1,61 @@
+#
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on. This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+# had IP options present, this rule and the above would cause it
+# to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
new file mode 100644
index 0000000..9c26754
--- /dev/null
+++ b/contrib/ipfilter/rules/nat.eg
@@ -0,0 +1,14 @@
+# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
+# port number to something between 10,000 and 20,000 inclusive. For all other
+# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
+# for each new user.
+#
+map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
+map ed1 10.1.0.0/16 -> 240.1.0.0/24
+#
+# Redirection is triggered for input packets.
+# For example, to redirect FTP connections through this box, to the local ftp
+# port, forcing them to connect through a proxy, you would use:
+#
+rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
+#
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
new file mode 100644
index 0000000..5eafc7c
--- /dev/null
+++ b/contrib/ipfilter/rules/server
@@ -0,0 +1,11 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services
+# or
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.1.0/24 to any
+pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
new file mode 100644
index 0000000..339a25f
--- /dev/null
+++ b/contrib/ipfilter/rules/tcpstate
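Review bot: In example.sr the four `pass in quick` rules for 10.1.3.2 and 10.1.0.13 sit above `block in quick on le0 from any to any with ipopts`, so an inbound packet carrying IP options — the source-routed case the earlier `log ... with ipopts` rule is there to catch — that names one of those two hosts is accepted before the option check is reached, and it also never meets the per-subnet `block` rules further down. Moving the `with ipopts` block (it is already `quick`) above the host pass rules keeps every other rule's behaviour and closes that path; the `with short frag` rule at the top is already placed correctly. The comment `quickly allow any packets to/from a particular pair of hosts` should then also say that these hosts bypass the subnet blocks below, since that is the effect of `quick` here.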
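Review bot: The anti-spoofing rule in rules/server, `block in quick log on le1 from 128.1.1.0/24 to any`, does not protect the leaf subnet the header describes: the comment places 128.1.40.0/24 on le0, so the packets to reject on le1 are those claiming a 128.1.40.x source, `block in quick log on le1 from 128.1.40.0/24 to any`; as written, such packets fall through to `pass in quick on le1 from any to any`, unless 128.1.1.0/24 is a subnet the comment omits. The header comment also breaks off mid-sentence at `We're not concerned about filtering individual services or` and should be completed or trimmed to `We're not concerned about filtering individual services.`.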
@@ -0,0 +1,13 @@
+#
+# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
+# somewhere, waiting for it.
+#
+pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
+block out on le0 proto tcp all
+block in on le0 proto tcp all
+#
+# allow nameserver queries and replies to pass through, but no other UDP
+#
+pass out quick on le0 proto udp from any to any port = 53 keep state
+block out on le0 proto udp all
+block in on le0 proto udp all
-- 
cgit v1.1
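Review bot: The comment in rules/tcpstate, `Only allow TCP packets in/out of le0 if there is an outgoing connection setup somewhere, waiting for it`, is hard to follow, while the rules themselves are simple: the outbound SYN (`flags S/SAFR`) is passed and recorded with `keep state`, and every other TCP packet in either direction is blocked, so only traffic that the state table recognises gets through. Rewording it to `# Only allow TCP on le0 for connections started from inside: the outbound SYN creates a state entry, and every TCP packet not matching a state entry is blocked` says that directly. The UDP pair below is the same pattern for DNS and its comment already reads that way.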