Objects are defined in ipf.objs. Metarules (which use those objects) are defined in ipf.metarules. The results after running ipfmeta are shown in the 'Results' box. Note that this is NOT a good ruleset; it is optimised to show what ipfmeta can do.
ipf.objs
# ipf.objs - object definitions read by ipfmeta (the metarules that use them
# are in ipf.metarules; the expanded result is ipf.rules).
# Format as used in this file:
#   - a [NAME] header starts an object; members follow, separated by
#     whitespace, on the header line and/or on the lines below
#   - '#' starts a comment (full-line or after a member)
#   - a member may name another object (see [UNWANTED])
#   - a "quoted string" keeps a multi-word member together: "keep state
#     keep frags" is one member, while 1433 5631 on one line is two
# Wherever a metarule contains an object name, ipfmeta emits one concrete
# rule per member (see the expansions in ipf.rules).
[BLOCK-TCP]
# TCP destination ports blocked inbound from the Internet ('port = BLOCK-TCP'
# in group 12); each port becomes its own block rule
23 # telnet
37 # time
111 # portmap
119 # news
143 # imap
389 # ldap
407 # Timbuktu
513 # 'r' services
514 # syslog
5800 # vnc
5900 # vnc
6667 # irc
6668 # irc
[BROADCAST]
# all broadcast addresses
# NOTE(review): 0.0.0.0 is the unspecified address rather than a broadcast
# address; it is grouped here so it is blocked as source and destination
0.0.0.0/32
xxx.yyy.zz1.255/32
xxx.yyy.zz2.255/32
xxx.yyy.zz3.255/32
255.255.255.255/32
# UNWANTED is the union of the PRIVATE and MULTICAST objects defined below
[UNWANTED] PRIVATE MULTICAST # other objects
[PRIVATE]
# RFC 1918 ranges plus loopback; addresses that should never arrive from,
# or be sent to, the Internet side
# NOTE(review): link-local 169.254.0.0/16 is not listed here
192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
10.0.0.0/8
[MULTICAST]
224.0.0.0/4
# Corp. is allowed to manage their own webservers
[CORP-MGMT]
# management hosts permitted to reach CORP-WWW on CORP-TPT / CORP-UPT
aaa.bbb.ccc.dd1/32
aaa.bbb.ccc.dd2/32
aaa.bbb.ccc.dd3/32
[CORP-WWW]
xxx.yyy.zz1.10/32
xxx.yyy.zz1.11/32
xxx.yyy.zz1.12/32
[CORP-TPT] # tcp ports
1433 5631
[CORP-UPT] # udp ports
22 5632
# "TCP handshake"
# the object name contains a space; 'flags H' in a metarule is replaced by
# the quoted text below (SYN set, SYN/ACK/FIN/RST masked)
[flags H] "flags S/SAFR"
# NetBIOS, SMB CIFS: ports 135-139 inclusive
# ('><' is ipf's exclusive range, so the bounds 134 and 140 are excluded)
[NETBIOS] "134 >< 140"
# shorter
[K-F] "keep frags"
[K-S] "keep state"
[K-SF] "keep state keep frags"
# TCP flags used by nmap
# each entry expands to a separate 'flags ...' block rule in group 12
[NMAP]
SF/SF # SYN-FIN (can be legitimate if using T/TCP)
/FSRA # NULL scan
FUP # can be legitimate
ipf.metarules
## ipf.metarules - rule templates for ipfmeta. Object names from ipf.objs are
## expanded into one concrete ipf rule per member (see ipf.rules below);
## '%group N' appends 'group N' to every rule that follows it; '%dump' appends
## the object table to the output as comments. Lines starting with '##' are
## copied through to ipf.rules unchanged.
## %verbose 1 - presumably controls how much ipfmeta echoes; in ipf.rules each
## metarule that was expanded is kept as a '#' comment above its expansion
%verbose 1
## Main
## fxp0 = Internet side (group 10), fxp1 = LAN side (group 20); everything
## not handled by a group is blocked and logged
block in log quick on fxp0 all head 10
block in log quick on fxp1 all head 20
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick all
block out log quick all
## Internet inbound - group 10
%group 10
## short packets and packets carrying IP options are dropped first
block in log quick all with short
block in log quick all with ipopt
## private/loopback/multicast sources and broadcast addresses in either
## direction (each object member becomes its own rule)
block in log quick from UNWANTED to any
block in log quick from any to BROADCAST
block in log quick from BROADCAST to any
block in log quick proto tcp all head 12
block in log quick proto udp all head 14
block in log quick proto icmp all head 16
## Internet TCP inbound - group 12
%group 12
## nmap flag combinations (three rules) and the NetBIOS port range
block in log quick proto tcp from any to any flags NMAP K-F
block in log quick proto tcp from any to any port NETBIOS K-F
## CORP-MGMT x CORP-WWW x CORP-TPT expands to 3 x 3 x 2 = 18 pass rules
pass in quick proto tcp from CORP-MGMT to CORP-WWW port = CORP-TPT K-SF
block in log quick proto tcp from any to any port = BLOCK-TCP K-F
## NOTE(review): after the block list above, any remaining inbound TCP SYN
## (flags S/SAFR) from any source to any port is passed with state - a
## default-allow; the page itself says this ruleset is a demonstration
pass in quick proto tcp from any to any flags H K-SF
## Internet UDP inbound - group 14
%group 14
## same 18-way expansion as the TCP management rule, on CORP-UPT
pass in quick proto udp from CORP-MGMT to CORP-WWW port = CORP-UPT K-SF
## Internet ICMP inbound - group 16
%group 16
## only ICMP source quench is passed in from the Internet
pass in quick proto icmp from any to any icmp-type squench K-F
## LAN outbound - group 20
%group 20
## traffic arriving on fxp1: no unwanted/broadcast addresses in either
## direction, no NetBIOS; then all tcp/udp and icmp echo are passed with state
block in quick from UNWANTED to any
block in quick from any to UNWANTED
block in quick from BROADCAST to any
block in quick from any to BROADCAST
block in quick proto tcp/udp from any to any port NETBIOS
pass in quick proto tcp all K-S
pass in quick proto udp all K-S
pass in quick proto icmp all icmp-type echo K-S
%dump
ipf.rules
# ipf.rules - generated by ipfmeta from ipf.objs and ipf.metarules above.
# Each '#' line that looks like a rule is the metarule as written; the rules
# that follow it are its expansion (one per object member). '## ...' lines
# are copied through from ipf.metarules.
## Main
block in log quick on fxp0 all head 10
block in log quick on fxp1 all head 20
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick all
block out log quick all
## Internet inbound - group 10
block in log quick all with short group 10
block in log quick all with ipopt group 10
# block in log quick from UNWANTED to any group 10
block in log quick from 192.168.0.0/16 to any group 10
block in log quick from 172.16.0.0/12 to any group 10
block in log quick from 127.0.0.0/8 to any group 10
block in log quick from 10.0.0.0/8 to any group 10
block in log quick from 224.0.0.0/4 to any group 10
# block in log quick from any to BROADCAST group 10
block in log quick from any to 0.0.0.0/32 group 10
block in log quick from any to xxx.yyy.zz1.255/32 group 10
block in log quick from any to xxx.yyy.zz2.255/32 group 10
block in log quick from any to xxx.yyy.zz3.255/32 group 10
block in log quick from any to 255.255.255.255/32 group 10
# block in log quick from BROADCAST to any group 10
block in log quick from 0.0.0.0/32 to any group 10
block in log quick from xxx.yyy.zz1.255/32 to any group 10
block in log quick from xxx.yyy.zz2.255/32 to any group 10
block in log quick from xxx.yyy.zz3.255/32 to any group 10
block in log quick from 255.255.255.255/32 to any group 10
block in log quick proto tcp all head 12 group 10
block in log quick proto udp all head 14 group 10
block in log quick proto icmp all head 16 group 10
## Internet TCP inbound - group 12
# block in log quick proto tcp from any to any flags NMAP K-F group 12
block in log quick proto tcp from any to any flags SF/SF keep frags group 12
block in log quick proto tcp from any to any flags /FSRA keep frags group 12
block in log quick proto tcp from any to any flags FUP keep frags group 12
# block in log quick proto tcp from any to any port NETBIOS K-F group 12
block in log quick proto tcp from any to any port 134 >< 140 keep frags group 12
# pass in quick proto tcp from CORP-MGMT to CORP-WWW port = CORP-TPT K-SF group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.10/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.11/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.12/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.10/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.11/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.12/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.10/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.11/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.12/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.10/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.11/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.12/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.10/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.11/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.12/32 port = 1433 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.10/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.11/32 port = 5631 keep state keep frags group 12
pass in quick proto tcp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.12/32 port = 5631 keep state keep frags group 12
# block in log quick proto tcp from any to any port = BLOCK-TCP K-F group 12
block in log quick proto tcp from any to any port = 23 keep frags group 12
block in log quick proto tcp from any to any port = 37 keep frags group 12
block in log quick proto tcp from any to any port = 111 keep frags group 12
block in log quick proto tcp from any to any port = 119 keep frags group 12
block in log quick proto tcp from any to any port = 143 keep frags group 12
block in log quick proto tcp from any to any port = 389 keep frags group 12
block in log quick proto tcp from any to any port = 407 keep frags group 12
block in log quick proto tcp from any to any port = 513 keep frags group 12
block in log quick proto tcp from any to any port = 514 keep frags group 12
block in log quick proto tcp from any to any port = 5800 keep frags group 12
block in log quick proto tcp from any to any port = 5900 keep frags group 12
block in log quick proto tcp from any to any port = 6667 keep frags group 12
block in log quick proto tcp from any to any port = 6668 keep frags group 12
# pass in quick proto tcp from any to any flags H K-SF group 12
# NOTE(review): this is the group's default-allow for any remaining TCP SYN
pass in quick proto tcp from any to any flags S/SAFR keep state keep frags group 12
## Internet UDP inbound - group 14
# pass in quick proto udp from CORP-MGMT to CORP-WWW port = CORP-UPT K-SF group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.10/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.11/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.12/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.10/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.11/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd1/32 to xxx.yyy.zz1.12/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.10/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.11/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.12/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.10/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.11/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd2/32 to xxx.yyy.zz1.12/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.10/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.11/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.12/32 port = 22 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.10/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.11/32 port = 5632 keep state keep frags group 14
pass in quick proto udp from aaa.bbb.ccc.dd3/32 to xxx.yyy.zz1.12/32 port = 5632 keep state keep frags group 14
## Internet ICMP inbound - group 16
# pass in quick proto icmp from any to any icmp-type squench K-F group 16
pass in quick proto icmp from any to any icmp-type squench keep frags group 16
## LAN outbound - group 20
# block in quick from UNWANTED to any group 20
block in quick from 192.168.0.0/16 to any group 20
block in quick from 172.16.0.0/12 to any group 20
block in quick from 127.0.0.0/8 to any group 20
block in quick from 10.0.0.0/8 to any group 20
block in quick from 224.0.0.0/4 to any group 20
# block in quick from any to UNWANTED group 20
block in quick from any to 192.168.0.0/16 group 20
block in quick from any to 172.16.0.0/12 group 20
block in quick from any to 127.0.0.0/8 group 20
block in quick from any to 10.0.0.0/8 group 20
block in quick from any to 224.0.0.0/4 group 20
# block in quick from BROADCAST to any group 20
block in quick from 0.0.0.0/32 to any group 20
block in quick from xxx.yyy.zz1.255/32 to any group 20
block in quick from xxx.yyy.zz2.255/32 to any group 20
block in quick from xxx.yyy.zz3.255/32 to any group 20
block in quick from 255.255.255.255/32 to any group 20
# block in quick from any to BROADCAST group 20
block in quick from any to 0.0.0.0/32 group 20
block in quick from any to xxx.yyy.zz1.255/32 group 20
block in quick from any to xxx.yyy.zz2.255/32 group 20
block in quick from any to xxx.yyy.zz3.255/32 group 20
block in quick from any to 255.255.255.255/32 group 20
# block in quick proto tcp/udp from any to any port NETBIOS group 20
block in quick proto tcp/udp from any to any port 134 >< 140 group 20
# pass in quick proto tcp all K-S group 20
pass in quick proto tcp all keep state group 20
# pass in quick proto udp all K-S group 20
pass in quick proto udp all keep state group 20
# pass in quick proto icmp all icmp-type echo K-S group 20
pass in quick proto icmp all icmp-type echo keep state group 20
# Object table emitted by '%dump' in ipf.metarules. Members appear sorted as
# strings here ('111' before '23'), while the expansions above use the order
# in which members were defined in ipf.objs.
# [BLOCK-TCP]
# '111'
# '119'
# '143'
# '23'
# '37'
# '389'
# '407'
# '513'
# '514'
# '5800'
# '5900'
# '6667'
# '6668'
# [BROADCAST]
# '0.0.0.0/32'
# '255.255.255.255/32'
# 'xxx.yyy.zz1.255/32'
# 'xxx.yyy.zz2.255/32'
# 'xxx.yyy.zz3.255/32'
# [CORP-MGMT]
# 'aaa.bbb.ccc.dd1/32'
# 'aaa.bbb.ccc.dd2/32'
# 'aaa.bbb.ccc.dd3/32'
# [CORP-TPT]
# '1433'
# '5631'
# [CORP-UPT]
# '22'
# '5632'
# [CORP-WWW]
# 'xxx.yyy.zz1.10/32'
# 'xxx.yyy.zz1.11/32'
# 'xxx.yyy.zz1.12/32'
# [K-F]
# 'keep frags'
# [K-S]
# 'keep state'
# [K-SF]
# 'keep state keep frags'
# [MULTICAST]
# '224.0.0.0/4'
# [NETBIOS]
# '134 >< 140'
# [NMAP]
# '/FSRA'
# 'FUP'
# 'SF/SF'
# [PRIVATE]
# '10.0.0.0/8'
# '127.0.0.0/8'
# '172.16.0.0/12'
# '192.168.0.0/16'
# [UNWANTED]
# 'MULTICAST'
# 'PRIVATE'
# [flags H]
# 'flags S/SAFR'