diff options
author | dm <dm@cvs.openbsd.org> | 1996-07-18 05:57:25 +0000 |
---|---|---|
committer | dm <dm@cvs.openbsd.org> | 1996-07-18 05:57:25 +0000 |
commit | 32c1571b6340f34ac25cc12f7bbac65dd8209b45 (patch) | |
tree | bf257b3cd4eadd635f5ee6cf370dcbe9e2b2ba20 /share/ipf/example.14 | |
parent | 855450577164de85ddee7341a7ed13c7073882ca (diff) |
added my two firewall examples, plus the stuff from the distribution
Diffstat (limited to 'share/ipf/example.14')
-rw-r--r-- | share/ipf/example.14 | 69 |
1 files changed, 60 insertions, 9 deletions
diff --git a/share/ipf/example.14 b/share/ipf/example.14 index a7120527a28..c4c1994030b 100644 --- a/share/ipf/example.14 +++ b/share/ipf/example.14 @@ -1,10 +1,61 @@ # -# For a network server, which has two interfaces, 128.1.40.1 (le0) and -# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is -# connected to the majority of the network, whilst le0 is connected to a -# leaf subnet. We're not concerned about filtering individual services. -# -pass in quick on le0 from 128.1.40.0/24 to any -block in quick log on le0 from any to any -block in quick log on le1 from 128.1.40.0/24 to any -pass in quick on le1 from any to any +# log all inbound packet on le0 which has IP options present +# +log in on le0 from any to any with ipopts +# +# block any inbound packets on le0 which are fragmented and "too short" to +# do any meaningful comparison on. This actually only applies to TCP +# packets which can be missing the flags/ports (depending on which part +# of the fragment you see). +# +block in log quick on le0 from any to any with short frag +# +# log all inbound TCP packets with the SYN flag (only) set +# (NOTE: if it were an inbound TCP packet with the SYN flag set and it +# had IP options present, this rule and the above would cause it +# to be logged twice). +# +log in on le0 proto tcp from any to any flags S/SA +# +# block and log any inbound ICMP unreachables +# +block in log on le0 proto icmp from any to any icmp-type unreach +# +# block and log any inbound UDP packets on le0 which are going to port 2049 +# (the NFS port). +# +block in log on le0 proto udp from any to any port = 2049 +# +# quickly allow any packets to/from a particular pair of hosts +# +pass in quick from any to 10.1.3.2/32 +pass in quick from any to 10.1.0.13/32 +pass in quick from 10.1.3.2/32 to any +pass in quick from 10.1.0.13/32 to any +# +# block (and stop matching) any packet with IP options present. +# +block in quick on le0 from any to any with ipopts +# +# allow any packet through +# +pass in from any to any +# +# block any inbound UDP packets destined for these subnets. +# +block in on le0 proto udp from any to 10.1.3.0/24 +block in on le0 proto udp from any to 10.1.1.0/24 +block in on le0 proto udp from any to 10.1.2.0/24 +# +# block any inbound TCP packets with only the SYN flag set that are +# destined for these subnets. +# +block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA +block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA +block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA +# +# block any inbound ICMP packets destined for these subnets. +# +block in on le0 proto icmp from any to 10.1.3.0/24 +block in on le0 proto icmp from any to 10.1.1.0/24 +block in on le0 proto icmp from any to 10.1.2.0/24 |