scrub all no-df random-id fragment reassemble pass quick on lo0 all pass quick on fxp0 inet6 all block drop log quick from no-route to any block return log quick from any to no-route block return log on dc0 all label "dc0:default-block" queue bulk block drop in log quick on dc0 proto tcp from any to any port = domain block drop in log quick on dc0 proto udp from any to any port = domain block return out log quick on dc0 inet from ! (dc0) to any label "spoof" queue bulk block return out log quick on dc0 from any to label "dc0:bad-dest-out" queue bulk block return out log quick on dc0 from any to label "dc0:bad-dest-out" queue bulk block return out log quick on dc0 from any to label "dc0:bad-dest-out" queue bulk block drop in log quick on dc0 from to any label "dc0:bad-src-in" block drop in log quick on dc0 from to any label "dc0:bad-src-in" block drop in log quick on dc0 from to any label "dc0:bad-src-in" block drop in log quick on dc0 from to any label "dc0:bad-src-in" pass in on dc0 inet proto icmp all icmp-type echoreq code 0 keep state pass in on dc0 proto tcp from to any port = ssh keep state queue(in_bulk_ssh, in_chat) pass in on dc0 proto tcp from any to any port = smtp queue(in_bulk_smtp, in_fast) pass in on dc0 proto tcp from any to any port = submission queue(in_bulk_smtp, in_fast) pass in on dc0 proto tcp from any to any port = www keep state queue(in_bulk_std, in_fast) pass in on dc0 proto tcp from any to any port = https keep state queue(in_bulk_std, in_fast) pass in on dc0 proto tcp from any to any port = 8888 keep state queue(in_bulk_std, in_fast) pass out on dc0 inet proto icmp all icmp-type echoreq code 0 keep state queue bulk pass out on dc0 proto udp all keep state queue bulk pass out on dc0 proto tcp all flags S/FSRA modulate state queue(bulk, fast) pass out on dc0 proto tcp from any to any port = ssh flags S/FSRA modulate state queue(bulk, chat) pass out on dc0 proto tcp from any to any port = 6667 flags S/FSRA modulate state queue(chat, fast) pass out on dc0 proto udp from any to any port = domain keep state queue chat pass out on dc0 proto udp from any to any port = ntp keep state queue chat pass out on fxp0 proto udp from any to ! keep state queue in_bulk_std pass out on fxp0 proto tcp from any to ! keep state queue(in_bulk_std, in_fast) pass out on fxp0 proto tcp from any to ! port = ssh keep state queue(in_bulk_ssh, in_chat) pass out on fxp0 proto tcp from any to ! port = smtp keep state queue(in_bulk_smtp, in_fast) pass out on fxp0 proto tcp from any to ! port = submission keep state queue(in_bulk_smtp, in_fast) pass out on fxp0 proto tcp from any to ! port = 6667 keep state queue(in_chat, in_fast) pass out on fxp0 proto tcp from any to ! port = domain keep state queue in_chat pass out on fxp0 proto tcp from any to ! port = ntp keep state queue in_chat block return log on fxp1 all label "fxp1:default-block" block return out log quick on fxp1 inet from any to ! 192.168.0.0/24 label "fxp1:bad-dest-out" block return out log quick on fxp1 inet from any to label "fxp1:bad-dest-out" block return out log quick on fxp1 inet from any to label "fxp1:bad-dest-out" block return in log quick on fxp1 inet from ! 192.168.0.0/24 to any label "fxp1:bad-src-in" block return in log quick on fxp1 inet from to any label "fxp1:bad-src-in" block return in log quick on fxp1 inet from to any label "fxp1:bad-src-in" block return in log quick on fxp1 inet from to any label "fxp1:bad-src-in" pass on fxp1 inet proto icmp all icmp-type echoreq code 0 keep state pass out on fxp1 inet proto tcp from any to 192.168.0.0/24 port = ssh keep state pass in on fxp1 inet proto udp from 192.168.0.100 to 192.168.144.3 port = syslog keep state pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = domain keep state pass in on fxp1 inet proto udp from any to 192.168.144.3 port = domain keep state pass in on fxp1 inet proto udp from any to 192.168.144.3 port = ntp keep state pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = smtp keep state pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = www keep state pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = https keep state pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = submission keep state pass in on fxp1 inet proto tcp from any to 192.168.0.1 port = ssh keep state pass in on fxp1 inet6 proto tcp from any to fe80::2d0:b7ff:fe81:7b2b port = ssh keep state pass in on fxp1 inet6 proto tcp from any to 2002:d827:924b::/64 port = ssh keep state pass in on fxp1 proto tcp from any to port = ssh flags S/FSRA modulate state queue(in_bulk_ssh, in_chat) pass in on fxp1 proto udp from any to port = ntp keep state queue(in_chat, in_fast) pass in on fxp1 inet proto tcp from any to 192.168.144.3 port = 8000 flags S/FSRA modulate state pass in on fxp1 inet proto tcp from any to 66.35.250.207 port = cvspserver flags S/FSRA modulate state queue(in_bulk_std, in_fast) anchor dmz on fxp1 all anchor authpf all
NovoSial Icon

This document is released into the public domain. Version 1.3.4

Site provided by Peter N. Steinmetz