From e3218062cc5930091568933ca422390c9ac4621c Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Fri, 6 Dec 2002 11:09:49 +0000
Subject: block -> block drop
---
 regress/sbin/pfctl/pf10.ok | 4 +-
 regress/sbin/pfctl/pf11.ok | 16 ++++----
 regress/sbin/pfctl/pf13.ok | 4 +-
 regress/sbin/pfctl/pf2.ok | 18 ++++-----
 regress/sbin/pfctl/pf23.ok | 2 +-
 regress/sbin/pfctl/pf25.ok | 6 +--
 regress/sbin/pfctl/pf26.ok | 4 +-
 regress/sbin/pfctl/pf28.ok | 12 +++---
 regress/sbin/pfctl/pf3.ok | 6 +--
 regress/sbin/pfctl/pf30.ok | 2 +-
 regress/sbin/pfctl/pf31.ok | 6 +--
 regress/sbin/pfctl/pf4.ok | 92 +++++++++++++++++++++++-----------------------
 regress/sbin/pfctl/pf5.ok | 16 ++++----
 regress/sbin/pfctl/pf7.ok | 16 ++++----
 regress/sbin/pfctl/pf8.ok | 4 +-
 regress/sbin/pfctl/pf9.ok | 4 +-
 16 files changed, 106 insertions(+), 106 deletions(-)
(limited to 'regress/sbin')
diff --git a/regress/sbin/pfctl/pf10.ok b/regress/sbin/pfctl/pf10.ok
index df8c6c8a4f3..cc167a7b76b 100644
--- a/regress/sbin/pfctl/pf10.ok
+++ b/regress/sbin/pfctl/pf10.ok
@@ -1,7 +1,7 @@
 pass in inet proto icmp all
 pass in inet6 proto ipv6-icmp all
-block in inet proto icmp all
-block in inet6 proto ipv6-icmp all
+block drop in inet proto icmp all
+block drop in inet6 proto ipv6-icmp all
 block return-rst in inet proto tcp all
 block return-rst in inet6 proto tcp all
 block return-rst(ttl 10) in inet proto tcp all
diff --git a/regress/sbin/pfctl/pf11.ok b/regress/sbin/pfctl/pf11.ok
index 8e70086e4ca..78a677cc47b 100644
--- a/regress/sbin/pfctl/pf11.ok
+++ b/regress/sbin/pfctl/pf11.ok
@@ -6,13 +6,13 @@ pass in inet6 proto ipv6-icmp all ipv6-icmp-type 0
 pass in inet6 proto ipv6-icmp all ipv6-icmp-type 0 code 0
 pass in inet6 proto ipv6-icmp all ipv6-icmp-type unreach
 pass in inet6 proto ipv6-icmp all ipv6-icmp-type unreach code admin-unr
-block in inet proto icmp all icmp-type echorep
-block in inet proto icmp all icmp-type echorep code 0
-block in inet proto icmp all icmp-type 1
-block in inet proto icmp all icmp-type 1 code 1
-block in inet6 proto ipv6-icmp all ipv6-icmp-type 0
-block in inet6 proto ipv6-icmp all ipv6-icmp-type 0 code 0
-block in inet6 proto ipv6-icmp all ipv6-icmp-type unreach
-block in inet6 proto ipv6-icmp all ipv6-icmp-type unreach code admin-unr
+block drop in inet proto icmp all icmp-type echorep
+block drop in inet proto icmp all icmp-type echorep code 0
+block drop in inet proto icmp all icmp-type 1
+block drop in inet proto icmp all icmp-type 1 code 1
+block drop in inet6 proto ipv6-icmp all ipv6-icmp-type 0
+block drop in inet6 proto ipv6-icmp all ipv6-icmp-type 0 code 0
+block drop in inet6 proto ipv6-icmp all ipv6-icmp-type unreach
+block drop in inet6 proto ipv6-icmp all ipv6-icmp-type unreach code admin-unr
 pass in inet proto icmp all icmp-type unreach code needfrag
 pass in inet6 proto ipv6-icmp all ipv6-icmp-type timex code reassemb
diff --git a/regress/sbin/pfctl/pf13.ok b/regress/sbin/pfctl/pf13.ok
index 01b28384001..85e48745026 100644
--- a/regress/sbin/pfctl/pf13.ok
+++ b/regress/sbin/pfctl/pf13.ok
@@ -4,8 +4,8 @@ pass in quick on enc0 fastroute inet6 all
 pass out quick on tun0 route-to tun1 inet all
 pass out quick on tun0 route-to tun1 inet from any to 192.168.1.1
 pass out quick on tun0 route-to tun1 inet6 from any to fec0::1
-block in on tun0 dup-to (tun1 192.168.1.1) inet proto tcp from any to any port = ftp
-block in on tun0 dup-to (tun1 fec0::1) inet6 proto tcp from any to any port = ftp
+block drop in on tun0 dup-to (tun1 192.168.1.1) inet proto tcp from any to any port = ftp
+block drop in on tun0 dup-to (tun1 fec0::1) inet6 proto tcp from any to any port = ftp
 pass in quick on tun0 route-to tun1 inet from 192.168.1.1 to 10.1.1.1
 pass in quick on tun0 route-to tun1 inet6 from fec0::/64 to fec1::2
 pass in quick on tun0 dup-to (tun1 192.168.1.100) inet from 192.168.1.1 to 10.1.1.1
diff --git a/regress/sbin/pfctl/pf2.ok b/regress/sbin/pfctl/pf2.ok
index 22c078521eb..e65d48d05fe 100644
--- a/regress/sbin/pfctl/pf2.ok
+++ b/regress/sbin/pfctl/pf2.ok
@@ -1,16 +1,16 @@
-block out log on tun0 all
-block in log on tun0 all
+block drop out log on tun0 all
+block drop in log on tun0 all
 block return-rst out log on tun0 proto tcp all
 block return-rst in log on tun0 proto tcp all
 block return-icmp(port-unr, port-unr) out log on tun0 proto udp all
 block return-icmp(port-unr, port-unr) in log on tun0 proto udp all
-block out log quick on tun0 inet from ! 157.161.48.183 to any
-block in quick on tun0 inet from any to 255.255.255.255
-block in log quick on tun0 inet from 10.0.0.0/8 to any
-block in log quick on tun0 inet from 172.16.0.0/12 to any
-block in log quick on tun0 inet from 192.168.0.0/16 to any
-block in log quick on tun0 inet from 255.255.255.255 to any
-block in log quick from no-route to any
+block drop out log quick on tun0 inet from ! 157.161.48.183 to any
+block drop in quick on tun0 inet from any to 255.255.255.255
+block drop in log quick on tun0 inet from 10.0.0.0/8 to any
+block drop in log quick on tun0 inet from 172.16.0.0/12 to any
+block drop in log quick on tun0 inet from 192.168.0.0/16 to any
+block drop in log quick on tun0 inet from 255.255.255.255 to any
+block drop in log quick from no-route to any
 pass out on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
 pass in on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
 pass out on tun0 proto udp all keep state
diff --git a/regress/sbin/pfctl/pf23.ok b/regress/sbin/pfctl/pf23.ok
index e41a3e261ba..b0a7d83eb71 100644
--- a/regress/sbin/pfctl/pf23.ok
+++ b/regress/sbin/pfctl/pf23.ok
@@ -1 +1 @@
-block in on ! lo0 all
+block drop in on ! lo0 all
diff --git a/regress/sbin/pfctl/pf25.ok b/regress/sbin/pfctl/pf25.ok
index 6f1ea1ec526..a6efe4aed77 100644
--- a/regress/sbin/pfctl/pf25.ok
+++ b/regress/sbin/pfctl/pf25.ok
@@ -1,3 +1,3 @@
-block in on ! lo0 inet from 127.0.0.0/8 to any
-block in on ! lo0 inet6 from ::1 to any
-block in log quick on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 inet from 127.0.0.0/8 to any
+block drop in on ! lo0 inet6 from ::1 to any
+block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
diff --git a/regress/sbin/pfctl/pf26.ok b/regress/sbin/pfctl/pf26.ok
index 99b0c34630b..1c2df4229ef 100644
--- a/regress/sbin/pfctl/pf26.ok
+++ b/regress/sbin/pfctl/pf26.ok
@@ -1,2 +1,2 @@
-block in on lo0 inet from ! (lo0) to any
-block out on lo0 inet from any to ! (lo0)
+block drop in on lo0 inet from ! (lo0) to any
+block drop out on lo0 inet from any to ! (lo0)
diff --git a/regress/sbin/pfctl/pf28.ok b/regress/sbin/pfctl/pf28.ok
index 11322152bf7..38b349ef845 100644
--- a/regress/sbin/pfctl/pf28.ok
+++ b/regress/sbin/pfctl/pf28.ok
@@ -1,6 +1,6 @@
-block in log-all quick on lo0 all
-block in log quick on lo0 all
-block in log-all quick on lo0 all
-block in log quick on lo0 all
-block in log on lo0 all
-block in log-all on lo0 all
+block drop in log-all quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log-all quick on lo0 all
+block drop in log quick on lo0 all
+block drop in log on lo0 all
+block drop in log-all on lo0 all
diff --git a/regress/sbin/pfctl/pf3.ok b/regress/sbin/pfctl/pf3.ok
index 20866b6dd18..a8ae29581c6 100644
--- a/regress/sbin/pfctl/pf3.ok
+++ b/regress/sbin/pfctl/pf3.ok
@@ -1,8 +1,8 @@
 pass in all
 pass in all
-block in proto tcp all flags FPUEW/FSRPAUEW
-block in proto tcp all flags FS/FSRA
-block in proto tcp all flags /FSRAW
+block drop in proto tcp all flags FPUEW/FSRPAUEW
+block drop in proto tcp all flags FS/FSRA
+block drop in proto tcp all flags /FSRAW
 pass in proto udp all
 pass in proto icmp all
 pass in proto tcp all flags S/SA
diff --git a/regress/sbin/pfctl/pf30.ok b/regress/sbin/pfctl/pf30.ok
index 46509924aab..66742b12af2 100644
--- a/regress/sbin/pfctl/pf30.ok
+++ b/regress/sbin/pfctl/pf30.ok
@@ -1 +1 @@
-block in on lo0 all
+block drop in on lo0 all
diff --git a/regress/sbin/pfctl/pf31.ok b/regress/sbin/pfctl/pf31.ok
index a8664622b04..a44ee5f2b25 100644
--- a/regress/sbin/pfctl/pf31.ok
+++ b/regress/sbin/pfctl/pf31.ok
@@ -3,9 +3,9 @@ set block-policy return
 block return in on lo0 all
 block return in on lo0 inet all
 block return in on lo0 inet6 all
-block in on lo0 all
-block in on lo0 inet all
-block in on lo0 inet6 all
+block drop in on lo0 all
+block drop in on lo0 inet all
+block drop in on lo0 inet6 all
 block return in on lo0 all
 block return in on lo0 inet all
 block return in on lo0 inet6 all
diff --git a/regress/sbin/pfctl/pf4.ok b/regress/sbin/pfctl/pf4.ok
index 6c1a3f504e2..d51cc9a3d94 100644
--- a/regress/sbin/pfctl/pf4.ok
+++ b/regress/sbin/pfctl/pf4.ok
@@ -1,46 +1,46 @@
-block in all
-block in proto tcp all
-block in proto tcp all
-block in proto udp all
-block in all
-block in inet from 10.0.0.0/8 to any
-block in inet from ! 10.0.0.0/8 to any
-block in inet from 10.0.0.0/8 to any
-block in inet from 172.16.0.0/12 to any
-block in proto tcp from any port = ssh to any
-block in proto tcp from any port = ssh to any
-block in proto tcp from any port 21 >< 2048 to any
-block in proto tcp from any port != 1234 to any
-block in proto tcp from any port >= 80 to any
-block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
-block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
-block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
-block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
-block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
-block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
-block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
-block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
-block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
-block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
-block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
-block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
-block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
-block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
-block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
-block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
-block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
-block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
-block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6668
-block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6668
-block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
-block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
-block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
-block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
-block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6667
-block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6668
-block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6667
-block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6668
+block drop in all
+block drop in proto tcp all
+block drop in proto tcp all
+block drop in proto udp all
+block drop in all
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from ! 10.0.0.0/8 to any
+block drop in inet from 10.0.0.0/8 to any
+block drop in inet from 172.16.0.0/12 to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port = ssh to any
+block drop in proto tcp from any port 21 >< 2048 to any
+block drop in proto tcp from any port != 1234 to any
+block drop in proto tcp from any port >= 80 to any
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667
+block drop in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6668
+block drop in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6667
+block drop in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6668
diff --git a/regress/sbin/pfctl/pf5.ok b/regress/sbin/pfctl/pf5.ok
index a09f801d6b2..930c6af6074 100644
--- a/regress/sbin/pfctl/pf5.ok
+++ b/regress/sbin/pfctl/pf5.ok
@@ -1,11 +1,11 @@
 foo = "ssh, ftp"
 bar = "other thing"
 inside = "10.0.0.0/8"
-block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
-block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
-block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 16
-block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 6667
-block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 16
+block drop in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 6667
+block drop in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 16
diff --git a/regress/sbin/pfctl/pf7.ok b/regress/sbin/pfctl/pf7.ok
index 627f72c3a79..295f2f8074a 100644
--- a/regress/sbin/pfctl/pf7.ok
+++ b/regress/sbin/pfctl/pf7.ok
@@ -1,15 +1,15 @@
-block out log on tun0 all
-block in log on tun0 all
+block drop out log on tun0 all
+block drop in log on tun0 all
 block return-rst out log on tun0 proto tcp all
 block return-rst in log on tun0 proto tcp all
 block return-icmp(port-unr, port-unr) out log on tun0 proto udp all
 block return-icmp(port-unr, port-unr) in log on tun0 proto udp all
-block out log quick on tun0 inet from ! 157.161.48.183 to any
-block in quick on tun0 inet from any to 255.255.255.255
-block in log quick on tun0 inet from 10.0.0.0/8 to any
-block in log quick on tun0 inet from 172.16.0.0/12 to any
-block in log quick on tun0 inet from 192.168.0.0/16 to any
-block in log quick on tun0 inet from 255.255.255.255 to any
+block drop out log quick on tun0 inet from ! 157.161.48.183 to any
+block drop in quick on tun0 inet from any to 255.255.255.255
+block drop in log quick on tun0 inet from 10.0.0.0/8 to any
+block drop in log quick on tun0 inet from 172.16.0.0/12 to any
+block drop in log quick on tun0 inet from 192.168.0.0/16 to any
+block drop in log quick on tun0 inet from 255.255.255.255 to any
 pass out on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
 pass in on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
 pass out on tun0 proto udp all keep state
diff --git a/regress/sbin/pfctl/pf8.ok b/regress/sbin/pfctl/pf8.ok
index 7b73977d705..ecf95275649 100644
--- a/regress/sbin/pfctl/pf8.ok
+++ b/regress/sbin/pfctl/pf8.ok
@@ -1,3 +1,3 @@
 extern = "{ ! 10.0.0.0/8, 10.1.2.3 }"
-block out log on tun1 inet from ! 10.0.0.0/8 to any
-block out log on tun1 inet from 10.1.2.3 to any
+block drop out log on tun1 inet from ! 10.0.0.0/8 to any
+block drop out log on tun1 inet from 10.1.2.3 to any
diff --git a/regress/sbin/pfctl/pf9.ok b/regress/sbin/pfctl/pf9.ok
index 05be5804c6d..7e4c7f27352 100644
--- a/regress/sbin/pfctl/pf9.ok
+++ b/regress/sbin/pfctl/pf9.ok
@@ -1,3 +1,3 @@
 interfaces = "{ enc0, tun0 }"
-block in on enc0 all
-block in on tun0 all
+block drop in on enc0 all
+block drop in on tun0 all
-- cgit v1.2.3