Diffstat (limited to 'share')
-rw-r--r-- | share/Makefile | 4 | ||||
-rw-r--r-- | share/ipf/Makefile | 13 | ||||
-rw-r--r-- | share/ipf/example.1 | 4 | ||||
-rw-r--r-- | share/ipf/example.10 | 12 | ||||
-rw-r--r-- | share/ipf/example.11 | 27 | ||||
-rw-r--r-- | share/ipf/example.12 | 17 | ||||
-rw-r--r-- | share/ipf/example.13 | 17 | ||||
-rw-r--r-- | share/ipf/example.14 | 61 | ||||
-rw-r--r-- | share/ipf/example.15 | 11 | ||||
-rw-r--r-- | share/ipf/example.16 | 13 | ||||
-rw-r--r-- | share/ipf/example.2 | 5 | ||||
-rw-r--r-- | share/ipf/example.3 | 40 | ||||
-rw-r--r-- | share/ipf/example.4 | 4 | ||||
-rw-r--r-- | share/ipf/example.5 | 25 | ||||
-rw-r--r-- | share/ipf/example.6 | 5 | ||||
-rw-r--r-- | share/ipf/example.7 | 12 | ||||
-rw-r--r-- | share/ipf/example.8 | 10 | ||||
-rw-r--r-- | share/ipf/example.9 | 12 | ||||
-rw-r--r-- | share/ipf/firewall.1 | 35 | ||||
-rw-r--r-- | share/ipf/firewall.2 | 69 | ||||
-rw-r--r-- | share/ipf/firewall.3 | 99 | ||||
-rw-r--r-- | share/ipf/firewall.4 | 72 | ||||
-rw-r--r-- | share/ipf/nat.1 | 31 | ||||
-rw-r--r-- | share/ipf/nat.2 | 21 | ||||
-rw-r--r-- | share/ipf/nat.3 | 45 | ||||
-rw-r--r-- | share/man/man4/Makefile | 4 | ||||
-rw-r--r-- | share/man/man4/ipl.4 | 81 |
27 files changed, 4 insertions, 745 deletions
diff --git a/share/Makefile b/share/Makefile
index 5d0ab8a51bc..26acf331c8b 100644
--- a/share/Makefile
+++ b/share/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.8 2000/04/25 21:12:53 jakob Exp $
+# $OpenBSD: Makefile,v 1.9 2001/05/30 02:11:00 deraadt Exp $
 
-SUBDIR= dict doc ipf ipsec lkm man misc mk tabset termtypes \
+SUBDIR= dict doc ipsec lkm man misc mk tabset termtypes \
 	tmac zoneinfo smtpd
 
 .include <bsd.subdir.mk>
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
deleted file mode 100644
index 3919a72fd85..00000000000
--- a/share/ipf/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2000/03/02 14:46:34 todd Exp $
-#
-#
-FILES= example.* nat.* firewall.*
-NOOBJ= noobj
-
-all clean cleandir depend lint tags:
-
-install:
-	install -d ${DESTDIR}${BINDIR}/ipf
-	install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipf
-
-.include <bsd.prog.mk>
diff --git a/share/ipf/example.1 b/share/ipf/example.1
deleted file mode 100644
index ff93f492caf..00000000000
--- a/share/ipf/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
deleted file mode 100644
index 560d1e670f6..00000000000
--- a/share/ipf/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/share/ipf/example.11 b/share/ipf/example.11
deleted file mode 100644
index e9045d24f1b..00000000000
--- a/share/ipf/example.11
+++ /dev/null
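Review bot: Dropping `ipf` from SUBDIR stops future builds from installing the sample rulesets, but the copies an earlier build placed under `${DESTDIR}${BINDIR}/ipf` (the install target of the deleted share/ipf/Makefile) and the installed ipl(4) page are not removed by this change, so upgraded systems keep stale ipf/ipnat sample rules that no longer match anything in the tree. If the tree keeps a list of obsolete installed files, those paths belong on it; otherwise a sentence in the commit description naming them would tell administrators what to clean up. The rest of this hunk is a version-string bump and needs no further review.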
@@ -1,27 +0,0 @@
-# For this example, "foo" has an IP address of 10.2.2.2
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/share/ipf/example.12 b/share/ipf/example.12
deleted file mode 100644
index c0ba1d3cdda..00000000000
--- a/share/ipf/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/share/ipf/example.13 b/share/ipf/example.13
deleted file mode 100644
index 854f07f1694..00000000000
--- a/share/ipf/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/share/ipf/example.14 b/share/ipf/example.14
deleted file mode 100644
index c4c1994030b..00000000000
--- a/share/ipf/example.14
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/share/ipf/example.15 b/share/ipf/example.15
deleted file mode 100644
index f2fb2041faf..00000000000
--- a/share/ipf/example.15
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/share/ipf/example.16 b/share/ipf/example.16
deleted file mode 100644
index 339a25f963f..00000000000
--- a/share/ipf/example.16
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all
diff --git a/share/ipf/example.2 b/share/ipf/example.2
deleted file mode 100644
index 4f81725eeb0..00000000000
--- a/share/ipf/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/share/ipf/example.3 b/share/ipf/example.3
deleted file mode 100644
index cd31f73e7c2..00000000000
--- a/share/ipf/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/share/ipf/example.4 b/share/ipf/example.4
deleted file mode 100644
index 7918ec2fbd9..00000000000
--- a/share/ipf/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/share/ipf/example.5 b/share/ipf/example.5
deleted file mode 100644
index a45a4fa5b34..00000000000
--- a/share/ipf/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo (10.1.1.2) to bar (10.2.1.1) through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/share/ipf/example.6 b/share/ipf/example.6
deleted file mode 100644
index d40f0f3d2a1..00000000000
--- a/share/ipf/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.7 b/share/ipf/example.7
deleted file mode 100644
index 062de981193..00000000000
--- a/share/ipf/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/share/ipf/example.8 b/share/ipf/example.8
deleted file mode 100644
index baa02581256..00000000000
--- a/share/ipf/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/share/ipf/example.9 b/share/ipf/example.9
deleted file mode 100644
index 77968f85d2f..00000000000
--- a/share/ipf/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le0 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/share/ipf/firewall.1 b/share/ipf/firewall.1
deleted file mode 100644
index 4a86f3d15df..00000000000
--- a/share/ipf/firewall.1
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# This is an example of a very light firewall used to guard against
-# some of the most easily exploited common security holes.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets and IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block any incoming traffic to NFS ports, to the RPC portmapper, and
-# to X servers.
-#
-block in log on ppp0 proto tcp/udp from any to any port = sunrpc
-block in log on ppp0 proto tcp/udp from any to any port = 2049
-block in log on ppp0 proto tcp from any to any port = 6000
diff --git a/share/ipf/firewall.2 b/share/ipf/firewall.2
deleted file mode 100644
index e0ad5639c52..00000000000
--- a/share/ipf/firewall.2
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# This is an example of a fairly heavy firewall used to keep everyone
-# out of a particular network while still allowing people within that
-# network to get outside.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets, IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header,
-# and anything with IP options.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-block in log quick on ppp0 from any to any with ipopts
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block all incoming UDP traffic except talk and DNS traffic. NFS
-# and portmap are special-cased and logged.
-#
-block in on ppp0 proto udp from any to any
-block in log on ppp0 proto udp from any to any port = sunrpc
-block in log on ppp0 proto udp from any to any port = 2049
-pass in on ppp0 proto udp from any to any port = domain
-pass in on ppp0 proto udp from any to any port = talk
-pass in on ppp0 proto udp from any to any port = ntalk
-#
-# Block all incoming TCP traffic connections to known services,
-# returning a connection reset so things like ident don't take
-# forever timing out. Don't log ident (auth port) as it's so common.
-#
-block return-rst in log on ppp0 proto tcp from any to any flags S/SA
-block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
-#
-# Allow incoming TCP connections to ports between 1024 and 5000, as
-# these don't have daemons listening but are used by outgoing
-# services like ftp and talk. For slightly more obscurity (though
-# not much more security), the second commented out rule can chosen
-# instead.
-#
-pass in on ppp0 proto tcp from any to any port 1024 >< 5000
-#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
-#
-# Now allow various incoming TCP connections to particular hosts, TCP
-# to the main nameserver so secondaries can do zone transfers, SMTP
-# to the mail host, www to the web server (which really should be
-# outside the firewall if you care about security), and ssh to a
-# hypothetical machine caled 'gatekeeper' that can be used to gain
-# access to the protected network from the outside world.
-#
-pass in on ppp0 proto tcp from any to ns1 port = domain
-pass in on ppp0 proto tcp from any to mail port = smtp
-pass in on ppp0 proto tcp from any to www port = www
-pass in on ppp0 proto tcp from any to gatekeeper port = ssh
diff --git a/share/ipf/firewall.3 b/share/ipf/firewall.3
deleted file mode 100644
index d2bd60a3188..00000000000
--- a/share/ipf/firewall.3
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/firewall.4 b/share/ipf/firewall.4
deleted file mode 100644
index 46564f0ee41..00000000000
--- a/share/ipf/firewall.4
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/nat.1 b/share/ipf/nat.1
deleted file mode 100644
index f862a23786b..00000000000
--- a/share/ipf/nat.1
+++ /dev/null
@@ -1,31 +0,0 @@
-Example NAT Rules
-
-# Scenario: Two network interfaces; one connected to internal 192.168.0.XXX
-# network, other connected externally to the Internet. Suppose the internal
-# interface is named ep1 and the external interface is named xl0. The
-# following mapping will provide the internal network with Internet
-# connectivity for tcp/udp traffic (note the ep1 name is not used; instead
-# its network address is used):
-map xl0 192.168.0.0/24 -> xl0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 to the address of the first ppp0
-# interface (which can be dynamically assigned prior to use of ipnat)
-map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 into addresses of network 240.1.0
-map ppp0 10.0.0.0/8 -> 240.1.0.0/24 portmap tcp/udp 10000:60000
-
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/share/ipf/nat.2 b/share/ipf/nat.2
deleted file mode 100644
index badec5edb3f..00000000000
--- a/share/ipf/nat.2
+++ /dev/null
@@ -1,21 +0,0 @@
- Miscellaneous NAT Configuration Tips
-
-Don't forget to add "net.inet.ip.forwarding=1" to /etc/sysctl.conf or NAT will
-not work. NAT requires IP packet forwarding.
-
-Don't forget to add "option IPFILTER" (and maybe "option IPFILTER_LOG"
-if you want ipmon(8) to work) to the kernel config file or NAT will
-not work. NAT requires the IPF packet filter.
-
-You must have IPF enabled even if you aren't using it for anything or
-NAT will not work. The standard way to do this is to make sure
-/etc/ipf.rules is installed and edit /etc/rc.conf changing
-"ipfilter=NO" to "ipfilter=YES" then reboot.
-
-When you bring up NAT it needs the interface to have an address. If you are
-using the ppp0 interface unless you start pppd from /etc/rc you cannot start
-NAT there. Instead, in the /etc/ppp/ip-up shell script add
-
-/sbin/ipnat -CF -f /etc/ipnat.rules
-
-to start NAT when the link comes up and the interface has an address.
diff --git a/share/ipf/nat.3 b/share/ipf/nat.3
deleted file mode 100644
index df041d1119c..00000000000
--- a/share/ipf/nat.3
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 0dcea02bed8..c413c406549 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.162 2001/05/14 09:32:36 deraadt Exp $
+# $OpenBSD: Makefile,v 1.163 2001/05/30 02:12:10 deraadt Exp $
 
 MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
 	aria.4 ast.4 \
@@ -11,7 +11,7 @@ MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
 	eso.4 ess.4 exphy.4 fd.4 fdc.4 fpa.4 \
 	fms.4 fxp.4 gdt.4 gre.4 hifn.4 hsq.4 auich.4 icmp.4 icsphy.4 \
 	idp.4 iha.4 ifmedia.4 \
-	inet.4 inphy.4 iophy.4 ip.4 ipl.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
+	inet.4 inphy.4 iophy.4 ip.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
 	isp.4 \
 	ksyms.4 kue.4 lkm.4 lmc.4 lo.4 lxtphy.4 maestro.4 midi.4 mii.4 \
 	mtdphy.4 \
diff --git a/share/man/man4/ipl.4 b/share/man/man4/ipl.4
deleted file mode 100644
index f897e591288..00000000000
--- a/share/man/man4/ipl.4
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" $OpenBSD: ipl.4,v 1.9 2000/04/13 19:59:40 kjell Exp $
-.\"
-.TH IPL 4
-.SH NAME
-ipl \- IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options \- TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header. If the log reader
-is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the
-default) bytes of data are stored.
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
-	u_long ipl_sec;
-	u_long ipl_usec;
-	u_int ipl_len;
-	u_int ipl_count;
-	size_t ipl_dsize;
-	struct iplog *ipl_next;
-} iplog_t;
-
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
-	u_char fl_ifname[IFNAMSIZ];
-#else
-	u_int fl_unit;
-	u_char fl_ifname[4];
-#endif
-	u_char fl_plen; /* extra data after hlen */
-	u_char fl_hlen; /* length of IP headers saved */
-	u_short fl_rule; /* assume never more than 64k rules, total */
-	u_32_t fl_flags;
-} ipflog_t;
-
-.fi
-.PP
-When reading from the \fBipl\fP device, it is necessary to call read(2) with
-a buffer big enough to hold at least 1 complete log record - reading of partial
-log records is not supported.
-.PP
-If the packet contents is more then 128 bytes when \fBlog body\fP is used,
-then only 128 bytes of the packet contents is logged.
-.PP
-Although it is only possible to read from the \fBipl\fP device, opening it
-for writing is required when using an ioctl which changes any kernel data.
-.PP
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The ioctls which are for use with logging and don't affect the filter are:
-.LP
-.nf
-	ioctl(fd, SIOCIPFFB, int *)
-	ioctl(fd, FIONREAD, int *)
-.fi
-.PP
-The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
-flushed. FIONREAD returns the number of bytes currently used for storing
-log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
-available and FIONREAD will return but not do anything.
-.PP
-There is currently no support for non-blocking IO with this device, meaning
-all read operations should be considered blocking in nature (if there is no
-data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4)
-.SH BUGS
-Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl |