Appendix F. Sample defaultfilter.pf File


The following is a sample default filter INSPECT script.

    // IP source and destination
    #define src [12,b]
    #define dst [16,b]

    // TCP or UDP source and destination ports
    #define sport [20:2,b]
    #define dport [22:2,b]

    // IP protocol
    #define ip_p [9:1]

    // Table for recording outgoing sessions. Incoming packets are
    // matched against this table.
    connections = dynamic refresh expires 300;

    // The following two rules deal with outgoing and incoming
    // packets in which the IP source and destination are the same as
    // well as connections originating from the firewall going to tcp
    // port 256 (e.g., for fetching the security policy from the
    // management console) or to tcp port 22 (for ssh access). The
    // first rule accepts and records such outgoing packets. The
    // second rule accepts such packets if a matching packet was
    // previously recorded.
    <= all@all
       accept (
          (src = dst,
           record <0,src,ip_p,sport,dport> in connections)
            or
          (ip_p = 6, dport = 256 or dport = 22,
           record <src,dst,ip_p,sport,dport> in connections)
       );

    => all@all
       accept (
          (src = dst,
          <0,src,ip_p,sport,dport> in connections)
            or
          (ip_p = 6, sport = 256 or sport = 22,
          <dst,src,ip_p,dport,sport> in connections)
       );

    // The next rule just drops everything else.
    drop;
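The script above is what the firewall enforces before a real policy is loaded: it only lets the module itself talk out on TCP 256 and 22 (and to itself), records each such session in a dynamic table, admits only replies that match a recorded entry with the key reversed, and drops everything else. The following Python model is an added example, not Check Point code and not part of the book, written to show that logic executing on raw packet bytes. It reads the same header offsets the `#define` lines use (so it assumes a 20-byte IPv4 header with no options), treats the comma as AND and `dport = 256 or dport = 22` as one grouped condition as the script's own comment describes, and models `dynamic refresh expires 300` as an entry that lives 300 seconds after it was last recorded or matched. The packets it feeds through are constructed test input.

```python
import socket
import struct
import time

# Header byte offsets, the same ones the script's #define lines use:
#   ip_p [9:1]   -> IPv4 protocol byte
#   src  [12,b]  -> 4-byte source address, network byte order
#   dst  [16,b]  -> 4-byte destination address
#   sport [20:2,b], dport [22:2,b] -> transport ports, assuming a 20-byte IPv4 header
IP_P_OFF, SRC_OFF, DST_OFF, SPORT_OFF, DPORT_OFF = 9, 12, 16, 20, 22
TCP = 6
TABLE_EXPIRES = 300  # "connections = dynamic refresh expires 300"


def parse(pkt):
    """Return (ip_p, src, dst, sport, dport) read at the fixed offsets above."""
    ip_p = pkt[IP_P_OFF]
    src, dst = struct.unpack("!II", pkt[SRC_OFF:DST_OFF + 4])
    sport, dport = struct.unpack("!HH", pkt[SPORT_OFF:DPORT_OFF + 2])
    return ip_p, src, dst, sport, dport


class DynamicTable:
    """Model (assumed semantics) of an INSPECT dynamic table with 'refresh' and
    'expires': an entry lives `expires` seconds after it was last recorded or matched."""

    def __init__(self, expires, now):
        self.expires = expires
        self.now = now        # injected clock so the behaviour is deterministic
        self.entries = {}     # key tuple -> absolute expiry time

    def record(self, key):
        self.entries[key] = self.now() + self.expires
        return True           # 'record ... in' succeeds as a condition

    def __contains__(self, key):
        deadline = self.entries.get(key)
        if deadline is None:
            return False
        if self.now() > deadline:
            del self.entries[key]                        # aged out
            return False
        self.entries[key] = self.now() + self.expires    # 'refresh' on match
        return True


class DefaultFilter:
    """The three rules of the sample script, applied in order per direction."""

    def __init__(self, now=time.time):
        self.connections = DynamicTable(TABLE_EXPIRES, now)

    def outbound(self, pkt):
        # '<= all@all accept (...)': accept and record the session on the way out
        ip_p, src, dst, sport, dport = parse(pkt)
        if src == dst:
            self.connections.record((0, src, ip_p, sport, dport))
            return "accept"
        if ip_p == TCP and dport in (256, 22):
            self.connections.record((src, dst, ip_p, sport, dport))
            return "accept"
        return "drop"   # final 'drop;' rule

    def inbound(self, pkt):
        # '=> all@all accept (...)': only replies to recorded sessions; the key is
        # reversed so it matches what the outbound rule stored
        ip_p, src, dst, sport, dport = parse(pkt)
        if src == dst and (0, src, ip_p, sport, dport) in self.connections:
            return "accept"
        if ip_p == TCP and sport in (256, 22) and \
                (dst, src, ip_p, dport, sport) in self.connections:
            return "accept"
        return "drop"


def make_packet(src_ip, dst_ip, proto, sport, dport):
    """Constructed test input: a 20-byte IPv4 header (no options) followed by the
    first four bytes of the transport header. Checksums are left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + struct.pack("!HH", sport, dport)


def demo():
    """Walk one ssh session from the firewall through the filter with a manual clock."""
    clock = [1000.0]
    fw = DefaultFilter(now=lambda: clock[0])
    out = make_packet("10.0.0.1", "10.0.0.2", TCP, 40000, 22)      # constructed
    reply = make_packet("10.0.0.2", "10.0.0.1", TCP, 22, 40000)    # constructed
    results = [fw.inbound(reply)]          # unsolicited reply: drop
    results.append(fw.outbound(out))       # firewall -> ssh server: accept, recorded
    results.append(fw.inbound(reply))      # matches the reversed key: accept
    clock[0] += TABLE_EXPIRES + 1
    results.append(fw.inbound(reply))      # entry expired: drop again
    return results


if __name__ == "__main__":
    print(demo())   # ['drop', 'accept', 'accept', 'drop']
```

The point the model makes visible is that the default filter is stateful in exactly one direction: nothing inbound is ever accepted on its own merits, only as the mirror image of something the firewall itself sent within the last 300 seconds, and even outbound traffic is limited to the two ports the module needs to fetch its policy and be administered.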


Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide
ISBN: 0321180615
Year: 2004
Pages: 143
