authordm <dm@openbsd.org>1996-07-18 05:57:20 +0000
committerdm <dm@openbsd.org>1996-07-18 05:57:20 +0000
commit613eaca369865255e9371247704db880d77c4d17 (patch)
tree6cb5e76b462fe12823f0672dd721b0968048d6f4
parentipfilter 3.1.0 (diff)
added my two firewall examples, plus the stuff from the distribution
-rw-r--r--share/ipf/Makefile4
-rw-r--r--share/ipf/example.1362
-rw-r--r--share/ipf/example.1469
-rw-r--r--share/ipf/example.1511
-rw-r--r--share/ipf/example.1613
-rw-r--r--share/ipf/example.22
-rw-r--r--share/ipf/example.42
-rw-r--r--share/ipf/example.62
-rw-r--r--share/ipf/example.82
-rw-r--r--share/ipf/firewall.133
-rw-r--r--share/ipf/firewall.267
-rw-r--r--share/ipf/nat.114
12 files changed, 213 insertions, 68 deletions
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
index 5d009fff9c1..10c39b793bf 100644
--- a/share/ipf/Makefile
+++ b/share/ipf/Makefile
@@ -1,7 +1,7 @@
#
-# $Id: Makefile,v 1.1 1996/01/09 09:29:32 dm Exp $
+# $Id: Makefile,v 1.2 1996/07/18 05:57:20 dm Exp $
#
-FILES= example.*
+FILES= example.* nat.* firewall.*
NOOBJ= noobj
all clean cleandir depend lint tags:
diff --git a/share/ipf/example.13 b/share/ipf/example.13
index c4c1994030b..df13d0af471 100644
--- a/share/ipf/example.13
+++ b/share/ipf/example.13
@@ -1,61 +1,17 @@
#
-# log all inbound packet on le0 which has IP options present
+# Log all short TCP packets to qe3, with "packetlog" as the intended
+# destination for the packet.
#
-log in on le0 from any to any with ipopts
+block in to qe3:packetlog proto tcp all with short
#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
+# Log all connection attempts for TCP
#
-block in log quick on le0 from any to any with short frag
+pass in dup-to le0:packetlog proto tcp all flags S/SA
#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
+# Route all UDP packets through transparently.
#
-log in on le0 proto tcp from any to any flags S/SA
+pass in fastroute proto udp all
#
-# block and log any inbound ICMP unreachables
+# Route all ICMP packets to network 10 out through le1, to "router"
#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
+pass in to le1:router proto icmp all
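Review bot: The new header says the first rule logs short TCP packets, but `block in to qe3:packetlog proto tcp all with short` carries no `log` keyword, so no ipl/ipmon record is produced; the `to qe3:packetlog` clause instead sends the blocked packet out qe3 towards the host packetlog. The same applies to `pass in dup-to le0:packetlog proto tcp all flags S/SA`, which passes the SYN and emits a copy to packetlog rather than logging it. I'd reword both comments to say "send"/"copy a packet to packetlog" and note that `log` must be added as well if a log entry is also wanted. `pass in fastroute proto udp all` would likewise benefit from a comment stating that, as I read fastroute, the packet is forwarded by the filter itself and so is not seen by any outbound rules — worth spelling out if that is the intended behaviour.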
diff --git a/share/ipf/example.14 b/share/ipf/example.14
index a7120527a28..c4c1994030b 100644
--- a/share/ipf/example.14
+++ b/share/ipf/example.14
@@ -1,10 +1,61 @@
#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services.
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in quick log on le0 from any to any
-block in quick log on le1 from 128.1.40.0/24 to any
-pass in quick on le1 from any to any
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on. This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+# had IP options present, this rule and the above would cause it
+# to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24
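Review bot: The placement of `pass in from any to any` ("allow any packet through") ahead of the subnet-specific blocks only works because ipf applies the last matching rule, and the example never says so; a reader used to first-match filters will read it as permit-all. The consequence shows in the NFS rule: for a UDP/2049 packet whose destination is outside the three 10.1.x.0/24 subnets, `block in log on le0 proto udp from any to any port = 2049` is not the final match, so the later pass wins and the packet goes through (and, as I read ipf's logging semantics for pass/block rules, is not logged either). Suggest a header comment such as `# NOTE: ipf applies the LAST matching rule unless a rule says "quick"; the "pass in from any to any" below is a default that later block rules override.`, and adding `quick` to the 2049 rule if that block is meant to hold unconditionally.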
diff --git a/share/ipf/example.15 b/share/ipf/example.15
new file mode 100644
index 00000000000..5eafc7c0216
--- /dev/null
+++ b/share/ipf/example.15
@@ -0,0 +1,11 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services
+# or
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.1.0/24 to any
+pass in quick on le1 from any to any
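Review bot: The anti-spoofing rule for le1 blocks `from 128.1.1.0/24`, but the header describes le0's leaf subnet as 128.1.40.0/24 and le1 as 128.1.2.1; 128.1.1.0/24 appears nowhere else, so a packet arriving on le1 with a forged 128.1.40.x source falls through to `pass in quick on le1 from any to any`. The text this file was moved out of (the old example.14 in this same commit) used `block in quick log on le1 from 128.1.40.0/24 to any`, which matches the described topology, so the new address looks like a typo. The comment also ends in a dangling `# or` — either finish the sentence or drop that line.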
diff --git a/share/ipf/example.16 b/share/ipf/example.16
new file mode 100644
index 00000000000..339a25f963f
--- /dev/null
+++ b/share/ipf/example.16
@@ -0,0 +1,13 @@
+#
+# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
+# somewhere, waiting for it.
+#
+pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
+block out on le0 proto tcp all
+block in on le0 proto tcp all
+#
+# allow nameserver queries and replies to pass through, but no other UDP
+#
+pass out quick on le0 proto udp from any to any port = 53 keep state
+block out on le0 proto udp all
+block in on le0 proto udp all
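Review bot: The file constrains only TCP and UDP on le0; no rule mentions ICMP or any other IP protocol, and ipf passes a packet that matches no rule unless the kernel was built to block by default. Because the header reads as a tight "only allow" policy, a comment making that scope explicit would stop the example being taken for default-deny: `# Note: only TCP and UDP are restricted here; other protocols (e.g. ICMP) fall to ipf's default action.` It is also worth stating that inbound DNS queries to a server on this host are dropped by `block in on le0 proto udp all`, since the entry created by `pass out quick ... port = 53 keep state` covers only the replies to queries this host sends.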
diff --git a/share/ipf/example.2 b/share/ipf/example.2
index d3333b37e9f..59d9ec8648b 100644
--- a/share/ipf/example.2
+++ b/share/ipf/example.2
@@ -1,4 +1,4 @@
#
-# block all outgoing TCO packets on le0 from any host to port 23 of host bar.
+# block all outgoing TCP packets on le0 from any host to port 23 of host bar.
#
block out on le0 proto tcp from any to bar/32 port != 23
diff --git a/share/ipf/example.4 b/share/ipf/example.4
index 23aea7edf96..7918ec2fbd9 100644
--- a/share/ipf/example.4
+++ b/share/ipf/example.4
@@ -1,4 +1,4 @@
#
# block all ICMP packets.
#
-block proto icmp from any to any mask any
+block in proto icmp from any to any
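Review bot: The rule now matches inbound ICMP only, but the comment above it still reads `# block all ICMP packets.`; outbound ICMP is no longer blocked. Update it to `# block all inbound ICMP packets.`. The same mismatch exists in example.6, where `block in proto tcp from any to any flags S/SA` sits under a comment that still describes blocking all SYN-only packets.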
diff --git a/share/ipf/example.6 b/share/ipf/example.6
index ac91fea1b25..d40f0f3d2a1 100644
--- a/share/ipf/example.6
+++ b/share/ipf/example.6
@@ -2,4 +2,4 @@
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection) out of the SYN-ACK pair.
#
-block proto tcp from any to any flags S/SA
+block in proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.8 b/share/ipf/example.8
index 69fa4a2d32a..baa02581256 100644
--- a/share/ipf/example.8
+++ b/share/ipf/example.8
@@ -3,7 +3,7 @@
# the ident port
#
block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any flags S/SA
+block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
#
diff --git a/share/ipf/firewall.1 b/share/ipf/firewall.1
new file mode 100644
index 00000000000..49323797bc5
--- /dev/null
+++ b/share/ipf/firewall.1
@@ -0,0 +1,33 @@
+#
+# This is an example of a very light firewall used to guard against
+# some of the most easily exploited common security holes.
+#
+# The example assumes it is running on a gateway with interface ppp0
+# attached to the outside world, and interface ed0 attached to
+# network 192.168.4.0 which needs to be protected.
+#
+#
+# Pass any packets not explicitly mentioned by subsequent rules
+#
+pass out from any to any
+pass in from any to any
+#
+# Block any inherently bad packets coming in from the outside world.
+# These include ICMP redirect packets and IP fragments so short the
+# filtering rules won't be able to examine the whole UDP/TCP header.
+#
+block in log quick on ppp0 proto icmp from any to any icmp-type redir
+block in log quick on ppp0 proto tcp/udp all with short
+#
+# Block any IP spoofing atempts. (Packets "from" our network
+# shouldn't be coming in from outside).
+#
+block in log quick on ppp0 from 198.168.4.0/24 to any
+block in log quick on ppp0 from localhost to any
+#
+# Block any incoming traffic to NFS ports, to the RPC portmapper, and
+# to X servers.
+#
+block in log on ppp0 proto tcp/udp from any to any port = sunrpc
+block in log on ppp0 proto tcp/udp from any to any port = 2049
+block in log on ppp0 proto tcp from any to any port = 6000
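Review bot: The anti-spoofing rule `block in log quick on ppp0 from 198.168.4.0/24 to any` names 198.168.4.0/24, while the header describes the protected network as 192.168.4.0 — the digits look transposed, so a packet arriving on ppp0 with a forged 192.168.4.x source is not caught and falls to `pass in from any to any`. The fix is `block in log quick on ppp0 from 192.168.4.0/24 to any`; the identical line in firewall.2 needs the same correction. The comment above it also misspells "attempts" as `atempts` in both files.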
diff --git a/share/ipf/firewall.2 b/share/ipf/firewall.2
new file mode 100644
index 00000000000..db26e7d7667
--- /dev/null
+++ b/share/ipf/firewall.2
@@ -0,0 +1,67 @@
+#
+# This is an example of a fairly heavy firewall used to keep everyone
+# out of a particular network while still allowing people within that
+# network to get outside.
+#
+# The example assumes it is running on a gateway with interface ppp0
+# attached to the outside world, and interface ed0 attached to
+# network 192.168.4.0 which needs to be protected.
+#
+#
+# Pass any packets not explicitly mentioned by subsequent rules
+#
+pass out from any to any
+pass in from any to any
+#
+# Block any inherently bad packets coming in from the outside world.
+# These include ICMP redirect packets, IP fragments so short the
+# filtering rules won't be able to examine the whole UDP/TCP header,
+# and anything with IP options.
+#
+block in log quick on ppp0 proto icmp from any to any icmp-type redir
+block in log quick on ppp0 proto tcp/udp all with short
+block in log quick on ppp0 from any to any with ipopts
+#
+# Block any IP spoofing atempts. (Packets "from" our network
+# shouldn't be coming in from outside).
+#
+block in log quick on ppp0 from 198.168.4.0/24 to any
+block in log quick on ppp0 from localhost to any
+#
+# Block all incoming UDP traffic except talk and DNS traffic. NFS
+# and portmap are special-cased and logged.
+#
+block in on ppp0 proto udp from any to any
+block in log on ppp0 proto udp from any to any port = sunrpc
+block in log on ppp0 proto udp from any to any port = 2049
+pass in on ppp0 proto udp from any to any port = domain
+pass in on ppp0 proto udp from any to any port = talk
+pass in on ppp0 proto udp from any to any port = ntalk
+#
+# Block all incoming TCP traffic connections to known services,
+# returning a connection reset so things like ident don't take
+# forever timing out. Don't log ident (auth port) as it's so common.
+#
+block return-rst in log on ppp0 proto tcp from any to any flags S/SA
+block in on ppp0 proto tcp from any to any port = auth flags S/SA
+#
+# Allow incoming TCP connections to ports between 1024 and 5000, as
+# these don't have daemons listening but are used by outgoing
+# services like ftp and talk. For slightly more obscurity (though
+# not much more security), the second commented out rule can chosen
+# instead.
+#
+pass in on ppp0 proto tcp from any to any port 1024 >< 5000
+#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
+#
+# Now allow various incoming TCP connections to particular hosts, TCP
+# to the main nameserver so secondaries can do zone transfers, SMTP
+# to the mail host, www to the web server (which really should be
+# outside the firewall if you care about security), and ssh to a
+# hypothetical machine caled 'gatekeeper' that can be used to gain
+# access to the protected network from the outside world.
+#
+pass in on ppp0 proto tcp from any to ns1 port = domain
+pass in on ppp0 proto tcp from any to mail port = smtp
+pass in on ppp0 proto tcp from any to www port = www
+pass in on ppp0 proto tcp from any to gatekeeper port = ssh
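Review bot: The ident handling contradicts its own comment: `block in on ppp0 proto tcp from any to any port = auth flags S/SA` is the later, and therefore final, match for an ident SYN and carries no `return-rst`, so ident probes are silently dropped and the remote mailer waits out exactly the timeout the comment says it wants to avoid. If the intent is "reset but don't log", the line should read `block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA`. Separately, `pass in on ppp0 proto tcp from any to any port 1024 >< 5000` comes after the general SYN block and so becomes the final match for any TCP SYN in that range, including 2049 — unlike firewall.1, this file blocks NFS on UDP only, so a host serving NFS over TCP would be reachable from ppp0. A `quick` block for tcp port 2049 placed before the range pass, mirroring the UDP line, would close that, and the comment should say the range is opened to all inbound connections, not just ftp-data. Minor: `caled` in the last comment block should be "called".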
diff --git a/share/ipf/nat.1 b/share/ipf/nat.1
new file mode 100644
index 00000000000..9c26754a57f
--- /dev/null
+++ b/share/ipf/nat.1
@@ -0,0 +1,14 @@
+# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
+# port number to something between 10,000 and 20,000 inclusive. For all other
+# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
+# for each new user.
+#
+map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
+map ed1 10.1.0.0/16 -> 240.1.0.0/24
+#
+# Redirection is triggered for input packets.
+# For example, to redirect FTP connections through this box, to the local ftp
+# port, forcing them to connect through a proxy, you would use:
+#
+rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
+#
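Review bot: The translated addresses 240.1.0.1 and 240.1.0.0/24 in the two `map` rules lie in 240.0.0.0/4, which is reserved (class E) address space, so the example cannot be used as written and someone copying it will produce unroutable traffic. A comment marking them as placeholders to be replaced with the gateway's real external address(es) would avoid that, e.g. `# 240.1.0.x below are placeholder addresses; substitute your external address/block.` It would also help to say explicitly that the two `map` lines are order-dependent — the "all other IP packets" wording only holds if the portmap tcp rule is matched first, which the comment implies but does not state.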