Administrace komentářů

options TCP_DROP_SYNFIN
options IPSEC
options IPSTEALTH

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_DEFAULT_TO_ACCEPT

    device bpf

# odmitnuti paketu nedavajicich smysl, ktere nikdy nebudeme chtit prijmout
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

# systemove rozhrani loopback
# sami sobe muzeme cinit jakekoli prikori
pass in quick on lo0 all
pass out quick on lo0 all

# pravidla pro odchazejici pakety
pass out on rl0 all head 100
block out from 127.0.0.0/8 to any group 100
block out from any to 127.0.0.0/8 group 100
block out from any to 10.0.0.2/32 group 100

# pravidla pro prichazeici pakety
block in on rl0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 10.0.0.2/32 to any group 200
pass in quick proto tcp from 10.0.0.9 to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = www keep state group 200
# pokusy o spojeni se sluzbami, ktere neposkytujeme, nechame klienty
# korektne zavrit. server bude vypadat jako rychlejsi a snizime take
# sitovou zatez. ovsem velice nepatrne mnozstvi.
block return-rst in log proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in proto udp all group 200

ipfilter_enable="YES"
 ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-D /var/log/firewall.log"