# $FreeBSD: releng/11.0/share/examples/ipfilter/rules.txt 85213 2001-10-20 04:17:07Z darrenr $
#
# block all incoming TCP packets on le0 from host "foo" to any destination.
#
block in on le0 proto tcp from foo/32 to any

 ------------------------------------------------------------------------

#
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
block out on le0 proto tcp from any to bar/32 port != 23

 ------------------------------------------------------------------------

#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from 10.1.3.1 to any
pass in from 10.1.3.2 to any
pass in from 10.1.3.3 to any
pass in from 10.1.3.4 to any
pass in from 10.1.3.5 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

 ------------------------------------------------------------------------

#
# block all ICMP packets.
#
block in proto icmp from any to any

 ------------------------------------------------------------------------

#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass from foo to bar
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass proto udp from fubar port != 53 to localhost
#
# block all ICMP unreachables.
#
block from any to any icmp unreach
#
# allow packets through which have a non-standard IP header length (i.e. there
# are IP options such as source-routing present).
#
pass from any to any with ipopts

 ------------------------------------------------------------------------

#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection).
#
block in proto tcp from any to any flags S/SA

 ------------------------------------------------------------------------

#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
#
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
block in to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in dup-to le0:packetlog proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in fastroute proto udp all
#
# Route all ICMP packets to network 10 out through le1, to "router"
#
pass in to le1:router proto icmp all

 ------------------------------------------------------------------------
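The rulesets above only make sense once you know how IP Filter orders its decisions: every rule is examined in turn and the last one that matches decides the packet, except that a matching rule marked "quick" decides immediately (no later rule is consulted), a bare "log" rule only records the packet and never changes the verdict, and a packet that matches no rule at all is passed. That is why "block in from any to any" followed by "pass in from 10.1.3.1 to any" admits 10.1.3.1, and why the "pass in quick" rules for the host pair above can never be overridden by the subnet blocks that follow them. The evaluator below is an added example, not part of the IP Filter distribution or this rules.txt; it parses the subset of the rule syntax used on this page (action, direction, on, proto, from/to with port comparisons, flags, with, quick) and applies those semantics to a few packets it constructs itself. It does not resolve hostnames such as "foo" or "bar", so the constructed rule set uses literal addresses drawn from the page, and it does not model dup-to, fastroute or the interface:host routing forms.

```python
import ipaddress

# Added example (not from the IP Filter distribution): a small evaluator for the
# rule syntax used above, modelling the ordering semantics that decide what such
# a ruleset does: the LAST matching rule wins, a matching "quick" rule wins at
# once, a bare "log" rule never decides, and a packet matching no rule is passed.

def parse_rule(text):
    toks = text.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "sport": None,
            "dport": None, "flags": None, "with": set()}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto"):
            i += 1
            rule["iface" if t == "on" else "proto"] = toks[i]
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            i += 1
            if toks[i] != "any":  # a bare address means a /32
                rule[side] = ipaddress.ip_network(toks[i], strict=False)
            if i + 1 < len(toks) and toks[i + 1] == "port":  # "port OP N"
                rule["sport" if side == "src" else "dport"] = (toks[i + 2], int(toks[i + 3]))
                i += 3
        elif t == "flags":  # e.g. S/SA: of SYN and ACK, only SYN may be set
            i += 1
            want, mask = toks[i].split("/")
            rule["flags"] = (set(want), set(mask))
        elif t == "with":  # packet attributes such as ipopts, short, frag
            while i + 1 < len(toks) and toks[i + 1] in ("ipopts", "short", "frag"):
                i += 1
                rule["with"].add(toks[i])
        i += 1  # "log" and "all" carry no criteria: log never decides, all == any to any
    return rule

def port_ok(cond, value):
    if cond is None:
        return True
    if value is None:  # no transport header seen (e.g. a short fragment)
        return False
    op, n = cond
    return {"=": value == n, "!=": value != n, "<": value < n, ">": value > n}[op]

def matches(rule, pkt):
    for key in ("dir", "iface", "proto"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if rule[key] is not None and pkt[key] not in rule[key]:
            return False
    if not (port_ok(rule["sport"], pkt["sport"]) and port_ok(rule["dport"], pkt["dport"])):
        return False
    if rule["flags"]:
        want, mask = rule["flags"]
        if pkt["proto"] != "tcp" or (pkt["flags"] & mask) != want:
            return False
    return rule["with"] <= pkt["with"]

def evaluate(rules, pkt):
    verdict = "pass"  # nothing matched: IP Filter passes the packet
    for rule in rules:
        if not matches(rule, pkt) or rule["action"] == "log":
            continue
        verdict = rule["action"]  # a later match overrides an earlier one ...
        if rule["quick"]:  # ... unless this match is "quick"
            break
    return verdict

def packet(direction, iface, proto, src, dst, sport=None, dport=None, flags="", with_=()):
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "flags": set(flags), "with": set(with_)}

# Constructed rule set drawn from the page's examples (literal addresses only).
RULESET = [parse_rule(line) for line in """
block in from any to any
pass in from 10.1.3.1 to any
block in log quick on le0 from any to any with short frag
block in log on le0 proto udp from any to any port = 2049
pass in quick from any to 10.1.3.2/32
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
""".strip().splitlines()]

def demo():
    return {
        "trusted_src": evaluate(RULESET, packet("in", "le0", "tcp", "10.1.3.1", "10.1.5.5", 4000, 80, "S")),  # later pass overrides the blanket block
        "syn_to_lan": evaluate(RULESET, packet("in", "le0", "tcp", "10.1.3.1", "10.1.3.7", 4000, 80, "S")),  # but the last matching block wins
        "quick_pass": evaluate(RULESET, packet("in", "le0", "udp", "192.0.2.9", "10.1.3.2", 5000, 2049)),  # quick pass ends evaluation
        "short_frag": evaluate(RULESET, packet("in", "le0", "tcp", "192.0.2.9", "10.1.3.2", with_=("short", "frag"))),  # quick block reached first
        "outbound": evaluate(RULESET, packet("out", "le0", "tcp", "10.1.3.2", "192.0.2.9", 4000, 80, "S")),  # no "out" rule: default pass
    }
```

Running demo() gives pass, block, pass, block, pass for the five packets in that order. The second case is the one to internalise: a source that an earlier rule explicitly passed is still blocked because a later non-quick rule also matched, so adding a rule at the end of a file silently changes earlier decisions unless the earlier ones were "quick". Before loading a real file, a syntax pass with `ipf -n -v -f rules.txt` parses the rules without changing the running kernel; this evaluator only checks ordering logic, not syntax the real parser would reject.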