summaryrefslogtreecommitdiff
path: root/share/ipf/example.14
diff options
context:
space:
mode:
authordm <dm@cvs.openbsd.org>1996-07-18 05:57:25 +0000
committerdm <dm@cvs.openbsd.org>1996-07-18 05:57:25 +0000
commit32c1571b6340f34ac25cc12f7bbac65dd8209b45 (patch)
treebf257b3cd4eadd635f5ee6cf370dcbe9e2b2ba20 /share/ipf/example.14
parent855450577164de85ddee7341a7ed13c7073882ca (diff)
added my two firewall examples, plus the stuff from the distribution
Diffstat (limited to 'share/ipf/example.14')
-rw-r--r--share/ipf/example.1469
1 files changed, 60 insertions, 9 deletions
diff --git a/share/ipf/example.14 b/share/ipf/example.14
index a7120527a28..c4c1994030b 100644
--- a/share/ipf/example.14
+++ b/share/ipf/example.14
@@ -1,10 +1,61 @@
#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services.
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.40.0/24 to any
-pass in quick on le1 from any to any
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on. This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+# had IP options present, this rule and the above would cause it
+# to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24