# $NetBSD: example.sr,v 1.1.1.1 2012/03/23 21:20:15 christos Exp $
#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
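The ordering in this file only makes sense once you hold two ipf(5) rules of thumb in your head: the last matching rule decides the packet unless a matching rule carries `quick`, and a bare `log` rule logs without deciding anything. The toy evaluator below is an added illustration (not IPFilter's own code and not part of the NetBSD example) that parses a constructed excerpt of the rules above and walks a few constructed inbound packets through them. It shows the "logged twice" case the comment warns about, why the `pass in quick` host rules shield 10.1.3.2 from the later subnet blocks, and that the non-quick port 2049 block is overridden by the later `pass in from any to any` for destinations outside the listed subnets. One modelling assumption is labelled in the docstring: `log` on a pass/block rule is counted only when that rule is the final match.

```python
"""Toy evaluator for the ipf(5) rule subset used in example.sr above.

Added illustration, not IPFilter's own code. It models two behaviours the
file's comments rely on: the LAST matching rule decides unless a matching
rule says "quick", and a bare "log" rule logs without deciding.
Assumption: "log" on a pass/block rule fires only if that rule is final.
"""
import ipaddress

# Constructed excerpt of the rules above, kept in the same relative order.
RULESET = """
log in on le0 from any to any with ipopts
block in log quick on le0 from any to any with short frag
log in on le0 proto tcp from any to any flags S/SA
block in log on le0 proto udp from any to any port = 2049
pass in quick from any to 10.1.3.2/32
block in quick on le0 from any to any with ipopts
pass in from any to any
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
"""


def parse_rule(line):
    """Parse one rule line into match criteria (only the keywords used here)."""
    toks = line.split()
    r = {"action": toks[0], "dir": toks[1], "log": toks[0] == "log",
         "quick": False, "iface": None, "proto": None, "src": None,
         "dst": None, "dport": None, "flags": None, "with": set(), "text": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "log":
            r["log"] = True
        elif t == "quick":
            r["quick"] = True
        elif t in ("on", "proto"):
            i += 1
            r["iface" if t == "on" else "proto"] = toks[i]
        elif t in ("from", "to"):
            i += 1
            r["src" if t == "from" else "dst"] = (
                None if toks[i] == "any" else ipaddress.ip_network(toks[i]))
        elif t == "port":                     # "port = N" (destination side here)
            i += 2
            r["dport"] = int(toks[i])
        elif t == "flags":                    # "S/SA" = bits that must be set / bits tested
            i += 1
            r["flags"] = toks[i].split("/")
        elif t == "with":                     # packet attributes: ipopts, short, frag
            i += 1
            while i < len(toks) and toks[i] in ("ipopts", "short", "frag"):
                r["with"].add(toks[i])
                i += 1
            continue
        i += 1
    return r


def matches(r, pkt):
    """True if packet dict pkt satisfies every criterion of rule r."""
    if r["dir"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if r[side] is not None and ipaddress.ip_address(pkt[side]) not in r[side]:
            return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["flags"]:
        want, mask = r["flags"]               # (flags & mask) must equal want
        if {f for f in pkt.get("flags", "") if f in mask} != set(want):
            return False
    return r["with"] <= pkt.get("attrs", set())


def evaluate(rules, pkt):
    """Return (verdict, log_count). Default is pass when nothing matches."""
    logged, final = 0, None
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "log":              # log-only rule: logs now, no verdict
            logged += 1
            continue
        final = r                             # later non-quick matches override this
        if r["quick"]:                        # quick: stop scanning immediately
            break
    if final is None:
        return "pass", logged
    return final["action"], logged + (1 if final["log"] else 0)


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def demo():
    """Constructed inbound packets on le0 that exercise the ordering subtleties."""
    base = {"dir": "in", "iface": "le0", "src": "192.0.2.7"}
    cases = {
        # SYN with IP options: both log-only rules fire, then the quick ipopts block.
        "syn_ipopts": dict(base, proto="tcp", dst="10.1.1.9", flags="S", attrs={"ipopts"}),
        # Short fragment: logged and blocked by the quick rule, nothing else runs.
        "short_frag": dict(base, proto="tcp", dst="10.1.1.9", attrs={"short", "frag"}),
        # UDP to the special host: quick pass, the later subnet block is never consulted.
        "udp_special": dict(base, proto="udp", dst="10.1.3.2", dport=53),
        # UDP to a neighbour in 10.1.3.0/24: "pass any" first, then the later block wins.
        "udp_subnet": dict(base, proto="udp", dst="10.1.3.9", dport=53),
        # NFS to an unlisted subnet: non-quick port 2049 block is overridden by "pass any".
        "nfs": dict(base, proto="udp", dst="10.1.5.1", dport=2049),
        # SYN-ACK into 10.1.3.0/24: flags S/SA does not match, so it passes.
        "synack_subnet": dict(base, proto="tcp", dst="10.1.3.9", flags="SA"),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in cases.items()}
```

Running `demo()` returns a verdict and a log count per packet; the `nfs` case is the one worth staring at, because it is exactly the kind of rule that needs `quick` (or placement after the catch-all pass) if the block is meant to hold.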