# $NetBSD: example.5,v 1.1.1.1 2012/03/23 21:20:15 christos Exp $
#
# test ruleset
#
# allow packets coming from foo to bar through.
#
pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block all ICMP unreachables.
#
block in proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
pass in from any to any with ipopts
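The following is an added example, not part of the NetBSD example.5 file or of IPFilter itself: a small Python evaluator that parses the five rules above and applies IPFilter's matching semantics to constructed sample packets. It assumes IPFilter's default behaviour when no rule carries `quick` (every rule is tested, the last matching rule decides, and a packet that matches nothing is passed), resolves `localhost` to 127.0.0.1 by a local table, and understands only the keywords this ruleset uses. The `Packet` class, `HOSTS` table and `evaluate` function are this example's own names. Running it shows why rule order matters in a last-match ruleset: the trailing `pass in from any to any with ipopts` rule re-admits an ICMP unreachable that carries IP options, even though the `block` rule just above it matched first.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five rules from example.5, used here as parser input.
EXAMPLE_RULESET = """\
pass in from 10.1.1.2 to 10.2.1.1
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
pass in proto udp from 10.2.2.2 port != 53 to localhost
block in proto icmp from any to any icmp-type unreach
pass in from any to any with ipopts
"""

# Assumed name resolution: IPFilter resolves hostnames when rules are loaded;
# this example only knows "localhost".
HOSTS = {"localhost": "127.0.0.1"}


def parse_addr(tok: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0; bare host -> /32; strict=False masks host bits,
    so 10.2.2.2/24 becomes the subnet 10.2.2.0/24 the comment describes."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(HOSTS.get(tok, tok), strict=False)


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None               # None matches any protocol
    sport: Optional[Tuple[str, int]] = None   # (operator, port), operator "=" or "!="
    dport: Optional[Tuple[str, int]] = None
    icmp_type: Optional[str] = None
    ipopts: bool = False                      # "with ipopts": IP options must be present


def parse_rule(line: str) -> Rule:
    """Parse the subset of IPFilter rule syntax used in example.5."""
    toks = shlex.split(line)
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction != "in":
        raise ValueError(f"unsupported rule: {line}")
    rule = Rule(action=action, src=parse_addr("any"), dst=parse_addr("any"))
    i, side = 2, None            # side: endpoint a following "port" clause belongs to
    while i < len(toks):
        t = toks[i]
        if t == "proto":
            rule.proto = toks[i + 1]; i += 2
        elif t == "from":
            rule.src = parse_addr(toks[i + 1]); side = "src"; i += 2
        elif t == "to":
            rule.dst = parse_addr(toks[i + 1]); side = "dst"; i += 2
        elif t == "port":
            op, num = toks[i + 1], int(toks[i + 2])
            if op not in ("=", "!="):
                raise ValueError(f"unsupported port operator {op!r}")
            if side == "src":
                rule.sport = (op, num)
            else:
                rule.dport = (op, num)
            i += 3
        elif t == "icmp-type":
            rule.icmp_type = toks[i + 1]; i += 2
        elif t == "with" and toks[i + 1] == "ipopts":
            rule.ipopts = True; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Skip blank and '#' comment lines, parse the rest in order."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


@dataclass
class Packet:                    # constructed packet summary, not a real capture
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    ipopts: bool = False


def port_matches(clause: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    if clause is None:
        return True
    if port is None:             # rule needs a port, packet has none (e.g. ICMP)
        return False
    op, num = clause
    return port == num if op == "=" else port != num


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type)
            and (not rule.ipopts or pkt.ipopts))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule). Assumed IPFilter semantics
    without 'quick': every rule is tested, the last match wins, no match passes."""
    verdict, which = "pass", None
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            verdict, which = rule.action, idx
    return verdict, which


if __name__ == "__main__":
    rules = parse_ruleset(EXAMPLE_RULESET)
    for pkt in (Packet("192.0.2.5", "10.1.1.2", "icmp", icmp_type="unreach"),
                Packet("192.0.2.5", "10.1.1.2", "icmp", icmp_type="unreach", ipopts=True),
                Packet("10.2.2.2", "127.0.0.1", "udp", sport=53, dport=5353)):
        print(pkt, "->", evaluate(rules, pkt))
```

The third sample packet (UDP from port 53 to localhost) matches no rule at all and is passed by the implicit default, which is the check a reviewer of this ruleset would want to make explicit: a ruleset that only lists what to pass, plus one block, leaves everything unmentioned open. Adding `quick` to the `block` rule, or a final `block in all`, is how IPFilter rulesets normally close that gap; this example keeps the file's rules as written.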