summaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
Diffstat (limited to 'share')
-rw-r--r--share/Makefile4
-rw-r--r--share/ipf/Makefile13
-rw-r--r--share/ipf/example.14
-rw-r--r--share/ipf/example.1012
-rw-r--r--share/ipf/example.1127
-rw-r--r--share/ipf/example.1217
-rw-r--r--share/ipf/example.1317
-rw-r--r--share/ipf/example.1461
-rw-r--r--share/ipf/example.1511
-rw-r--r--share/ipf/example.1613
-rw-r--r--share/ipf/example.25
-rw-r--r--share/ipf/example.340
-rw-r--r--share/ipf/example.44
-rw-r--r--share/ipf/example.525
-rw-r--r--share/ipf/example.65
-rw-r--r--share/ipf/example.712
-rw-r--r--share/ipf/example.810
-rw-r--r--share/ipf/example.912
-rw-r--r--share/ipf/firewall.135
-rw-r--r--share/ipf/firewall.269
-rw-r--r--share/ipf/firewall.399
-rw-r--r--share/ipf/firewall.472
-rw-r--r--share/ipf/nat.131
-rw-r--r--share/ipf/nat.221
-rw-r--r--share/ipf/nat.345
-rw-r--r--share/man/man4/Makefile4
-rw-r--r--share/man/man4/ipl.481
27 files changed, 4 insertions, 745 deletions
diff --git a/share/Makefile b/share/Makefile
index 5d0ab8a51bc..26acf331c8b 100644
--- a/share/Makefile
+++ b/share/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.8 2000/04/25 21:12:53 jakob Exp $
+# $OpenBSD: Makefile,v 1.9 2001/05/30 02:11:00 deraadt Exp $
-SUBDIR= dict doc ipf ipsec lkm man misc mk tabset termtypes \
+SUBDIR= dict doc ipsec lkm man misc mk tabset termtypes \
tmac zoneinfo smtpd
.include <bsd.subdir.mk>
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
deleted file mode 100644
index 3919a72fd85..00000000000
--- a/share/ipf/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2000/03/02 14:46:34 todd Exp $
-#
-#
-FILES= example.* nat.* firewall.*
-NOOBJ= noobj
-
-all clean cleandir depend lint tags:
-
-install:
- install -d ${DESTDIR}${BINDIR}/ipf
- install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipf
-
-.include <bsd.prog.mk>
diff --git a/share/ipf/example.1 b/share/ipf/example.1
deleted file mode 100644
index ff93f492caf..00000000000
--- a/share/ipf/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
deleted file mode 100644
index 560d1e670f6..00000000000
--- a/share/ipf/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/share/ipf/example.11 b/share/ipf/example.11
deleted file mode 100644
index e9045d24f1b..00000000000
--- a/share/ipf/example.11
+++ /dev/null
@@ -1,27 +0,0 @@
-# For this example, "foo" has an IP address of 10.2.2.2
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/share/ipf/example.12 b/share/ipf/example.12
deleted file mode 100644
index c0ba1d3cdda..00000000000
--- a/share/ipf/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/share/ipf/example.13 b/share/ipf/example.13
deleted file mode 100644
index 854f07f1694..00000000000
--- a/share/ipf/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/share/ipf/example.14 b/share/ipf/example.14
deleted file mode 100644
index c4c1994030b..00000000000
--- a/share/ipf/example.14
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/share/ipf/example.15 b/share/ipf/example.15
deleted file mode 100644
index f2fb2041faf..00000000000
--- a/share/ipf/example.15
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/share/ipf/example.16 b/share/ipf/example.16
deleted file mode 100644
index 339a25f963f..00000000000
--- a/share/ipf/example.16
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all
diff --git a/share/ipf/example.2 b/share/ipf/example.2
deleted file mode 100644
index 4f81725eeb0..00000000000
--- a/share/ipf/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/share/ipf/example.3 b/share/ipf/example.3
deleted file mode 100644
index cd31f73e7c2..00000000000
--- a/share/ipf/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/share/ipf/example.4 b/share/ipf/example.4
deleted file mode 100644
index 7918ec2fbd9..00000000000
--- a/share/ipf/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/share/ipf/example.5 b/share/ipf/example.5
deleted file mode 100644
index a45a4fa5b34..00000000000
--- a/share/ipf/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo (10.1.1.2) to bar (10.2.1.1) through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/share/ipf/example.6 b/share/ipf/example.6
deleted file mode 100644
index d40f0f3d2a1..00000000000
--- a/share/ipf/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.7 b/share/ipf/example.7
deleted file mode 100644
index 062de981193..00000000000
--- a/share/ipf/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/share/ipf/example.8 b/share/ipf/example.8
deleted file mode 100644
index baa02581256..00000000000
--- a/share/ipf/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/share/ipf/example.9 b/share/ipf/example.9
deleted file mode 100644
index 77968f85d2f..00000000000
--- a/share/ipf/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le0 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/share/ipf/firewall.1 b/share/ipf/firewall.1
deleted file mode 100644
index 4a86f3d15df..00000000000
--- a/share/ipf/firewall.1
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# This is an example of a very light firewall used to guard against
-# some of the most easily exploited common security holes.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets and IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block any incoming traffic to NFS ports, to the RPC portmapper, and
-# to X servers.
-#
-block in log on ppp0 proto tcp/udp from any to any port = sunrpc
-block in log on ppp0 proto tcp/udp from any to any port = 2049
-block in log on ppp0 proto tcp from any to any port = 6000
diff --git a/share/ipf/firewall.2 b/share/ipf/firewall.2
deleted file mode 100644
index e0ad5639c52..00000000000
--- a/share/ipf/firewall.2
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# This is an example of a fairly heavy firewall used to keep everyone
-# out of a particular network while still allowing people within that
-# network to get outside.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets, IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header,
-# and anything with IP options.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-block in log quick on ppp0 from any to any with ipopts
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block all incoming UDP traffic except talk and DNS traffic. NFS
-# and portmap are special-cased and logged.
-#
-block in on ppp0 proto udp from any to any
-block in log on ppp0 proto udp from any to any port = sunrpc
-block in log on ppp0 proto udp from any to any port = 2049
-pass in on ppp0 proto udp from any to any port = domain
-pass in on ppp0 proto udp from any to any port = talk
-pass in on ppp0 proto udp from any to any port = ntalk
-#
-# Block all incoming TCP traffic connections to known services,
-# returning a connection reset so things like ident don't take
-# forever timing out. Don't log ident (auth port) as it's so common.
-#
-block return-rst in log on ppp0 proto tcp from any to any flags S/SA
-block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
-#
-# Allow incoming TCP connections to ports between 1024 and 5000, as
-# these don't have daemons listening but are used by outgoing
-# services like ftp and talk. For slightly more obscurity (though
-# not much more security), the second commented out rule can chosen
-# instead.
-#
-pass in on ppp0 proto tcp from any to any port 1024 >< 5000
-#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
-#
-# Now allow various incoming TCP connections to particular hosts, TCP
-# to the main nameserver so secondaries can do zone transfers, SMTP
-# to the mail host, www to the web server (which really should be
-# outside the firewall if you care about security), and ssh to a
-# hypothetical machine caled 'gatekeeper' that can be used to gain
-# access to the protected network from the outside world.
-#
-pass in on ppp0 proto tcp from any to ns1 port = domain
-pass in on ppp0 proto tcp from any to mail port = smtp
-pass in on ppp0 proto tcp from any to www port = www
-pass in on ppp0 proto tcp from any to gatekeeper port = ssh
diff --git a/share/ipf/firewall.3 b/share/ipf/firewall.3
deleted file mode 100644
index d2bd60a3188..00000000000
--- a/share/ipf/firewall.3
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/firewall.4 b/share/ipf/firewall.4
deleted file mode 100644
index 46564f0ee41..00000000000
--- a/share/ipf/firewall.4
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/nat.1 b/share/ipf/nat.1
deleted file mode 100644
index f862a23786b..00000000000
--- a/share/ipf/nat.1
+++ /dev/null
@@ -1,31 +0,0 @@
-Example NAT Rules
-
-# Scenario: Two network interfaces; one connected to internal 192.168.0.XXX
-# network, other connected externally to the Internet. Suppose the internal
-# interface is named ep1 and the external interface is named xl0. The
-# following mapping will provide the internal network with Internet
-# connectivity for tcp/udp traffic (note the ep1 name is not used; instead
-# its network address is used):
-map xl0 192.168.0.0/24 -> xl0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 to the address of the first ppp0
-# interface (which can be dynamically assigned prior to use of ipnat)
-map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 into addresses of network 240.1.0
-map ppp0 10.0.0.0/8 -> 240.1.0.0/24 portmap tcp/udp 10000:60000
-
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/share/ipf/nat.2 b/share/ipf/nat.2
deleted file mode 100644
index badec5edb3f..00000000000
--- a/share/ipf/nat.2
+++ /dev/null
@@ -1,21 +0,0 @@
- Miscellaneous NAT Configuration Tips
-
-Don't forget to add "net.inet.ip.forwarding=1" to /etc/sysctl.conf or NAT will
-not work. NAT requires IP packet forwarding.
-
-Don't forget to add "option IPFILTER" (and maybe "option IPFILTER_LOG"
-if you want ipmon(8) to work) to the kernel config file or NAT will
-not work. NAT requires the IPF packet filter.
-
-You must have IPF enabled even if you aren't using it for anything or
-NAT will not work. The standard way to do this is to make sure
-/etc/ipf.rules is installed and edit /etc/rc.conf changing
-"ipfilter=NO" to "ipfilter=YES" then reboot.
-
-When you bring up NAT it needs the interface to have an address. If you are
-using the ppp0 interface unless you start pppd from /etc/rc you cannot start
-NAT there. Instead, in the /etc/ppp/ip-up shell script add
-
-/sbin/ipnat -CF -f /etc/ipnat.rules
-
-to start NAT when the link comes up and the interface has an address.
diff --git a/share/ipf/nat.3 b/share/ipf/nat.3
deleted file mode 100644
index df041d1119c..00000000000
--- a/share/ipf/nat.3
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 0dcea02bed8..c413c406549 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.162 2001/05/14 09:32:36 deraadt Exp $
+# $OpenBSD: Makefile,v 1.163 2001/05/30 02:12:10 deraadt Exp $
MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
aria.4 ast.4 \
@@ -11,7 +11,7 @@ MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
eso.4 ess.4 exphy.4 fd.4 fdc.4 fpa.4 \
fms.4 fxp.4 gdt.4 gre.4 hifn.4 hsq.4 auich.4 icmp.4 icsphy.4 \
idp.4 iha.4 ifmedia.4 \
- inet.4 inphy.4 iophy.4 ip.4 ipl.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
+ inet.4 inphy.4 iophy.4 ip.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
isp.4 \
ksyms.4 kue.4 lkm.4 lmc.4 lo.4 lxtphy.4 maestro.4 midi.4 mii.4 \
mtdphy.4 \
diff --git a/share/man/man4/ipl.4 b/share/man/man4/ipl.4
deleted file mode 100644
index f897e591288..00000000000
--- a/share/man/man4/ipl.4
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" $OpenBSD: ipl.4,v 1.9 2000/04/13 19:59:40 kjell Exp $
-.\"
-.TH IPL 4
-.SH NAME
-ipl \- IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options \- TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header. If the log reader
-is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the
-default) bytes of data are stored.
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_long ipl_sec;
- u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
- u_char fl_ifname[IFNAMSIZ];
-#else
- u_int fl_unit;
- u_char fl_ifname[4];
-#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_rule; /* assume never more than 64k rules, total */
- u_32_t fl_flags;
-} ipflog_t;
-
-.fi
-.PP
-When reading from the \fBipl\fP device, it is necessary to call read(2) with
-a buffer big enough to hold at least 1 complete log record - reading of partial
-log records is not supported.
-.PP
-If the packet contents is more then 128 bytes when \fBlog body\fP is used,
-then only 128 bytes of the packet contents is logged.
-.PP
-Although it is only possible to read from the \fBipl\fP device, opening it
-for writing is required when using an ioctl which changes any kernel data.
-.PP
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The ioctls which are for use with logging and don't affect the filter are:
-.LP
-.nf
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, FIONREAD, int *)
-.fi
-.PP
-The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
-flushed. FIONREAD returns the number of bytes currently used for storing
-log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
-available and FIONREAD will return but not do anything.
-.PP
-There is currently no support for non-blocking IO with this device, meaning
-all read operations should be considered blocking in nature (if there is no
-data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4)
-.SH BUGS
-Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl