| version 1.1, 1996/01/09 09:29:39 |
version 1.2, 1996/07/18 05:57:21 |
|
|
| # |
# |
| # For a network server, which has two interfaces, 128.1.40.1 (le0) and |
# log all inbound packet on le0 which has IP options present |
| # 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is |
|
| # connected to the majority of the network, whilst le0 is connected to a |
|
| # leaf subnet. We're not concerned about filtering individual services. |
|
| # |
# |
| pass in quick on le0 from 128.1.40.0/24 to any |
log in on le0 from any to any with ipopts |
| block in quick log on le0 from any to any |
# |
| block in quick log on le1 from 128.1.40.0/24 to any |
# block any inbound packets on le0 which are fragmented and "too short" to |
| pass in quick on le1 from any to any |
# do any meaningful comparison on. This actually only applies to TCP |
| |
# packets which can be missing the flags/ports (depending on which part |
| |
# of the fragment you see). |
| |
# |
| |
block in log quick on le0 from any to any with short frag |
| |
# |
| |
# log all inbound TCP packets with the SYN flag (only) set |
| |
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it |
| |
# had IP options present, this rule and the above would cause it |
| |
# to be logged twice). |
| |
# |
| |
log in on le0 proto tcp from any to any flags S/SA |
| |
# |
| |
# block and log any inbound ICMP unreachables |
| |
# |
| |
block in log on le0 proto icmp from any to any icmp-type unreach |
| |
# |
| |
# block and log any inbound UDP packets on le0 which are going to port 2049 |
| |
# (the NFS port). |
| |
# |
| |
block in log on le0 proto udp from any to any port = 2049 |
| |
# |
| |
# quickly allow any packets to/from a particular pair of hosts |
| |
# |
| |
pass in quick from any to 10.1.3.2/32 |
| |
pass in quick from any to 10.1.0.13/32 |
| |
pass in quick from 10.1.3.2/32 to any |
| |
pass in quick from 10.1.0.13/32 to any |
| |
# |
| |
# block (and stop matching) any packet with IP options present. |
| |
# |
| |
block in quick on le0 from any to any with ipopts |
| |
# |
| |
# allow any packet through |
| |
# |
| |
pass in from any to any |
| |
# |
| |
# block any inbound UDP packets destined for these subnets. |
| |
# |
| |
block in on le0 proto udp from any to 10.1.3.0/24 |
| |
block in on le0 proto udp from any to 10.1.1.0/24 |
| |
block in on le0 proto udp from any to 10.1.2.0/24 |
| |
# |
| |
# block any inbound TCP packets with only the SYN flag set that are |
| |
# destined for these subnets. |
| |
# |
| |
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA |
| |
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA |
| |
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA |
| |
# |
| |
# block any inbound ICMP packets destined for these subnets. |
| |
# |
| |
block in on le0 proto icmp from any to 10.1.3.0/24 |
| |
block in on le0 proto icmp from any to 10.1.1.0/24 |
| |
block in on le0 proto icmp from any to 10.1.2.0/24 |
![[BACK]](/icons/back.gif){kind=icon}
Return to example.14 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / share / ipf