Re: docs on firewall and gateway?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: docs on firewall and gateway?
- From: Monty Brandenberg <mcbinc_(_at_)_world_(_dot_)_std_(_dot_)_com>
- Date: Thu, 17 Jun 1999 02:41:33 -0400 (EDT)
On Wed, 16 Jun 1999, Paul Nathan Puri wrote:
> So I need to setup ppp; gateway; ipfilter? Is there more? Where can
> I find documentation? Thanks.
>
I'm replying with some attached files that are the result of some
ip filtering work I've been doing. They consist of some text and
cpp directives which, when combined and processed, produce a
reasonable ip filtering ruleset. I'm sending these to the general
list for comments/suggestions. Some points:
. Mechanical rule generators like this aren't a replacement for
understanding the underlying system. These in particular are the
product of my own imperfect understanding so you are warned. I
guarantee that some of the templates and conventions are awkward
and outright wrong. Credit for the good in this ruleset can be
given to Robert Ziegler who's spent a good amount of time getting
Linux secured on cable modems. (http://rlz.ne.mediaone.net)
. I don't use 'keep state' though this would be a good idea and
would reduce the resulting size of the rule list. When I'm
confident 'keep state' does the right thing, I'll incorporate it.
. Sometimes the sense of 'CLIENT' and 'SERVER' in the rules is
confusing. A server can be something remote (dns), or something running
on the bastion accessed by remote sites (ssh), or something running
on the bastion used by clients on the safe net (smtp), or a combination
of the above. Pay attention.
. That said, save the three attachments as ipf.rules.local.example,
ipf.rules.standard, and ipf.rules.template. Copy the first to
ipf.rules.local and edit this copy to reflect your configuration.
Process the thing with 'cpp' with a command such as:
cpp -E -P -C -DXCOMM=# ipf.rules.template >ipf.rules.new
Inspect the output before establishing the rules as your filter
set.
--
Monty Brandenberg, Software Consultant MCB, Inc.
mcbinc_(_at_)_world_(_dot_)_std_(_dot_)_com P.O. Box 426188
mcbinc_(_at_)_ne_(_dot_)_mediaone_(_dot_)_net Cambridge, MA 02142-0021
617.864.6907
/*
* /etc/ipf.rules.local.example
*
* This file is meant to be copied to /etc/ipf.rules.local and the copy
* edited to reflect the local configuration of network services to
* be provided, accessed, and blocked. The result is then processed
* with 'cpp -E -C -P -DXCOMM=# ipf.rules.template >ipf.rules.new' or
* similar. The final output should be scrutinized before installing.
*
* A note on host addresses. These should be actual dot addresses and
* not fully-qualified host names as DNS services will not be available
* while this is being processed.
*/
XCOMM
XCOMM Site Configuration
XCOMM
XCOMM Values below reflect a particular installation.
XCOMM
/*
* Define network interfaces:
*
* __IF_HOT__ should be defined as the interface name of the
* untrusted network port.
*
* __IF_SAFE__ is set to the safe network interface name.
*
* __IF_LOOPBACK_[01]__ are the loopback device names and probably
* correct. __IF_LOOPBACK_0__ is required but the other may be
* undefined.
*/
#define __IF_HOT__ xl0, de0, ep0
#define __IF_SAFE__ de0
#define __IF_LOOPBACK_0__ lo0
#define __IF_LOOPBACK_1__ lo1
/*
* Define Network and Host addresses
*
* __ADDR_NETWORK_ISP__ should be set to the network address and mask
* of the ISP. This will be considered semi-trusted for some protocols.
*
* __ADDR_NETWORK_SAFE__ should be set to the network address and mask
* of the safe network and should conform to RFC1918 standards.
*
* __ADDR_IF_HOT__ should be set to the static IP address provided by
* the ISP (if static IP is used) or to __ADDR_NETWORK_ISP__ if DHCP
* is used. Ideally, in the case of DHCP, there would be a magic value
* which would be the interface's IP address at any given moment
* (late binding) but I haven't found the magic to make that happen.
*/
#define __ADDR_NETWORK_ISP__ 999.999.999.999/99
#define __ADDR_NETWORK_SAFE__ 10.62.21.0/24
#define __ADDR_IF_HOT__ 999.999.999.1/32
/*
* NAT Configuration
*
* If you're using NAT on the OpenBSD firewall, set __USING_NAT__ to
* 1. Using NAT changes the ruleset significantly (and may degrade
* the overall effectiveness of the filter). When NAT is used, packets
* sourced or targeted to hosts on the safe network appear with NAT'd
* addresses while those sourced or targeted for the bastion host appear with
* the hot interface's addresses. Additionally, portmap complicates
* matters by remapping ports used on the safe net into ranges that might
* be identified with other services such as traceroute, X Window System,
* and Openwindows. It's important to select any portmap range well.
*/
#define __USING_NAT__ 0 or 1
/*
* DHCP Configuration
*
* If the bastion host will be getting its external ip address
* from a DHCP server, set __USING_DHCP_ON_BASTION__ to 1. Then
* set __ADDR_DHCP_SERVER__ to the host ip address or network address
* of the DHCP server which will perform exchanges on the bootpc/
* bootps ports to negotiate the IP address. It may be set to
* __ADDR_NETWORK_ISP__ if a precise address is unknown. Leave
* undefined if not using DHCP.
*/
#define __USING_DHCP_ON_BASTION__ 0 or 1
/* #define __ADDR_DHCP_SERVER__ __ADDR_NETWORK_ISP__ */
/*
* Binary capability selection.
*
* Each of the __ALLOW macros takes the value '1' or '0' to describe
* whether that service should be supported by the filtering rules.
* Some services will require additional data to be provided in a
* later section. Not all capabilities are fully implemented at this
* time.
*/
#define __ALLOW_PING_INCOMING__ 0 or 1
#define __ALLOW_PING_OUTGOING__ 0 or 1
#define __ALLOW_TRACEROUTE_INCOMING__ 0 or 1
#define __ALLOW_TRACEROUTE_OUTGOING__ 0 or 1
#define __ALLOW_SSH_SERVER__ 0 or 1
#define __ALLOW_SSH_CLIENT__ 0 or 1
#define __ALLOW_TELNET_SERVER__ 0 or 1
#define __ALLOW_TELNET_CLIENT__ 0 or 1
#define __ALLOW_WEB_SERVER__ 0 or 1
#define __ALLOW_WEB_CLIENT__ 0 or 1
#define __ALLOW_SECURE_WEB_SERVER__ 0 or 1
#define __ALLOW_SECURE_WEB_CLIENT__ 0 or 1
#define __ALLOW_POP_SERVER__ 0 or 1
#define __ALLOW_POP_CLIENT__ 0 or 1
#define __ALLOW_NNTP_CLIENT__ 0 or 1
#define __ALLOW_FINGER_SERVER__ 0 or 1
#define __ALLOW_FINGER_CLIENT__ 0 or 1
#define __ALLOW_AUTH_SERVER__ 0 or 1
#define __ALLOW_AUTH_CLIENT__ 0 or 1
#define __ALLOW_SMTP_SERVER__ 0 or 1
#define __ALLOW_SMTP_CLIENT__ 0 or 1
#define __ALLOW_IMAP2_SERVER__ 0 or 1
#define __ALLOW_IMAP2_CLIENT__ 0 or 1
#define __ALLOW_IMAP3_SERVER__ 0 or 1
#define __ALLOW_IMAP3_CLIENT__ 0 or 1
#define __ALLOW_SOCKS5_SERVER__ 0 or 1
#define __ALLOW_SOCKS5_CLIENT__ 0 or 1
#define __ALLOW_IRC_SERVER__ 0 or 1
#define __ALLOW_IRC_CLIENT__ 0 or 1
#define __ALLOW_ICQ_SERVER__ 0 or 1
#define __ALLOW_ICQ_CLIENT__ 0 or 1
#define __ALLOW_FTP_SERVER_PORT__ 0 or 1
#define __ALLOW_FTP_SERVER_PASSIVE__ 0 or 1
#define __ALLOW_FTP_CLIENT_PORT__ 0 or 1
#define __ALLOW_FTP_CLIENT_PASSIVE__ 0 or 1
#define __ALLOW_REALAUDIO_CLIENT__ 0 or 1
#define __ALLOW_WHOIS_CLIENT__ 0 or 1
#define __ALLOW_NTP_CLIENT__ 0 or 1
#define __ALLOW_RIP_INCOMING__ 0 or 1
#define __ALLOW_RIP_OUTGOING__ 0 or 1
#define __ALLOW_XWINDOWS_INCOMING__ 0 or 1
#define __ALLOW_XWINDOWS_OUTGOING__ 0 or 1
#define __ALLOW_OPENWINDOWS_INCOMING__ 0 or 1
#define __ALLOW_OPENWINDOWS_OUTGOING__ 0 or 1
#define __ALLOW_NFS_INCOMING__ 0 or 1
#define __ALLOW_NFS_OUTGOING__ 0 or 1
#define __ALLOW_WEB_BANNER_SCUM__ 0 or 1
/*
* DNS Configuration
*
* __DNS_SERVER_TYPE__ should be set to one of the defined __DNS_SERVER_*
* values in the standard value area found in /etc/ipf.rules.standard.
* Then for each *external* nameserver, used either for caching (forwarder)
* or directly as per /etc/resolv.conf, create a __DNS_SERVER_<n>__ define
* for the server with <n> starting at 0. Any local server is assumed
* to be running on the firewall and to be the only entity on the safe
* network participating in DNS transactions with external servers. If
* no local server is specified, external servers are accessible by
* everyone on the safe network.
*/
#define __DNS_SERVER_TYPE__ __DNS_SERVER_FULL__ or __DNS_SERVER_CACHING__ or __DNS_SERVER_NONE__
/* #define __DNS_SERVER_0__ */
/* #define __DNS_SERVER_1__ */
/* #define __DNS_SERVER_2__ */
/*
* Web Proxy Servers
*
* Addresses of caching proxy servers used by clients behind the firewall.
*/
/* #define __ADDR_WEB_PROXY_0__ */
/* #define __ADDR_WEB_PROXY_1__ */
/* #define __ADDR_WEB_PROXY_2__ */
/*
* POP Servers
*
* Addresses of external POP servers that will be used by clients
* behind the firewall. Comment out definitions which will not
* be used. This is distinct from running a pop server for
* external access.
*/
#define __POP_SERVER_0__ __ADDR_NETWORK_ISP__
/* #define __POP_SERVER_1__ */
/* #define __POP_SERVER_2__ */
/*
* POP Clients
*
* If you run a POP server and provide it externally, you might
* just want to control what can access it. Use the pop client
* defines below or set one to "any" to let everyone at them.
*/
/* #define __POP_CLIENT_0__ */
/* #define __POP_CLIENT_1__ */
/* #define __POP_CLIENT_2__ */
/*
* NNTP Servers
*
* Addresses of external NNTP servers that will be used by clients
* behind the firewall. Comment out definitions which will not
* be used.
*/
#define __NNTP_SERVER_0__ __ADDR_NETWORK_ISP__
/* #define __NNTP_SERVER_1__ */
/* #define __NNTP_SERVER_2__ */
/*
* IMAP2 Servers
*
* Addresses of external IMAP2 servers that will be used by clients
* behind the firewall. Comment out definitions which will not
* be used. This is distinct from running an imap2 server for
* external access.
*/
/* #define __IMAP2_SERVER_0__ */
/* #define __IMAP2_SERVER_1__ */
/* #define __IMAP2_SERVER_2__ */
/*
* IMAP2 Clients
*
* If you run an IMAP2 server and provide it externally, you might
* just want to control what can access it. Use the imap2 client
* defines below or set one to "any" to let everyone at them.
*/
/* #define __IMAP2_CLIENT_0__ */
/* #define __IMAP2_CLIENT_1__ */
/* #define __IMAP2_CLIENT_2__ */
/*
* IMAP3 Servers
*
* Addresses of external IMAP3 servers that will be used by clients
* behind the firewall. Comment out definitions which will not
* be used. This is distinct from running an imap3 server for
* external access.
*/
/* #define __IMAP3_SERVER_0__ */
/* #define __IMAP3_SERVER_1__ */
/* #define __IMAP3_SERVER_2__ */
/*
* IMAP3 Clients
*
* If you run an IMAP3 server and provide it externally, you might
* just want to control what can access it. Use the imap3 client
* defines below or set one to "any" to let everyone at them.
*/
/* #define __IMAP3_CLIENT_0__ */
/* #define __IMAP3_CLIENT_1__ */
/* #define __IMAP3_CLIENT_2__ */
/*
* NTP Servers
*
* Addresses of external NTP servers that will be used by clients
* behind the firewall. Comment out definitions which will not
* be used.
*/
XCOMM
XCOMM 192.43.244.18 is time.nist.gov
XCOMM 18.72.0.3 is bitsy.mit.edu
XCOMM
#define __NTP_SERVER_0__ 192.43.244.18
#define __NTP_SERVER_1__ 18.72.0.3
/* #define __NTP_SERVER_2__ */
/*
* Banner Scum
*
* These are network addresses of various web banner 'services'
* which are more annoying than useful. Block them at all ends
* and some things may appear faster. This feature is enabled
* by setting __ALLOW_WEB_BANNER_SCUM__ to 0.
*/
/* #define __WEB_BANNER_SCUM_SERVER_0__ */
/* #define __WEB_BANNER_SCUM_SERVER_1__ */
/* #define __WEB_BANNER_SCUM_SERVER_2__ */
/* #define __WEB_BANNER_SCUM_SERVER_3__ */
/* #define __WEB_BANNER_SCUM_SERVER_4__ */
/* #define __WEB_BANNER_SCUM_SERVER_5__ */
XCOMM
XCOMM /etc/ipf.rules.standard (second attachment; included by the template)
XCOMM
XCOMM Below are definitions that represent standard practice and standards
XCOMM on the internet. You'll generally not want to change these. The
XCOMM traceroute ports are somewhat heuristic. Blocking them could interfere
XCOMM with other network activity.
XCOMM
#define __ADDR_BROADCAST_0__ 0.0.0.0/32
#define __ADDR_BROADCAST_1__ 255.255.255.255/32
#define __ADDR_LOOPBACK__ 127.0.0.0/8
#define __ADDR_RFC1597_CLASS_A__ 10.0.0.0/8
#define __ADDR_RFC1597_CLASS_B__ 172.16.0.0/12
#define __ADDR_RFC1597_CLASS_C__ 192.168.0.0/16
#define __PORTS_TRACEROUTE_SOURCE__ port >= 32768
#define __PORTS_TRACEROUTE_DEST__ port 33433 >< 33524
#define __PORTS_OPENWINDOWS__ port = 2000
#define __PORTS_XWINDOWS__ port 5999 >< 6004
#define __PORTS_NFS__ port = 2049
#define __PORTS_SOCKS__ port = 1080
#define __PORTS_UNPRIVILEGED__ port > 1023
#define __PORTS_SSH__ port 1021 >< 1024
#define __PORTS_SOCKS5__ port = 1080
#define __PORTS_IRC__ port = 6667
#define __PORTS_ICQ_UDP__ port = 4000
#define __PORTS_ICQ_TCP__ port 1999 >< 4001
#define __PORTS_RA_PRIV_TCP__ port = 554
#define __PORTS_RA_UNPRIV_TCP__ port 7069 >< 7072
#define __PORTS_RA_UNPRIV_UDP__ port 6969 >< 7171
XCOMM
XCOMM Types of DNS servers that may be run on the firewall. If you
XCOMM run your DNS server behind the firewall, you'll need to do more
XCOMM work.
XCOMM
#define __DNS_SERVER_NONE__ 0
#define __DNS_SERVER_CACHING__ 1
#define __DNS_SERVER_FULL__ 2
XCOMM
XCOMM /etc/ipf.rules.template (third attachment; the file handed to cpp)
XCOMM
#include "ipf.rules.standard"
#include "ipf.rules.local"
XCOMM
XCOMM This is derived from experiences on Mediaone's cable modem service.
XCOMM Means are provided for a high level of paranoia though allowing some
XCOMM services means you're going to open some ports. If you want
XCOMM security, stay off the net.
XCOMM
XCOMM Configuration data:
XCOMM
XCOMM Hazardous interface: __IF_HOT__
XCOMM Safe interface: __IF_SAFE__
XCOMM Loopback or other if's: __IF_LOOPBACK_0__ __IF_LOOPBACK_1__
XCOMM ISP network: __ADDR_NETWORK_ISP__
XCOMM Private NAT network: __ADDR_NETWORK_SAFE__
XCOMM Broadcast addrs: __ADDR_BROADCAST_0__ __ADDR_BROADCAST_1__
XCOMM Loopback addrs: __ADDR_LOOPBACK__
XCOMM Using NAT: __USING_NAT__
XCOMM Bastion uses DHCP: __USING_DHCP_ON_BASTION__
XCOMM
XCOMM Now we begin
XCOMM
XCOMM
XCOMM DEFAULT POLICY
XCOMM
XCOMM Default Policy is to deny everything on the firewall.
XCOMM
block out all
block in all
XCOMM
XCOMM HOSTILE NETWORKS
XCOMM
XCOMM Quick block known bad networks. These are addresses of systems
XCOMM with virulent users with no redeeming qualities.
XCOMM
XCOMM block in quick on __IF_HOT__ from xxx.xxx.xxx.xxx/xxx to any
XCOMM
XCOMM
XCOMM SPOOF ATTACKS
XCOMM
XCOMM Block and log any packets spoofed to look like they came from or are
XCOMM going to the external interface. (At the moment, these are disabled
XCOMM because under DHCP I don't have an address and I need to have a
XCOMM late-bound value for the block rules. This stinks.)
XCOMM
XCOMM block return-rst in log on __IF_HOT__ from __ADDR_IF_HOT__ to any
XCOMM block out log on __IF_HOT__ from any to __ADDR_IF_HOT__
XCOMM
XCOMM Block quickly anything that looks destined for or sourced from an
XCOMM RFC1597 address.
XCOMM
#if __USING_NAT__
#define __NAT_SPOOF_COLLIDE__(__s__)
#else
#define __NAT_SPOOF_COLLIDE__(__s__) __s__
#endif
#define __ADDR_SERVED_NETWORK__ __ADDR_NETWORK_SAFE__
#define __ADDR_SERVED_BASTION__ __ADDR_IF_HOT__
block in quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_A__ to any
__NAT_SPOOF_COLLIDE__(block in quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_A__)
__NAT_SPOOF_COLLIDE__(block out quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_A__ to any)
block out quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_A__
block in quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_B__ to any
__NAT_SPOOF_COLLIDE__(block in quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_B__)
__NAT_SPOOF_COLLIDE__(block out quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_B__ to any)
block out quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_B__
block in quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_C__ to any
__NAT_SPOOF_COLLIDE__(block in quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_C__)
__NAT_SPOOF_COLLIDE__(block out quick on __IF_HOT__ from __ADDR_RFC1597_CLASS_C__ to any)
block out quick on __IF_HOT__ from any to __ADDR_RFC1597_CLASS_C__
XCOMM
XCOMM Block quickly and log anything involving loopback addresses as
XCOMM another spoof attack.
XCOMM
block in log quick on __IF_HOT__ from __ADDR_LOOPBACK__ to any
block in log quick on __IF_HOT__ from any to __ADDR_LOOPBACK__
block out log quick on __IF_HOT__ from __ADDR_LOOPBACK__ to any
block out log quick on __IF_HOT__ from any to __ADDR_LOOPBACK__
XCOMM
XCOMM Block *slowly* and log unwanted broadcast activity.
XCOMM
block in log on __IF_HOT__ from __ADDR_BROADCAST_1__ to any
block out log on __IF_HOT__ from any to __ADDR_BROADCAST_0__
XCOMM
XCOMM IP FRAGMENTS
XCOMM
XCOMM Block any inherently bad packets coming in from the outside world.
XCOMM These include ICMP redirect packets, IP fragments so short the
XCOMM filtering rules won't be able to examine the whole UDP/TCP header,
XCOMM and anything with IP options.
XCOMM
block in log quick on __IF_HOT__ proto icmp from any to any icmp-type redir
block in log quick on __IF_HOT__ proto tcp/udp all with short
block in log quick on __IF_HOT__ from any to any with ipopts
XCOMM
XCOMM BEGIN OTHER INTERFACES RULES
XCOMM
pass in on __IF_LOOPBACK_0__ all
pass out on __IF_LOOPBACK_0__ all
#if defined(__IF_LOOPBACK_1__)
pass in on __IF_LOOPBACK_1__ all
pass out on __IF_LOOPBACK_1__ all
#endif
pass in on __IF_SAFE__ from __ADDR_NETWORK_SAFE__ to any
pass out on __IF_SAFE__ from any to __ADDR_NETWORK_SAFE__
XCOMM
XCOMM END OTHER INTERFACES RULES
XCOMM
XCOMM
XCOMM BEGIN STANDARD ICMP RULES
XCOMM
XCOMM Commentary: To prevent denial of service attacks based on ICMP bombs,
XCOMM filter incoming Redirect (5) and outgoing Destination Unreachable (3).
XCOMM Note, however, disabling DR (3) is not advisable, as it is used to
XCOMM negotiate packet fragment size.
XCOMM
XCOMM Bi-directional ping.
XCOMM Message types: Echo_Reply (0) and Echo_Request (8)
XCOMM May wish to restrict source addresses to trusted ip addresses.
XCOMM
XCOMM Outgoing traceroute.
XCOMM Message types: Incoming Dest_Unreachable (3), Time_Exceeded (11)
XCOMM Default UDP base: 33434 to base + nhops - 1
XCOMM
XCOMM Incoming traceroute.
XCOMM Message types: Outgoing Dest_Unreachable (3), Time_Exceeded (11)
XCOMM To block, deny outgoing 3 and 11.
XCOMM
XCOMM
XCOMM Always allowed
XCOMM
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type unreach
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type squench
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type paramprob
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type unreach
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type squench
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type paramprob
#if __USING_NAT__
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type unreach
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type squench
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type paramprob
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type unreach
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type squench
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type paramprob
#endif
XCOMM
XCOMM END STANDARD ICMP RULES
XCOMM
XCOMM
XCOMM BEGIN SERVICE RULES
XCOMM
XCOMM
XCOMM PING Outgoing
XCOMM
#if __ALLOW_PING_OUTGOING__
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type echo
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type echorep
#if __USING_NAT__
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type echo
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type echorep
#endif
#endif
XCOMM
XCOMM PING Incoming
XCOMM
#if __ALLOW_PING_INCOMING__
#if __USING_NAT__
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type echorep
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type echo
#else
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type echorep
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type echo
#endif
#endif
XCOMM
XCOMM TRACEROUTE Outgoing
XCOMM
#if __ALLOW_TRACEROUTE_OUTGOING__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_NETWORK__ __PORTS_TRACEROUTE_SOURCE__ to any __PORTS_TRACEROUTE_DEST__
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_NETWORK__ icmp-type timex
#if __USING_NAT__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_TRACEROUTE_SOURCE__ to any __PORTS_TRACEROUTE_DEST__
pass in quick on __IF_HOT__ proto icmp from any to __ADDR_SERVED_BASTION__ icmp-type timex
#endif
#endif
XCOMM
XCOMM TRACEROUTE Incoming
XCOMM
#if __ALLOW_TRACEROUTE_INCOMING__
#if __USING_NAT__
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_BASTION__ to any icmp-type timex
pass in on __IF_HOT__ proto udp from any __PORTS_TRACEROUTE_SOURCE__ to __ADDR_SERVED_BASTION__ __PORTS_TRACEROUTE_DEST__
#else
pass out quick on __IF_HOT__ proto icmp from __ADDR_SERVED_NETWORK__ to any icmp-type timex
pass in on __IF_HOT__ proto udp from any __PORTS_TRACEROUTE_SOURCE__ to __ADDR_SERVED_NETWORK__ __PORTS_TRACEROUTE_DEST__
#endif
#endif
XCOMM
XCOMM DNS Server
XCOMM
XCOMM Establish DNS rules early so that other configuration values which
XCOMM might be by name can be resolved.
XCOMM
#if (__DNS_SERVER_TYPE__ == __DNS_SERVER_CACHING__)
#if defined(__DNS_SERVER_0__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ port = domain to __DNS_SERVER_0__ port = domain
pass in quick on __IF_HOT__ proto tcp/udp from __DNS_SERVER_0__ port = domain to __ADDR_SERVED_BASTION__ port = domain
#endif
#if defined(__DNS_SERVER_1__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ port = domain to __DNS_SERVER_1__ port = domain
pass in quick on __IF_HOT__ proto tcp/udp from __DNS_SERVER_1__ port = domain to __ADDR_SERVED_BASTION__ port = domain
#endif
#if defined(__DNS_SERVER_2__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ port = domain to __DNS_SERVER_2__ port = domain
pass in quick on __IF_HOT__ proto tcp/udp from __DNS_SERVER_2__ port = domain to __ADDR_SERVED_BASTION__ port = domain
#endif
#elif (__DNS_SERVER_TYPE__ == __DNS_SERVER_FULL__)
pass in on __IF_HOT__ proto tcp/udp from any port = domain to __ADDR_SERVED_BASTION__ port = domain
pass out on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ port = domain to any port = domain
#elif (__DNS_SERVER_TYPE__ == __DNS_SERVER_NONE__)
block in log quick on __IF_HOT__ proto tcp/udp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ port = domain
block in log quick on __IF_HOT__ proto tcp/udp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = domain
block in log quick on __IF_HOT__ proto tcp/udp from any port = domain to __ADDR_SERVED_NETWORK__ port = domain
block in log quick on __IF_HOT__ proto tcp/udp from any port = domain to __ADDR_SERVED_BASTION__ port = domain
#endif
XCOMM
XCOMM DNS Client
XCOMM
#if (__DNS_SERVER_TYPE__ == __DNS_SERVER_NONE__)
#if defined(__DNS_SERVER_0__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_0__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_0__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_0__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_0__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_0__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_0__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif /* __DNS_SERVER_0__ */
#if defined(__DNS_SERVER_1__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_1__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_1__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_1__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_1__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_1__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_1__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif /* __DNS_SERVER_1__ */
#if defined(__DNS_SERVER_2__)
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_2__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_2__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_2__ port = domain to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out quick on __IF_HOT__ proto tcp/udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __DNS_SERVER_2__ port = domain
pass in quick on __IF_HOT__ proto udp from __DNS_SERVER_2__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
pass in quick on __IF_HOT__ proto tcp from __DNS_SERVER_2__ port = domain to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif /* __DNS_SERVER_2__ */
#endif
XCOMM
XCOMM SSH Server
XCOMM
#if __ALLOW_SSH_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = ssh to any __PORTS_UNPRIVILEGED__ flags A/A
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = ssh to any __PORTS_SSH__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = ssh
pass in on __IF_HOT__ proto tcp from any __PORTS_SSH__ to __ADDR_SERVED_BASTION__ port = ssh
#endif
XCOMM
XCOMM SSH Client
XCOMM
#if __ALLOW_SSH_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = ssh
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_SSH__ to any port = ssh
pass in on __IF_HOT__ proto tcp from any port = ssh to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any port = ssh to __ADDR_SERVED_NETWORK__ __PORTS_SSH__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = ssh
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_SSH__ to any port = ssh
pass in on __IF_HOT__ proto tcp from any port = ssh to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any port = ssh to __ADDR_SERVED_BASTION__ __PORTS_SSH__ flags A/A
#endif
#endif
XCOMM
XCOMM TELNET SERVER
XCOMM
#if __ALLOW_TELNET_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = telnet to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = telnet
#endif
XCOMM
XCOMM TELNET CLIENT
XCOMM
#if __ALLOW_TELNET_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = telnet
pass in on __IF_HOT__ proto tcp from any port = telnet to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = telnet
pass in on __IF_HOT__ proto tcp from any port = telnet to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM WEB SERVER
XCOMM
#if __ALLOW_WEB_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = www to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = www
#endif
XCOMM
XCOMM WEB CLIENT
XCOMM
#if __ALLOW_WEB_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = www
pass in on __IF_HOT__ proto tcp from any port = www to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = www
pass in on __IF_HOT__ proto tcp from any port = www to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM SECURE WEB SERVER
XCOMM
#if __ALLOW_SECURE_WEB_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = https to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = https
#endif
XCOMM
XCOMM SECURE WEB CLIENT
XCOMM
#if __ALLOW_SECURE_WEB_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = https
pass in on __IF_HOT__ proto tcp from any port = https to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = https
pass in on __IF_HOT__ proto tcp from any port = https to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM WEB PROXIES
XCOMM
#if defined(__ADDR_WEB_PROXY_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_0__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_0__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_0__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_0__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__ADDR_WEB_PROXY_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_1__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_1__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_1__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_1__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__ADDR_WEB_PROXY_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_2__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_2__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __ADDR_WEB_PROXY_2__
pass in on __IF_HOT__ proto tcp from __ADDR_WEB_PROXY_2__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM POP_SERVER
XCOMM
#if __ALLOW_POP_SERVER__
#if defined(__POP_CLIENT_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = pop3 to __POP_CLIENT_0__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __POP_CLIENT_0__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = pop3
#endif
#if defined(__POP_CLIENT_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = pop3 to __POP_CLIENT_1__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __POP_CLIENT_1__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = pop3
#endif
#if defined(__POP_CLIENT_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = pop3 to __POP_CLIENT_2__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __POP_CLIENT_2__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = pop3
#endif
#endif
XCOMM
XCOMM POP_CLIENT
XCOMM
#if __ALLOW_POP_CLIENT__
#if defined(__POP_SERVER_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_0__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_0__ port = pop3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_0__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_0__ port = pop3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__POP_SERVER_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_1__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_1__ port = pop3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_1__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_1__ port = pop3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__POP_SERVER_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_2__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_2__ port = pop3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __POP_SERVER_2__ port = pop3
pass in on __IF_HOT__ proto tcp from __POP_SERVER_2__ port = pop3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#endif
XCOMM
XCOMM NNTP_CLIENT
XCOMM
#if __ALLOW_NNTP_CLIENT__
#if defined(__NNTP_SERVER_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_0__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_0__ port = nntp to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_0__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_0__ port = nntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__NNTP_SERVER_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_1__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_1__ port = nntp to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_1__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_1__ port = nntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__NNTP_SERVER_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_2__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_2__ port = nntp to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NNTP_SERVER_2__ port = nntp
pass in on __IF_HOT__ proto tcp from __NNTP_SERVER_2__ port = nntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#endif
XCOMM
XCOMM FINGER SERVER
XCOMM
#if __ALLOW_FINGER_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = finger to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = finger
#endif
XCOMM
XCOMM FINGER CLIENT
XCOMM
#if __ALLOW_FINGER_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = finger
pass in on __IF_HOT__ proto tcp from any port = finger to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = finger
pass in on __IF_HOT__ proto tcp from any port = finger to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM AUTH SERVER
XCOMM
#if __ALLOW_AUTH_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = auth to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = auth
#else
block return-rst in quick on __IF_HOT__ proto tcp from any to __ADDR_SERVED_BASTION__ port = auth
#endif
XCOMM
XCOMM AUTH CLIENT
XCOMM
#if __ALLOW_AUTH_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ port = auth to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ port = auth flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = auth to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = auth flags A/A
#endif
#endif
XCOMM
XCOMM SMTP SERVER
XCOMM
#if __ALLOW_SMTP_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = smtp to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = smtp
#else
block return-rst in quick on __IF_HOT__ proto tcp from any to __ADDR_SERVED_BASTION__ port = smtp
#endif
XCOMM
XCOMM SMTP CLIENT
XCOMM
#if __ALLOW_SMTP_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = smtp
pass in on __IF_HOT__ proto tcp from any port = smtp to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = smtp
pass in on __IF_HOT__ proto tcp from any port = smtp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM IMAP2_SERVER
XCOMM
#if __ALLOW_IMAP2_SERVER__
#if defined(__IMAP2_CLIENT_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap2 to __IMAP2_CLIENT_0__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP2_CLIENT_0__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap2
#endif
#if defined(__IMAP2_CLIENT_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap2 to __IMAP2_CLIENT_1__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP2_CLIENT_1__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap2
#endif
#if defined(__IMAP2_CLIENT_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap2 to __IMAP2_CLIENT_2__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP2_CLIENT_2__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap2
#endif
#endif
XCOMM
XCOMM IMAP2_CLIENT
XCOMM
#if __ALLOW_IMAP2_CLIENT__
#if defined(__IMAP2_SERVER_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_0__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_0__ port = imap2 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_0__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_0__ port = imap2 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__IMAP2_SERVER_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_1__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_1__ port = imap2 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_1__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_1__ port = imap2 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__IMAP2_SERVER_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_2__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_2__ port = imap2 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP2_SERVER_2__ port = imap2
pass in on __IF_HOT__ proto tcp from __IMAP2_SERVER_2__ port = imap2 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#endif
XCOMM
XCOMM IMAP3_SERVER
XCOMM
#if __ALLOW_IMAP3_SERVER__
#if defined(__IMAP3_CLIENT_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap3 to __IMAP3_CLIENT_0__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP3_CLIENT_0__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap3
#endif
#if defined(__IMAP3_CLIENT_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap3 to __IMAP3_CLIENT_1__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP3_CLIENT_1__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap3
#endif
#if defined(__IMAP3_CLIENT_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = imap3 to __IMAP3_CLIENT_2__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from __IMAP3_CLIENT_2__ __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = imap3
#endif
#endif
XCOMM
XCOMM IMAP3_CLIENT
XCOMM
#if __ALLOW_IMAP3_CLIENT__
#if defined(__IMAP3_SERVER_0__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_0__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_0__ port = imap3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_0__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_0__ port = imap3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__IMAP3_SERVER_1__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_1__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_1__ port = imap3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_1__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_1__ port = imap3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#if defined(__IMAP3_SERVER_2__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_2__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_2__ port = imap3 to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __IMAP3_SERVER_2__ port = imap3
pass in on __IF_HOT__ proto tcp from __IMAP3_SERVER_2__ port = imap3 to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#endif
XCOMM
XCOMM SOCKS5 SERVER
XCOMM
#if __ALLOWED_SOCKS5_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_SOCKS5__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_SOCKS5__
#endif
XCOMM
XCOMM SOCKS5 CLIENT
XCOMM
#if __ALLOWED_SOCKS5_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_SOCKS5__
pass in on __IF_HOT__ proto tcp from any __PORTS_SOCKS5__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
XCOMM
XCOMM IRC SERVER
XCOMM
#if __ALLOWED_IRC_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_IRC__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_IRC__
#endif
XCOMM
XCOMM IRC CLIENT
XCOMM
#if __ALLOWED_IRC_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_IRC__
pass in on __IF_HOT__ proto tcp from any __PORTS_IRC__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_IRC__
pass in on __IF_HOT__ proto tcp from any __PORTS_IRC__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM ICQ SERVER
XCOMM
#if __ALLOWED_ICQ_SERVER__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_ICQ_TCP__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_ICQ_UDP__ to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_ICQ_TCP__
pass in on __IF_HOT__ proto udp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_ICQ_UDP__
#endif
XCOMM
XCOMM ICQ CLIENT
XCOMM
#if __ALLOWED_ICQ_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_ICQ_TCP__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_ICQ_UDP__
pass in on __IF_HOT__ proto tcp from any __PORTS_ICQ_TCP__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto udp from any __PORTS_ICQ_UDP__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_ICQ_TCP__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_ICQ_UDP__
pass in on __IF_HOT__ proto tcp from any __PORTS_ICQ_TCP__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto udp from any __PORTS_ICQ_UDP__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#endif
XCOMM
XCOMM FTP SERVER
XCOMM
#if (__ALLOW_FTP_SERVER_PORT__ || __ALLOW_FTP_SERVER_PASSIVE__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = ftp to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = ftp
#if __ALLOW_FTP_SERVER_PASSIVE__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ port = ftp-data to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ port = ftp-data flags A/A
#endif
#if __ALLOW_FTP_SERVER_PORT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#endif
XCOMM
XCOMM FTP CLIENT
XCOMM
#if (__ALLOW_FTP_CLIENT_PORT__ || __ALLOW_FTP_CLIENT_PASSIVE__)
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = ftp
pass in on __IF_HOT__ proto tcp from any port = ftp to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = ftp
pass in on __IF_HOT__ proto tcp from any port = ftp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#if __ALLOW_FTP_CLIENT_PASSIVE__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = ftp-data flags A/A
pass in on __IF_HOT__ proto tcp from any port = ftp-data to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = ftp-data flags A/A
pass in on __IF_HOT__ proto tcp from any port = ftp-data to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#endif
#if __ALLOW_FTP_CLIENT_PORT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
#endif
XCOMM
XCOMM REALAUDIO CLIENT
XCOMM
#if __ALLOW_REALAUDIO_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_RA_PRIV_TCP__ to any __PORTS_UNPRIVILEGED__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_RA_UNPRIV_TCP__ to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ __PORTS_RA_PRIV_TCP__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ __PORTS_RA_UNPRIV_TCP__ flags A/A
pass in on __IF_HOT__ proto udp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ __PORTS_RA_UNPRIV_UDP__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_RA_PRIV_TCP__ to any __PORTS_UNPRIVILEGED__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_RA_UNPRIV_TCP__ to any __PORTS_UNPRIVILEGED__
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_RA_PRIV_TCP__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_RA_UNPRIV_TCP__ flags A/A
pass in on __IF_HOT__ proto udp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_RA_UNPRIV_UDP__
#endif
#endif
XCOMM
XCOMM WHOIS CLIENT
XCOMM
#if __ALLOW_WHOIS_CLIENT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any port = whois
pass in on __IF_HOT__ proto tcp from any port = whois to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any port = whois
pass in on __IF_HOT__ proto tcp from any port = whois to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM DHCP CLIENT
XCOMM
#if __USING_DHCP_ON_BASTION__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ port = bootpc to __ADDR_DHCP_SERVER__ port = bootps
pass out on __IF_HOT__ proto udp from __ADDR_BROADCAST_0__ port = bootpc to __ADDR_DHCP_SERVER__ port = bootps
pass out on __IF_HOT__ proto udp from __ADDR_BROADCAST_0__ port = bootps to __ADDR_BROADCAST_1__ port = bootpc
pass in on __IF_HOT__ proto udp from __ADDR_DHCP_SERVER__ port = bootps to __ADDR_SERVED_BASTION__ port = bootpc
pass in on __IF_HOT__ proto udp from __ADDR_DHCP_SERVER__ port = bootps to __ADDR_BROADCAST_1__ port = bootpc
pass in on __IF_HOT__ proto udp from __ADDR_BROADCAST_0__ port = bootpc to __ADDR_BROADCAST_1__ port = bootps
pass in on __IF_HOT__ proto udp from __ADDR_DHCP_SERVER__ port = bootps to any port = bootpc
#endif
XCOMM
XCOMM NTP CLIENT
XCOMM
#if __ALLOW_NTP_CLIENT__
#if defined(__NTP_SERVER_0__)
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NTP_SERVER_0__ port = ntp
pass in on __IF_HOT__ proto udp from __NTP_SERVER_0__ port = ntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#if defined(__NTP_SERVER_1__)
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NTP_SERVER_1__ port = ntp
pass in on __IF_HOT__ proto udp from __NTP_SERVER_1__ port = ntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#if defined(__NTP_SERVER_2__)
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to __NTP_SERVER_2__ port = ntp
pass in on __IF_HOT__ proto udp from __NTP_SERVER_2__ port = ntp to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__
#endif
#endif
XCOMM
XCOMM RIP INCOMING
XCOMM
#if __ALLOW_RIP_INCOMING__
pass in on __IF_HOT__ proto udp from __ADDR_NETWORK_ISP__ port = route to __ADDR_SERVED_BASTION__ port = route
#endif
XCOMM
XCOMM RIP OUTGOING
XCOMM
#if __ALLOW_RIP_OUTGOING__
pass out on __IF_HOT__ proto udp from __ADDR_SERVED_BASTION__ port = route to __ADDR_NETWORK_ISP__ port = route
#endif
XCOMM
XCOMM XWINDOWS INCOMING
XCOMM
#if __ALLOW_XWINDOWS_INCOMING__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_XWINDOWS__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_NETWORK__ __PORTS_XWINDOWS__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_XWINDOWS__ to any __PORTS_UNPRIVILEGED__ flags A/A
pass in on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to __ADDR_SERVED_BASTION__ __PORTS_XWINDOWS__
#endif
#else
block in log quick on __IF_HOT__ proto tcp from any __PORTS_UNPRIVILEGED__ to any __PORTS_XWINDOWS__ flags S/SA
#endif
XCOMM
XCOMM XWINDOWS OUTGOING
XCOMM
#if __ALLOW_XWINDOWS_OUTGOING__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_XWINDOWS__
pass in on __IF_HOT__ proto tcp from any __PORTS_XWINDOWS__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_XWINDOWS__
pass in on __IF_HOT__ proto tcp from any __PORTS_XWINDOWS__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM OPENWINDOWS INCOMING
XCOMM
#if __ALLOW_OPENWINDOWS_INCOMING__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_OPENWINDOWS__ to any flags A/A
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_NETWORK__ __PORTS_OPENWINDOWS__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_OPENWINDOWS__ to any flags A/A
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_BASTION__ __PORTS_OPENWINDOWS__
#endif
#else
block in log quick on __IF_HOT__ proto tcp from any to any __PORTS_OPENWINDOWS__ flags S/SA
#endif
XCOMM
XCOMM OPENWINDOWS OUTGOING
XCOMM
#if __ALLOW_OPENWINDOWS_OUTGOING__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ to any __PORTS_OPENWINDOWS__
pass in on __IF_HOT__ proto tcp from any __PORTS_OPENWINDOWS__ to __ADDR_SERVED_NETWORK__ __PORTS_UNPRIVILEGED__ flags A/A
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ to any __PORTS_OPENWINDOWS__
pass in on __IF_HOT__ proto tcp from any __PORTS_OPENWINDOWS__ to __ADDR_SERVED_BASTION__ __PORTS_UNPRIVILEGED__ flags A/A
#endif
#endif
XCOMM
XCOMM NFS INCOMING
XCOMM
#if __ALLOW_NFS_INCOMING__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_NETWORK__ __PORTS_NFS__ to any flags A/A
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_NETWORK__ __PORTS_NFS__
#if __USING_NAT__
pass out on __IF_HOT__ proto tcp from __ADDR_SERVED_BASTION__ __PORTS_NFS__ to any flags A/A
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_BASTION__ __PORTS_NFS__
#endif
#else
block in log quick on __IF_HOT__ proto tcp from any to any __PORTS_NFS__ flags S/SA
#endif
XCOMM
XCOMM NFS OUTGOING
XCOMM
XCOMM
XCOMM WEB BANNER SCUM
XCOMM
#if !(__ALLOW_WEB_BANNER_SCUM__)
#if defined(__WEB_BANNER_SCUM_SERVER_0__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_0__ port = http
#endif
#if defined(__WEB_BANNER_SCUM_SERVER_1__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_1__ port = http
#endif
#if defined(__WEB_BANNER_SCUM_SERVER_2__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_2__ port = http
#endif
#if defined(__WEB_BANNER_SCUM_SERVER_3__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_3__ port = http
#endif
#if defined(__WEB_BANNER_SCUM_SERVER_4__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_4__ port = http
#endif
#if defined(__WEB_BANNER_SCUM_SERVER_5__)
block return-icmp in quick on __IF_SAFE__ proto tcp from any to __WEB_BANNER_SCUM_SERVER_5__ port = http
#endif
#endif
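Two mechanical checks worth running on a template like this and on its cpp output, added here as an example and not part of the posted files: a scan for placeholders that cpp left unexpanded (a macro typed without its closing underscores is never defined, so it passes through untouched and the rule never loads) and a count of the #if/#endif nesting left at end of file. The file names follow the mail; the interface name and addresses in the samples are constructed.

```shell
#!/bin/sh
# Added sanity checks for a cpp-generated ipf ruleset (example code, not
# part of the posted template). Two faults stay silent in this workflow:
# a placeholder typed without its closing underscores (__PORTS_UNPRIVILEGED)
# is never -D'd, so cpp passes it through and the rule never loads; and an
# unmatched #if/#endif hides or exposes a whole block of rules.
# Assumed names follow the mail: ipf.rules.template in, ipf.rules.new out.

# Print every non-comment line of the cpp output that still carries a
# __NAME token. Returns 1 if any were found, 0 if the output is clean.
unexpanded_macros() {
    _hits=$(grep -nE '__[A-Z0-9]+' "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || :)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Number of lines unexpanded_macros() flags in a file.
unexpanded_count() {
    unexpanded_macros "$1" | wc -l | tr -d ' '
}

# Walk the template once and print the #if nesting depth left at EOF.
# #if, #ifdef and #ifndef all open a level; anything but 0 means a
# missing or extra #endif somewhere above.
if_nesting_depth() {
    awk '
        /^[ \t]*#[ \t]*if/    { depth++ }
        /^[ \t]*#[ \t]*endif/ { depth-- }
        END { print depth + 0 }
    ' "$1"
}

# Constructed sample of cpp output; interface and addresses are made up.
# Line 3 keeps a half-formed placeholder exactly as cpp would leave it.
SAMPLE_OUT=$(mktemp)
cat >"$SAMPLE_OUT" <<'EOF'
# XWINDOWS INCOMING
pass out on ne1 proto tcp from 192.0.2.0/24 port 6000 >< 6063 to any port > 1023 flags A/A
pass out on ne1 proto tcp from 192.0.2.0/24 port 6000 >< 6063 to any __PORTS_UNPRIVILEGED flags A/A
pass in on ne1 proto tcp from any port > 1023 to 192.0.2.0/24 port 6000 >< 6063
EOF

# Constructed template fragment with the outer #endif missing.
SAMPLE_TMPL=$(mktemp)
cat >"$SAMPLE_TMPL" <<'EOF'
#if __ALLOW_NFS_INCOMING__
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_NETWORK__ __PORTS_NFS__
#if __USING_NAT__
pass in on __IF_HOT__ proto tcp from any to __ADDR_SERVED_BASTION__ __PORTS_NFS__
#endif
EOF
trap 'rm -f "$SAMPLE_OUT" "$SAMPLE_TMPL"' EXIT

echo "sample output: $(unexpanded_count "$SAMPLE_OUT") line(s) with unexpanded macros"
echo "sample template: #if depth $(if_nesting_depth "$SAMPLE_TMPL") at end of file (0 expected)"
```

Run the same two functions against ipf.rules.new and ipf.rules.template after the cpp step; a non-empty macro report or a depth other than 0 means the ruleset should not be loaded yet.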