Annotation of src/share/ipf/example.13, Revision 1.1
#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
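As an added worked example (not part of example.13 or the ipf distribution), the Python model below parses the rules above and walks constructed sample packets through them, so the effects the comments describe can be checked: the SYN-with-options packet that gets logged twice, `quick` ending the scan so that the later `block in quick ... with ipopts` never fires for one of the exempted hosts, and a later non-quick rule overriding an earlier match. The evaluation semantics it implements (last matching block/pass rule wins, `quick` ends the scan, a bare `log` rule logs on match and the scan continues, `log` on block/pass only takes effect when that rule is the final match, and a packet matching no block/pass rule is passed) are the model's own assumptions about ipf, as are the `pkt` helper, the sample addresses and the sample packets.

```python
"""Model of IPFilter's scan over the example.13 rules: added example, not ipf's
own code. The semantics it assumes are stated in the comments in evaluate()."""
from ipaddress import ip_address, ip_network

RULESET = """
log in on le0 from any to any with ipopts
block in log quick on le0 from any to any with short frag
log in on le0 proto tcp from any to any flags S/SA
block in log on le0 proto icmp from any to any icmp-type unreach
block in log on le0 proto udp from any to any port = 2049
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
block in quick on le0 from any to any with ipopts
pass in from any to any
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
"""  # the example.13 rules with the comments stripped
ONE_ARG = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "icmp-type": "icmp_type"}
WITH_OPTS = {"ipopts", "short", "frag"}      # packet properties tested by `with`


def parse_rule(line):  # covers only the keywords example.13 uses
    toks = [t for t in line.split() if t != "in"]   # every rule here is inbound
    r = {"text": line, "action": toks[0], "log": False, "quick": False,
         "iface": None, "proto": None, "src": "any", "dst": "any",
         "dport": None, "syn_only": False, "opts": set(), "icmp_type": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            r[t] = True
        elif t in ONE_ARG:                  # keyword followed by one value
            i += 1
            r[ONE_ARG[t]] = toks[i]
        elif t == "port":                   # "to any port = N": destination port
            i += 2
            r["dport"] = int(toks[i])
        elif t == "flags":                  # S/SA: SYN set and ACK clear
            i += 1
            r["syn_only"] = toks[i] == "S/SA"
        elif t == "with":                   # one or more of ipopts/short/frag
            while i + 1 < len(toks) and toks[i + 1] in WITH_OPTS:
                i += 1
                r["opts"].add(toks[i])
        else:
            raise ValueError("unsupported keyword: " + t)
        i += 1
    return r


def matches(r, p):
    in_net = lambda addr, spec: spec == "any" or ip_address(addr) in ip_network(spec)
    flags = p.get("flags", "")
    return ((r["iface"] is None or r["iface"] == p["iface"])
            and (r["proto"] is None or r["proto"] == p["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and (r["dport"] is None or r["dport"] == p.get("dport"))
            and (not r["syn_only"] or ("S" in flags and "A" not in flags))
            and r["opts"] <= p.get("opts", set())
            and (r["icmp_type"] is None or r["icmp_type"] == p.get("icmp_type")))


def evaluate(rules, p):  # -> (decision, texts of the rules that logged p)
    decision, final, logged = "pass", None, []  # default pass: assumption
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "log":            # log action: log now, keep scanning
            logged.append(r["text"])
            continue
        decision, final = r["action"], r    # last block/pass match wins ...
        if r["quick"]:                      # ... unless it says quick
            break
    if final is not None and final["log"]:  # block/pass log: only as final match
        logged.append(final["text"])
    return decision, logged


RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]

def pkt(proto, dst, **extra):  # constructed inbound packet on le0 (sample data)
    return {"iface": "le0", "proto": proto, "src": "192.0.2.9", "dst": dst, **extra}

SYN_OPTS_TO_10_1_1 = pkt("tcp", "10.1.1.5", dport=22, flags="S", opts={"ipopts"})
SYN_OPTS_TO_EXEMPT = pkt("tcp", "10.1.3.2", dport=22, flags="S", opts={"ipopts"})
UDP_DNS_TO_10_1_3 = pkt("udp", "10.1.3.7", dport=53)
UDP_NFS_TO_10_1_3 = pkt("udp", "10.1.3.7", dport=2049)
ICMP_UNREACH_TO_10_1_5 = pkt("icmp", "10.1.5.1", icmp_type="unreach")
SAMPLES = (SYN_OPTS_TO_10_1_1, SYN_OPTS_TO_EXEMPT, UDP_DNS_TO_10_1_3,
           UDP_NFS_TO_10_1_3, ICMP_UNREACH_TO_10_1_5)

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["proto"], "->", p["dst"], *evaluate(RULES, p))
```

Run stand-alone it prints one verdict per sample packet. Under the modelled semantics the SYN packet with IP options is logged by both bare `log` rules and then blocked by `block in quick ... with ipopts`, while the same packet addressed to 10.1.3.2 is passed by the earlier `pass in quick` rule and the `with ipopts` block is never reached. The NFS and ICMP-unreachable samples show the other ordering effect: their `block in log` rules match first, but the later `pass in from any to any` (and, for 10.1.3.7, the subnet block after it) becomes the final match, so the block-and-log intent of the earlier rule does not take effect. That is the reason a rule whose logging must be reliable is written with `quick`, as the `short frag` rule in this file is.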