# $FreeBSD: releng/11.0/share/examples/ipfilter/rules.txt 85213 2001-10-20 04:17:07Z darrenr $
#
# block all incoming TCP packets on le0 from host "foo" to any destination.
#
block in on le0 proto tcp from foo/32 to any

------------------------------------------------------------------------

#
# block all outgoing TCP packets on le0 from any host to host bar, unless
# they are destined for port 23.
#
block out on le0 proto tcp from any to bar/32 port != 23

------------------------------------------------------------------------

#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from 10.1.3.1 to any
pass in from 10.1.3.2 to any
pass in from 10.1.3.3 to any
pass in from 10.1.3.4 to any
pass in from 10.1.3.5 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

------------------------------------------------------------------------

#
# block all ICMP packets.
#
block in proto icmp from any to any

------------------------------------------------------------------------

#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass from foo to bar
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass proto udp from fubar port != 53 to localhost
#
# block all ICMP unreachables (the icmp-type keyword needs "proto icmp").
#
block proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (i.e. there
# are IP options such as source-routing present).
#
pass from any to any with ipopts

------------------------------------------------------------------------

#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection).
#
block in proto tcp from any to any flags S/SA

------------------------------------------------------------------------

#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
#
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
block in to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in dup-to le0:packetlog proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in fastroute proto udp all
#
# Route all ICMP packets to network 10 out through le1, to "router"
#
pass in to le1:router proto icmp all

------------------------------------------------------------------------
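The rulesets above only make sense once you know how ipf walks a rule list: every rule is tested in order, the last rule that matches decides the verdict, a rule carrying "quick" ends the walk as soon as it matches, and "flags S/SA" matches only a packet whose SYN is set and ACK is clear. The following Python evaluator is an added example written for this page; it is not part of FreeBSD's rules.txt and not ipf's own code. It models that evaluation order for a subset of the syntax used by the numeric rules above (hostnames, "with", "dup-to", "fastroute" and "to iface:host" are not supported) and then runs a constructed ruleset, assembled from rules on this page, against constructed packets. The logging model (a bare "log" rule logs on match, while "block log" and "pass log" log only when they end up as the final match) and the pass-by-default policy are assumptions about ipf's behaviour, labelled as such in the code; interfaces are parsed but ignored.

```python
"""Toy evaluator for a subset of IPFilter (ipf) rule semantics.
Constructed example: not part of FreeBSD's rules.txt and not ipf's own code.
Assumed behaviour (from ipf(5) and ipf's fr_scanlist): rules are tried top to
bottom and the LAST match decides; 'quick' stops at the first match; a bare
'log' rule logs when matched without changing the verdict, while 'block log'
and 'pass log' log only if they are the final match; no match means pass.
Parsed syntax: block/pass/log, in/out, log, quick, 'on <iface>' (ignored),
proto, from/to with optional CIDR, 'all', 'port = N' / 'port != N', flags X/Y.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp" or "ip" (no transport header)
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags set: "S" = SYN, "SA" = SYN+ACK, "A" = ACK
    direction: str = "in"

@dataclass
class Rule:
    action: str                      # "block", "pass" or "log"
    direction: Optional[str] = None  # "in", "out" or None for both
    quick: bool = False
    log: bool = False
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[tuple] = None    # ("=" or "!=", number) for the source port
    dport: Optional[tuple] = None    # same for the destination port
    flags: Optional[str] = None      # "set/mask", e.g. "S/SA"

def _addr(tok):
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(toks):
    """Consume 'port <op> <number>' from the token list if it comes next."""
    if toks and toks[0] == "port":
        toks.pop(0)
        return (toks.pop(0), int(toks.pop(0)))
    return None

def parse_rule(line):
    toks = line.split()
    r = Rule(action=toks.pop(0))
    if r.action not in ("block", "pass", "log"):
        raise ValueError("unsupported action in: " + line)
    while toks and toks[0] in ("in", "out", "log", "quick", "on"):
        t = toks.pop(0)
        if t in ("in", "out"):
            r.direction = t
        elif t == "on":                # 'on <iface>': interfaces not modelled
            toks.pop(0)
        else:
            setattr(r, t, True)        # log / quick
    if toks and toks[0] == "proto":
        toks.pop(0)
        r.proto = toks.pop(0)
    if toks and toks[0] == "all":
        toks.pop(0)
    else:
        if toks.pop(0) != "from":
            raise ValueError("expected 'from' in: " + line)
        r.src, r.sport = _addr(toks.pop(0)), _port(toks)
        if toks.pop(0) != "to":
            raise ValueError("expected 'to' in: " + line)
        r.dst, r.dport = _addr(toks.pop(0)), _port(toks)
    if toks and toks[0] == "flags":
        toks.pop(0)
        r.flags = toks.pop(0)
    if toks:
        raise ValueError("unsupported tokens %r in: %s" % (toks, line))
    return r

def _port_ok(cond, value):
    return cond is None or (value == cond[1]) == (cond[0] == "=")

def matches(r, p):
    if (r.direction and r.direction != p.direction) or (r.proto and r.proto != p.proto):
        return False
    if ipaddress.ip_address(p.src) not in r.src or ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if not (_port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)):
        return False
    if r.flags:
        # 'flags S/SA': of the flags named in the mask (S and A), exactly those
        # in the set (S) must be present: a pure SYN matches, SYN+ACK does not.
        want, mask = r.flags.split("/")
        if {f for f in p.flags if f in mask} != set(want):
            return False
    return True

def evaluate(rules, p):
    """Return (verdict, logged) for packet p under the ordered ruleset."""
    verdict, final_log, logged = "pass", False, False
    for r in rules:
        if not matches(r, p):
            continue
        if r.action == "log":          # bare log rule: log now, keep verdict
            logged = True
        else:                          # last matching block/pass wins
            verdict, final_log = r.action, r.log
        if r.quick:
            break
    return verdict, logged or final_log

# Constructed ruleset: numeric rules from the file, ordered so that 'quick',
# last-match and 'log' all come into play.
RULES = [parse_rule(l) for l in """
pass in quick from any to 10.1.3.2/32
log in on le0 proto tcp from any to any flags S/SA
block in log on le0 proto udp from any to any port = 2049
pass in from any to any
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto icmp from any to 10.1.3.0/24
""".strip().splitlines()]

# Constructed packets; 192.0.2.0/24 is documentation address space.
CASES = {
    "nfs_to_quick_host": Packet("192.0.2.1", "10.1.3.2", "udp", 40000, 2049),
    "nfs_to_other_host": Packet("192.0.2.1", "10.1.3.7", "udp", 40000, 2049),
    "syn_to_subnet": Packet("192.0.2.1", "10.1.3.7", "tcp", 40000, 80, "S"),
    "synack_to_subnet": Packet("192.0.2.1", "10.1.3.7", "tcp", 40000, 80, "SA"),
    "icmp_to_subnet": Packet("192.0.2.1", "10.1.3.7", "icmp"),
    "outbound_syn": Packet("10.1.3.7", "192.0.2.1", "tcp", 40000, 80, "S", "out"),
}

def run_cases():
    return {name: evaluate(RULES, pkt) for name, pkt in CASES.items()}

if __name__ == "__main__":
    for name, (verdict, logged) in run_cases().items():
        print("%-18s %-5s %s" % (name, verdict, "logged" if logged else "not logged"))
```

Two of the cases are worth reading closely. The NFS probe to 10.1.3.2 passes and is never logged, because the "pass in quick" rule for that host ends evaluation before the "block in log ... port = 2049" rule is reached; the same probe to 10.1.3.7 is blocked by the later per-subnet UDP rule, and under the modelled logging semantics it is not logged either, since the "block log" rule is no longer the final match. When a ruleset is loaded with ipf, "ipfstat -hio" shows per-rule hit counts, which is the practical way to confirm which rule actually decided.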