xref: /freebsd/share/examples/ipfilter/rules.txt (revision 315ee00f)
#
# block all incoming TCP packets on le0 from host "foo" to any destination.
#
block in on le0 proto tcp from foo/32 to any

  ------------------------------------------------------------------------

#
# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
block out on le0 proto tcp from any to bar/32 port = 23

  ------------------------------------------------------------------------

#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from 10.1.3.1 to any
pass in from 10.1.3.2 to any
pass in from 10.1.3.3 to any
pass in from 10.1.3.4 to any
pass in from 10.1.3.5 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32

  ------------------------------------------------------------------------

#
# block all ICMP packets.
#
block in proto icmp from any to any

  ------------------------------------------------------------------------

#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass in from foo to bar
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from fubar port != 53 to localhost
#
# block all ICMP unreachables.
#
block in proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (i.e. there
# are IP options such as source-routing present).
#
pass in from any to any with ipopts

  ------------------------------------------------------------------------

#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection).
#
block in proto tcp from any to any flags S/SA

  ------------------------------------------------------------------------

#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on.  This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
#  (NOTE: if it were an inbound TCP packet with the SYN flag set and it
#         had IP options present, this rule and the above would cause it
#         to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
#
# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
block in to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in dup-to le0:packetlog proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in fastroute proto udp all
#
# Route all ICMP packets to network 10 out through le1, to "router"
#
pass in to le1:router proto icmp all
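The last ruleset above only works because of two ipf ordering properties: the last matching rule decides (so "pass in from any to any" is still overridden by the "block in on le0 proto udp ..." rules that follow it), and a matching "quick" rule ends the search at once. The following is an added example, not part of this rules file or of ipfilter itself: a toy Python matcher for the subset of the syntax used here (direction, on, proto, from/to with CIDR, a destination "port =/!=" test, log, quick) that evaluates four of those rules against constructed packets; it assumes ipf's default of passing packets no rule matches and ignores flags/with/dup-to.

```python
import ipaddress
# Added example (not ipfilter's own code): a toy matcher for the subset of
# ipf syntax used above. It models ipf's ordering rule: the LAST matching
# rule decides, unless a matching rule says "quick", which ends the search.
# Packets matched by no rule are passed (ipf's usual default; assumed here).
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
def parse_rule(text):
    toks = text.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "dport": None}
    it = iter(toks[2:])                        # "log" needs no match state
    for t in it:
        if t == "quick":
            rule["quick"] = True
        elif t in KEYS:                        # keywords taking one argument
            arg = next(it)
            if t in ("from", "to"):            # "any" stays None (wildcard)
                arg = None if arg == "any" else ipaddress.ip_network(arg)
            rule[KEYS[t]] = arg
        elif t == "port":                      # "port = N" / "port != N" (dst)
            rule["dport"] = (next(it), int(next(it)))
    return rule

def matches(rule, pkt):
    ok = rule["dir"] == pkt["dir"]
    for key in ("iface", "proto"):
        ok = ok and (rule[key] is None or rule[key] == pkt[key])
    for key in ("src", "dst"):
        ok = ok and (rule[key] is None or ipaddress.ip_address(pkt[key]) in rule[key])
    if ok and rule["dport"]:
        op, port = rule["dport"]
        ok = (pkt["dport"] == port) == (op == "=")
    return ok

def decide(rules, pkt):
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]           # a later match overrides earlier ones
            if rule["quick"]:
                break
    return verdict
# Four rules from the last ruleset above, in the order they appear there.
RULES = [parse_rule(r) for r in (
    "block in log on le0 proto udp from any to any port = 2049",
    "pass in quick from any to 10.1.3.2/32",
    "pass in from any to any",
    "block in on le0 proto udp from any to 10.1.3.0/24",
)]
```

Note that the "pass in quick ... to 10.1.3.2/32" rule lets even NFS traffic to that host through, since it stops the search before the later block rules are consulted.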

  ------------------------------------------------------------------------